
New IE Holes Discovered

Posted by CowboyNeal
from the yes-even-more dept.
joelt49 writes "Yahoo! News is reporting that 7 new security holes for Internet Explorer have been discovered by a Chinese researcher; however, there apparently aren't any attacks on IE yet." The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.
This discussion has been archived. No new comments can be posted.

  • by The Analog Kid (565327) on Saturday November 29, 2003 @09:14AM (#7587007)
    ...from IE. I tell people about the built-in pop-up blocker, and the adaptive spam filter in Mozilla. I also tell people about the nice long list of IE vulnerabilities like the ones in this article. I've gotten quite a few to switch away from IE, to either Mozilla, Mozilla Firebird, or Opera. It's all about using the big words when you persuade them to switch.
  • by charlieafrid (654116) on Saturday November 29, 2003 @09:16AM (#7587024) Homepage
    I just downloaded the latest IE patches this morning and now IE wouldn't even start....it's doing nothing. Time to move my bookmarks to the firebird....tonight.
  • Forced? (Score:5, Interesting)

    by Call Me Black Cloud (616282) on Saturday November 29, 2003 @09:17AM (#7587025)
    the millions of people who are forced to use Microsoft products

    I'm not forced to use Windows - I use it by choice. So does everyone else I know who uses Windows. As you may know, there is a viable alternative to Windows: OS X.

    Oh wait, actually at my last job I was forced to use Windows. When the company purchased a new computer for me (I'm a software developer) I requested an Apple but was turned down. They didn't want to spend the money and didn't want to deal with integration on the network. I doubt the number of people being "forced" to use Windows numbers in the millions though. Besides, there was a benefit to the Windows box that the company certainly never intended - a wider variety of LAN games to play head-to-head against my office mate.
  • by Anonymous Coward on Saturday November 29, 2003 @09:17AM (#7587027)
    i installed fedora core 1 on her machine on thanksgiving... everything's been great, and her p4 1.8ghz is actually behaving like a machine with that sort of speed, not the slow as poo windows she had before... she was nervous at first, but all her banking/mail stuff works just fine under mozilla.

    maybe it's stuff like this that we need, and more people should get their families exposed to it...

    momentum, people, momentum.
  • by mindstrm (20013) on Saturday November 29, 2003 @09:20AM (#7587038)
    On Windows XP.. stock up to date installation... these remote EXE exploits he posted don't seem to do anything.

  • by fleener (140714) on Saturday November 29, 2003 @09:26AM (#7587076)
    > make it worse for the millions of people who are forced to use Microsoft products

    It's bad that enough nerdy Microsoft Windows users must endure the incessant rudeness of Linux users to get their 'news that matters' on Slashdot. But for CowBoy Neal to permit a discussion topic that implies we are slaves to Microsoft is just plain offensive. Did you ever once consider we might feel liberated to use Microsoft products? It's like looking out into the ocean, seeing a swarm of sharks feeding in the surf, and then choosing to paddle out to ride the waves. It's an adrenaline rush.

    Using Microsoft products is not genetics or how we were raised. It's a choice and we're damn proud of it.
  • by fermion (181285) on Saturday November 29, 2003 @09:37AM (#7587118) Homepage Journal
    The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

    What irks me is that MS did not discover these themselves. After all, the closed source, security by obscurity, we can do it all ourselves model of software development is so superior, that we can only draw one of two conclusions. Either their superior technicians found the problems already, but the management decided not to put in the resources to fix it, or their superior technicians did not find the bug, in which case they need to not only fix the problem, but understand why their process so routinely fails.

    This is not an issue of hating MS, any more than the other recent alert was an issue of hating Apple. It is an issue of knowing there is a problem out there, but having no power in the official process to correct the problem. The only power that might be had is that of public relations. This is very different from OSS, in which one can potentially affect the development process and at least see that something is being done.

    This whole issue of course assumes that dozens of other people have not already found the bug and are exploiting it on small scales not easily detectible by the common methods. And of course does not take into account the ability for people to switch browsers. Just imagine how many lives would have been saved if people had been fully aware of the incompetent design of the Explorer and bought other cars instead.

  • by Anonymous Coward on Saturday November 29, 2003 @09:43AM (#7587155)
    Well, yeah. And the problem with this is...?

    If you wanted a fix in a version of Apache, they'd tell you to upgrade. Yes, you could go throughout the source code, figure out the fixed lines, and apply them to your Apache 1.2.14 setup. Of course, it's just easier to upgrade.
  • by HohlerMann (410170) on Saturday November 29, 2003 @09:46AM (#7587163) Homepage
    Side one - Internet Explorer badly coded, so there's lots of vulnerabilities.

    Side two - Since Internet Explorer is used so widely, there's a lot more people looking for problems with it, and the ratio of bugs found to the number of users is moderately comparable to any other browser.

    An interesting study would be a comparison between the number and kinds (garbled text to root exploit) of bugs known for each browser (what's the cut-off point? any bug from the first alpha version to the "final" version? Or just for the current revision?) versus the number of approximate users.
  • by krbvroc1 (725200) on Saturday November 29, 2003 @09:50AM (#7587175)
    hey folks, this was posted to bugtraq some two months ago.

    That is why I don't understand what all the hoopin' and hollerin' is all about. Microsoft has known about this for quite some time. In addition, two months ago when the demonstration/exploit was made publicly available the author clearly stated that one of the exploit techniques had been documented for over 2 years.

    I'm curious for those here who think this should have been reported to MS first, please post the email addr or website where one would report this -- that would be a public service. I don't have a lot of faith they would have acted even if told -- but for future reference.
  • by erp6502 (725641) * on Saturday November 29, 2003 @09:51AM (#7587182)
    Huh. From R'ing TFA [ntbugtraq.com], it seems there is an exploit using five new security holes disclosed on 11/25/03, not the seven originally reported on 9/11/03.
  • by whysanity (231556) on Saturday November 29, 2003 @09:53AM (#7587190) Homepage Journal
    I whole-heartedly agree with you. However, consider this scenario:

    If every time you reported a problem to your boss and he/she laughed in your face, after about a dozen times or so you'd be fed up. No doubt you'd forgo the customary warning and go above that person's head (which in this case just happens to be the public).

    Let's not even mention how long it takes Microsoft to get around to bug reports on their own betas. I mean the entire purpose of these programs is to find problems, and I have waited a month+ for some issues to be addressed.

    Maybe they're dumb, stupid, or slow... or maybe over the years they've gained the beaurocracy(sp?) of IBM.
  • by Locutus (9039) on Saturday November 29, 2003 @09:59AM (#7587220)
    Isn't this a term used for having to deal with the issues related to choices made? Why should anybody expect others let Microsoft sugar coat the mess they released on the world? Those who use MS products must pay the price of such a choice. Those who consider they have no choice because IT gives them no choice have to play on the treadmill Microsoft and their IT departments put them on and should make their IT staff fix the problem. IMHO.

    When will Microsoft go to court for all of this crap? Can you imagine purchasing a new car and seeing a note on the seat. You open the door of your new car and read the note. It says that the auto maker has no responsibility to how the car works or if it will work.... The auto makers can't pull the kind of EUL that Microsoft gets away with. Yet no lawsuits. What gives?

    LoB
  • by Yaa 101 (664725) on Saturday November 29, 2003 @10:05AM (#7587253) Journal
    These big companies have their mouth full of punishing people that tell they found holes in applications.
    Also I find that MS is so bold and arrogant to ask money for everything and tells others to stop doing things for nothing...
    Let them pay for the info on security problems...
    No payment, no bug reports, period.
    They can take care of themselves? ok let them solve their own problems...

  • A little slow... (Score:2, Interesting)

    by 4A6F656C (530559) on Saturday November 29, 2003 @10:05AM (#7587258)
    This was first posted on Bugtraq [securityfocus.com] several days ago, five days ago to be precise... Looks like Yahoo and the rest of the media are just starting to catch on now...

    It is a *new* security exploit, based on several new security holes that Liu Die Yu found. Given Microsoft's history of rapid responses, I guess one could be forgiven for not even attempting a notification. Has anyone seen a patch from Microsoft yet? ;)

    Oh, and the way to avoid potential future exploits, disable scripting within the Internet zone... (or use another browser!)

  • by pjrc (134994) <paul@pjrc.com> on Saturday November 29, 2003 @10:12AM (#7587287) Homepage Journal
    this guy should have told Microsoft first, waited, if they don't respond within 48 hours, report it.

    I believe the current "best practice" is to wait at least 1 week for the vendor to initially respond... and to give them at least 1 month to create a patch if they (privately) acknowledge the problem.

    But giving them ZERO hours is about as bad as it gets.

  • by binner1 (516856) <bdwalton AT gmail DOT com> on Saturday November 29, 2003 @10:16AM (#7587312) Homepage
    I agree with you in theory, but if you look at it from the perspective of "how do you get the average user interested in alternatives?" angle, this might be the way to go.

    Consider that people use IE because "it's there," and not generally for any other reason. These people are going to continue to do so until the consequences are too high. Really, the same should apply to corporations too. The more often they get bent over, and the rougher those encounters are, the more the point gets "driven" home...I've been on a campaign lately trying to get people to switch from IE. I've been pushing Netscape 7.x instead of Mozilla though, as I find explaining the difference is tedious to say the least. I'd prefer if they used the AOL-brand free version, but Netscape is better than nothing.

    Really, this should go for all MS products with shoddy track records. Any time you have to explain why "the computer was infected with another virus, even though you had AntiVirus software," be very _blunt_ about the reasons. Internet Explorer was designed to kill Netscape, not be secure..."Yes, your virus signatures were up-to-date (not likely), and you still got a virus." That's because MS knew about the problem 3 months ago but it wasn't made public so they didn't fix it. It's not Norton/McAfee's fault. This virus didn't exist until yesterday...

    Now, I'm not saying I think every user should immediately switch to Linux, but I do recommend Mac OS X quite often. I know that nothing is perfect, but it's time people started using _anything_ other than Windows and IE. Don't hide the flaws of the other systems. Yes, Mac OS X did have a problem recently. Nothing is perfect. Most things just happen to be more perfect than Windows and IE.

    -Ben
  • by squiggleslash (241428) on Saturday November 29, 2003 @10:20AM (#7587330) Homepage Journal
    Absolutely.

    I have a neighbour whose computer is currently fried - it'll apparently not boot at the moment, and needs a reinstall of whatever version of Windows it runs. She came over recently and said at some point she needs to use the Internet, and when I offered to let her use my connection said "Oh, I'd be using it for hours".

    So I offered her a laptop. I told her if she makes sure she uses it on the side of the apartment closest to mine she'd be within range of my wireless network "so you'll not have to do anything, just switch it on and start browsing".

    "Oh" she said, obviously hearing words like "wireless" and "network" and "browser", "That sounds far too complicated!"

    I am still gobsmacked about that one, but you're right: it's the words. The more you try to explain to someone how much better (or even how much easier) something is, the more complicated they assume it is. And that really works against you when trying to explain how much simpler something is because by default they assume they'll have to do all the stuff they do now: if you explain they'll not need to, it's hard to word it in such a way that it doesn't sound complicated to a non-technical user.

    I suspect that's Mozilla's real problem (and the problem with so many platforms previously that were technically superior, and much more user friendly) - the technical people are the ones who realise the benefits, so everyone assumes you have to be a genius to use them.

  • Hoo boy (Score:2, Interesting)

    by Mr. Darl McBride (704524) on Saturday November 29, 2003 @10:33AM (#7587398)
    From the article:
    Cooper said, however, he was not yet concerned about the security holes because of the inactivity.

    "There just aren't any new attacks being made" on Internet Explorer, he said

    1. What amazing arrogance
    2. What amazing encouragement

    Somebody get this guy off the stage.

  • by TheLink (130905) on Saturday November 29, 2003 @10:33AM (#7587400) Journal
    Look at the researcher's site:

    http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/ [safecenter.net]

    There used to be a bigger list at: http://www.pivx.com/larholm/unpatched/ but hey MS didn't do anything about it.

    So might as well just report it directly to the public and skip all the MS BS.

  • by pjrc (134994) <paul@pjrc.com> on Saturday November 29, 2003 @10:35AM (#7587409) Homepage Journal
    Prove it. Anything that can be found by a white/gray hat can be found or was already found by a black hat.

    Undoubtedly, you would look upon the history of the last few years, where virtually all attacks (manual and automated in virus/worm code) have exploited known bugs for which patches had been available for weeks or months, and say "that's not PROOF".

    And in a mathematical sense, that would indeed not be "proof".

    The best anyone can offer you is a "preponderance of the evidence", which might even be "beyond a reasonable doubt" that virtually all successful attacks have exploited known vulnerabilities for which the vendor had already created and published a patch.

    If you can accept this rather obvious observation, and you can believe that the trend will continue, then it is a very small logical step to conclude that it is overwhelmingly in everyone's best interest for vendors to have a reasonable opportunity to create and publish patches before details of new vulnerabilities are publicly announced.

    But there is no proof, only a well established trend. So you, supposedly a system administrator, would rather see immediate public disclosure. I'm sure that will appeal to your emotional well being... not being kept in the dark. It will also mean, that as a system administrator, you will need to make temporary workarounds (which often times means shutting off the affected service), while you then wait, with a greatly increased probability of attack attempts. But it will appeal to you emotionally, making you feel better that the vendor got their "feet held to the fire". That ought to make up for the extra time you'll spend implementing the workaround and interfacing with all your users and managers and explaining to them why a service they depend upon (and consider your job to keep operational) is not available temporarily.

  • by PaulK (85154) on Saturday November 29, 2003 @10:46AM (#7587460)
    Yep, not ideal. But it'll be interesting to see whether MS's claims of having a faster response time to security incidents than the Linux community stands up.

    Have you seen what happens to people who report security issues to MS? Follow the full-disclosure and bugtraq lists sometime; you will be astounded. MS repeatedly ignores reports until there is an exploit. They have gone so far as to lock hotmail accounts of people reporting issues.

    They have repeatedly demonstrated a knee jerk reaction to deny problems until they're public, at which point they announce that they've been working on it all along.

    Honestly, with their resources, they could give Linux a serious run on patch speed, but only if they change their mindset first.
  • by toddler99 (626625) on Saturday November 29, 2003 @10:55AM (#7587497)
    Who's forced to use IE? Last time I checked I can use whatever browser I want and when someone or some website tries to force me from using their product because I'm not using IE I can always work around it. So, why is it everyone always believes they are forced to use IE? It's a shitty browser, simple solution: stop using it. Move on and be happy.
  • disclosure (Score:5, Interesting)

    by Tom (822) on Saturday November 29, 2003 @11:02AM (#7587524) Homepage Journal
    The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

    Guess you would've preferred that he either:

    a) keep it to himself and use it to root your box
    b) tell M$ about it, who will as usual drag it out for a few months before even acknowledging that he found a problem.

    If you were reading any of the security mailing lists, you'd know that the general experience researchers have with M$ is that it's a big waste of your unpaid time to contact them.

    Frankly, if they neither pay you nor treat you with some courtesy, then why exactly should you bother?
  • by Anonymous Coward on Saturday November 29, 2003 @11:08AM (#7587554)
    Millions of people forced to use Microsoft products.... oh what imagery that conjures up. Think Indiana Jones for a second.

    I use IE every day of the week and I have done so for years and years without ever a problem. No one has forced me to do so, I'm well aware of alternatives, it's been my choice to do so.

    Google is highly revered by the /. crowd, right? What is the only browser Google has developed their toolbar for?
  • by jridley (9305) on Saturday November 29, 2003 @11:15AM (#7587587)
    Well, the "real programmer" parent is being pretty naive in regards to Microsoft.

    Certainly, he's right, IN THEORY. However, the truth is that people come to RELY ON undocumented behavior in Microsoft APIs. When you do something under the hood that changes one undocumented behavior to another, you stand a chance of breaking things that a programmer wrote, intending to take advantage of that undocumented behavior.

    Sure, you can blame the 3rd party programmer for trying to use an undocumented behavior.

    But guess what? You can't write serious apps for the Microsoft platform without bumping into undocumented behavior, or behavior that is DIFFERENT than what is documented as "correct."

    I work on a mature, very large, vertical market product that runs under Windows. Our programmers sometimes have to spend time black-box testing some API to find out how it REALLY works, as opposed to how Microsoft says it's supposed to work.

    And guess what? Next service pack, it might just break our code. What is our recourse? Why, to fix OUR BUG, of course. Obviously it's OUR BUG because it'd be silly to claim that MICROSOFT was at fault.

    The truth is, Microsoft does regression testing against THEIR *CURRENT* software. You can tell because when their service packs break 3rd party software, it never breaks MS Office. This is what leads customers to think that obviously it's OUR problem not Microsoft's.
  • by back_pages (600753) <back_pages&cox,net> on Saturday November 29, 2003 @11:28AM (#7587657) Journal
    I have had success getting people onto Firebird by explaining how ActiveX exploits work and exactly how people get software like GAIN/Gator, Bonzai Buddy, NewDotNet, CometCursor, Weather Bug, Precise Time, etc., and that these programs' main objective is to gather information about the computer user and return it to corporate headquarters where it is then used to generate more and more pop up advertisements for the user.

    Everyone is shocked that these programs are not designed to do them a favor. They're disgusted that this is the cause of yet more pop up advertisements.

    I then tell them that Mozilla/Firebird is NOT being developed with corporate dollars and therefore has the user's interests at heart. It does not include the ActiveX or thousands of other unfixed security flaws, and you will honest to God never see a pop up advertisement again in your life. The tabbed browsing, type-ahead link find, slash page search functions are all icing on the cake.

    I have switched at least ten people this way, none of them are computer people. Fraternity girls, seniors, parents who just want to check their email, etc.

    Also, Thunderbird is a marvelous replacement for Outlook if all you want is an email client. It usually only takes one virus infection, formatted disk, and complete reinstallation to get people off of Outlook forever and ever and ever. I would think that alone is alarming enough to people at Microsoft, but I haven't seen any indication that they're going to try to produce software that's more useful to users rather than bad guys. It's truly baffling.

  • by focitrixilous P (690813) on Saturday November 29, 2003 @11:33AM (#7587680) Journal
    heh, Firebird should grab them for you. At least it did for me. Puts all your old links into an imported IE folder. So switch already, you open source n00b!
  • by kobotronic (240246) on Saturday November 29, 2003 @11:42AM (#7587720)
    Really! There's been like a thousand holes in IE over the years, they keep coming with no slowing down or even trending towards end in sight.

    Those stupid enough to continue using that piece of garbage or any other microsoft software for "secure" applications, are getting it up the ass exactly like they asked for. The only people I see with desktops infested with bonzo and popups and spyware are retarded IE sheep anyway. The comments from the poster of the article just make me laugh. Security from obscurity isn't! The more exploits the better, the sooner people will be forced to switch.

    Go open source, go with glass box solutions.

    There's absolutely no reason to continue using IE, it's not as if you have to visit the few websites refusing service to other browsers. Refusal of service to other browsers only indicates incompetence - who'd make business with such a company anyway?
  • IHBT (Score:1, Interesting)

    by Anonymous Coward on Saturday November 29, 2003 @11:50AM (#7587758)
    I use IE every day of the week and I have done so for years and years without ever a problem. No one has forced me to do so, I'm well aware of alternatives, it's been my choice to do so.

    Go take a statistics class. One datapoint does not a statistic make. So (to put it in words you can understand) just because YOU haven't had any problems doesn't mean that there aren't any.

    Google is highly revered by the /. crowd, right? What is the only browser Google has developed their toolbar for?

    Maybe Google only developed the toolbar for IE because the rest of the browsers already had the features that the google toolbar introduced. Have you even used Mozilla? Or looked at mozdev? Being aware isn't being knowledgeable. Mozilla supports google searching out of the box. Multiple toolbars are available at mozdev.org. To reiterate, say again, and maybe pound it into your skull, the Google toolbar provides some lacking functionality in IE.

  • by jafac (1449) on Saturday November 29, 2003 @11:57AM (#7587781) Homepage
    Will they have a patch available within the next day or so? You can guarantee that the Mozilla or Konqueror communities would have in the same circumstances...

    I really wish someone had done a study, or that there was data somewhere to back that up. Sure, we've got a buttload of anecdotal evidence, but has anyone ever done a study of "average time to fix an exploit once discovered" by Proprietary Vendor versus Open Source?

    Such a study would be MOST enlightening.
    And greatly help some of us win arguments against Microsoft zealots.
  • by Raindance (680694) * <johnsonmx@NOsPaM.gmail.com> on Saturday November 29, 2003 @12:02PM (#7587802) Homepage Journal
    While I agree with what most folks are saying about the security researcher not following proper exploit discovery etiquette, keep in mind (and this is not flamebait),

    He *is* from China, the country who is so frustrated by Microsoft that it's making its own, full-scale flavor of Linux. The country who may see most of the Western, MS-using world as a competitor. A country so big yet secretive that security practices may be subtly different over there.

    Disappointed? Sure, you can be disappointed in how this went down. Though it may be an apple judging an orange.

    Surprised? I don't think you have the right to be surprised.

    RD
  • by JInterest (719959) on Saturday November 29, 2003 @12:36PM (#7587961)

    You may be right, but it still doesn't change anything. I think this guy should have told Microsoft first, waited, if they don't respond within 48 hours, report it.

    Given that threats of litigation may be less expensive than fixing the endless supply of security holes in proprietary software, and the litigious character of American business practices, I'm not convinced.

    A researcher who contacts the vendor and then releases information on the security holes later may be accused of extortion, as has happened to at least one Italian security expert. It isn't worth it.

    From the point of view of making these exploits known so that they can be fixed, while also protecting one's self from charges of extortion, simply releasing the exploits on public forums -- and thus forcing the vendor to do a quick fix -- may be the lesser of two evils, if not the optimal solution.

    I will say that I think this is probably an appropriate approach only when dealing with commercial entities, particularly known "bad actors" like Microsoft whose responses might be driven by marketing rather than by a desire for technical excellence. For open-source or community projects where volunteerism of any kind is encouraged, letting the maintainers know about the problem first is the better choice, if only because the risk of any litigation is pretty minimal.

  • by Darren Winsper (136155) on Saturday November 29, 2003 @12:53PM (#7588054) Homepage
    Actually, you're wrong. I could do an "apt-get remove konqueror" and my KDE apps would still work fine.
  • by Anonymous Coward on Saturday November 29, 2003 @01:11PM (#7588156)
    Thank you mods for moderating this +5, Interesting. Obviously, you didn't bother to look for the patches (which are, of course, non-existent).
    But here's the REAL kicker. What if the story was about Mozilla bugs and the guy posted this:

    Subject: Just downloaded the Mozilla patches

    Comment: I just downloaded the latest Mozilla patches this morning and now Mozilla wouldn't even start....it's doing nothing. Time to move my bookmarks to IE....tonight.

    Would this have gotten a +5, Interesting? I THINK NOT!
  • by Ridgelift (228977) on Saturday November 29, 2003 @01:21PM (#7588214)
    The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

    That was my initial reaction too, but then I asked myself why? Why must the manufacturer be notified first? All Linux exploits are announced publicly aren't they? Or am I mistaken? If defects in Linux can be made public and fixed quickly, why can't commercial software be done the same way?
  • A better question (Score:2, Interesting)

    by bonch (38532) on Saturday November 29, 2003 @02:09PM (#7588423)
    Will Slashdot report it if it does?

    All signs point to no.
  • by menscher (597856) <menscher+slashdot&uiuc,edu> on Saturday November 29, 2003 @04:20PM (#7589052) Homepage Journal
    Assuming the article is referring to the Bugtraq post by Liu Die Yu of Nov 5, it's perhaps worth noting that he said, in his post:
    This attack is possible partly because of the bugs in Internet Explorer which remain unfixed. The oldest of these bugs is almost two years old.
    There was nothing to notify the vendor about. The vendor had already been informed.
