4 New "Extremely Critical" IE Vulnerabilities
TopherTG writes "Buckle your seat belts folks. On what is looking to be the next Black Tuesday, with rumors of 9 new Windows security patches being released, Secunia is reporting on 4 new vulnerabilities in IE that allow for arbitrary code execution and placing content over other windows. Combined with the new Windows patches, it is likely more Download.Ject- and Sasser-like viruses will be emerging in the coming months."
Re:Black Tuesday? wth? (Score:5, Informative)
http://mutualfunds.about.com/cs/1929marketcrash/a
"Black Tuesday is notorious for being the worst day in the U.S. stock market"...
You didn't even try, did you?
Interesting... (Score:2, Informative)
"Solution: Disable Active Scripting. Use another product."
Re:Black Tuesday? wth? (Score:5, Informative)
IE SP2 RC2 is not vulnerable (Score:1, Informative)
Re:Obligatory FireFox Boosterism (Score:2, Informative)
Are the Browser Wars Back? [msn.com]
Re:At what point... (Score:4, Informative)
Re:Hmmm.... (Score:3, Informative)
Mute? Dontcha mean "moot"?
Re:IE SP2 RC2 is not vulnerable (Score:5, Informative)
Internet Explorer in Windows XP SP2 Release Candidate is not vulnerable to any of these exploits.
*ahem*
An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta).
Re:Black Tuesday? wth? (Score:3, Informative)
W3schools isn't indicative of the entire web (Score:5, Informative)
If you want a better general representation of the web, Google's Zeitgeist web browsers graph [google.com] (from May) is a better place to look. If you zoom in, you do see that the Mozilla based browsers are slowly gaining.
Re:Interesting... (Score:3, Informative)
Re:At what point... (Score:5, Informative)
Re:Hmmm.... (Score:2, Informative)
how about "for all intents and purposes" instead, Chuck?
(double checks his post for mistakes)
Re:Solution: (Score:5, Informative)
This effectively emulates the domain-specific Javascript settings in other browsers.
Re:Solution: (Score:3, Informative)
Re:Interesting... (Score:3, Informative)
It's sad that the only thing I use IE for is to download security updates for IE.
Re:Obligatory FireFox Boosterism (Score:4, Informative)
IE bugs and phishing (Score:4, Informative)
The fourth vulnerability (createPopup) has already been exploited in phishing scams for some time now [jenseng.com]. Initial [securepoint.com] reports [webhostingtalk.com] of the exploit only started coming in a couple months ago, even though the vulnerability has existed since IE 5.5.
Scammers use it to mask the address bar and/or other browser widgets (such as the secure icon). This exploit is particularly dangerous because it can be used to mask/disguise any part of the user's screen, including other windows or even the start menu.
I submitted it to slashdot over a month ago, but it was never greenlighted. I guess these IE vulnerabilities are so commonplace it takes several at once to make the main page...
Re:Alternative Browser Security Question... (Score:5, Informative)
Re:Solution: (Score:1, Informative)
Re:surprise (Score:3, Informative)
Re:Is it just me? (Score:2, Informative)
Re:Solution: (Score:1, Informative)
All OSes are not the same (Score:3, Informative)
That's exactly the argument that Microsoft apologists have been using for years. But just because Microsoft products are more pervasive does not mean that they are just as secure as Linux, OS X, et al.
In point of fact operating systems are not all the same. Some sacrifice security for flexibility or features (ex: Windows). Some eschew clever new features and integration in favor of security (ex: OpenBSD).
Microsoft's development methodology for years was built around increasing the featureset of the Windows OS and Office suite. Marketing drove development of the OS, and development priorities were established accordingly.
Are Yugos as safe as Volvos? Do MiG-29s carry as many passengers as 757s? Software is designed, and in any design process you have to make trade-offs. Microsoft has repeatedly shown us what their design priorities are, and the fact that Microsoft products are ubiquitous doesn't mean that some competing OSes are not inherently easier to secure.
Re:Does this affect the mac version as well? (Score:3, Informative)
Re:Obligatory FireFox Boosterism (Score:5, Informative)
He starts off by saying the cache folder is known - actually the folder name has random characters (last 3 in Firefox, first 8 in Mozilla), so that's not true - you have at best a 1 in 17000 chance of guessing it.
Then he talks about the user opening file:// URLs - what would cause the user to do that? If you have to tell the user "please type this URL into your address bar", that's not much of an exploit. Links to file:// URLs from http:// URLs don't work.
And as someone else pointed out, the script running in a page from a file:// URL has pretty much the same permissions as a script running in a remote page anyway - there is no "local zone" concept in Mozilla/Firefox.
Certainly sounds like there may be a bug or two described there, but I don't see an exploit.
Re:IE Developers (Score:1, Informative)
Microsoft is the largest user of H1B's in the US. They also structure their company around independent contractors who are only allowed to work enough each year to make sure they are ineligible for benefits. Makes for a truly motivated and competent work force, wouldn't you say?
At the same time, you must have noticed that many, many of the discovered IE vulnerabilities were associated with integrating the browser into the OS. This was based on political, not technical reasons, and then rushed through in such a hurry that it was poorly implemented and thought about not at all.
And then we have direct quotes from Bill Gates, the founder of Microsoft, that detail his concerns about software quality: "There are no significant bugs in our released software that any significant number of users want fixed."
All of Microsoft's problems start at the top.
So I hate to have to do this. Really. (Score:5, Informative)
There are a lot of environments, however, where switching from IE just isn't an immediate option. In the future, perhaps, but worm writers and virus scripters won't wait. So here's my advice, my hope, and my PLEA to all you I.T. guys out there.
No matter how much you hate IE, please, for the love of God, get your users to UPDATE THEIR SYSTEMS WITH THE PATCHES. Even if they don't use IE.
We can all save ourselves and each other a hell of a lot of hassle by taking Microsoft's efforts to patch their product as what it is: an effort (however feebly-, politically-, or economically minded) to secure their product. The viruses and worms generally aren't harmful to the user--it's all the network traffic that infected machines produce that is the major headache. Spam, pingfloods, DDoS, it all targets other services and the infrastructure on which we all depend. Be neighborly on the Internet, and make sure your systems are as secure as they can be, even if they're not the systems you'd prefer to run.
Switch browsers, yes. If it makes sense for you and you can do it, go for it. But don't let everyone on your site get infected in the meantime. Remember that the majority of viruses and attack exploits out there in the past months have been proactively counteracted by Microsoft patches.
Infections are caused by morons who don't patch. DON'T LET YOUR USERS BE MORONS (to the extent that this is possible).
Thanks,
The Internet
Re:An Aura of Joy (Score:2, Informative)
The word you are looking for does not exist in English, but in German they say Schadenfreude. It is a sort of malicious glee at the misfortunes of others. It can also contain an element of "I told you so".
Re:IE bugs and phishing (Score:2, Informative)
Here's more [securiteam.com] on that. This article outlines how the vulnerability can be used to spoof the entire screen, thus making everything suspect.
They've even got a sample exploit [doxdesk.com] for you IE users. An ActiveX dialog pops up and is made to appear innocuous through the exploit (drag the dialog box and you'll see). This one is harmless, but it gives you an idea of the danger.
Here's something that bites... (Score:4, Informative)
Since most sites use at least some amount of Javascript and Flash (e.g. gmail), you're left with these choices...
* Turn off all scripting
* Take your chances with Microsoft's flaws
* Deal with the annoying 'prompt' for just about every page
* Manually configure the pages you want as trusted sites
Boy, I wish there was a selection that said...
"Disable all Microsoft(R) Web Technologies"
Re:No Surprise (Score:3, Informative)
There's the Mozilla ActiveX Control [www.iol.ie] which sounded like the thing to run ActiveX in Mozilla, but it's really a thing to control Mozilla with ActiveX.
And there's this IEPatcher [aab.spin.ee] thing which seems to already be able to patch an IE-using program to use Mozilla. Proceed at your own risk, of course.
I agree that an official Mozilla open source drop-in DLL would be nice, but I just wanted to point out that it looks like some people are working towards what you suggest.
Re:IE is NOT a web browser (Score:3, Informative)
For games that "require" Administrator access, I just use a no-CD crack. The only reason that games ever require Administrator-level privileges is for incredibly poorly-designed CD-checking systems (and as there are CD-checking systems that don't require Administrative access, like that used with Unreal Tournament 2004, there is absolutely no excuse for it anymore).
I don't know about Palm sync, but my boyfriend uses a Palm and he's something of a Windows 2000/XP security nut. I'll ask him, because he's very big on not running as Administrator unless absolutely necessary.
2. I don't want to have to switch user each time I need to do an administrator-level activity -- particularly since brain-dead windoze takes a minute or more to do this even on a fast machine.
Solution: right-click on icon, choose "Run As". If "Run As" does not appear, hold "Shift" and right-click, and it should appear. I run Windows Update while logged in via my standard user account (Power Users group) through this method.
The Palm hotsync solution (Score:5, Informative)
The solution for Palm hotsync:
1. Give the user Administrative-level access.
2. Install the Palm software.
3. Explicitly grant the user access to the installed Palm files in Program Files (rather than doing it via Group access).
4. Remove the user from the Administrators group.
Voila. Palm hotsync works without Admin rights. The temporary Administrator rights are needed so that the installer can create certain user-specific registry keys. Another way to do it is to install it under an Administrator's account and then export/import the reg keys, but my boyfriend reports that temporarily setting up the user with Admin rights is overall easier.
Re:"Trusted Computing" (Score:4, Informative)
Re:"Trusted Sites"... (Score:3, Informative)
Re:Built one of these, have you? (Score:5, Informative)
Re:runas is crap (Score:1, Informative)
I just tried "runas /u:Admin explorer". It prompted me for a password, and then created a new explorer process running as the user Admin... You could also start a command prompt and run explorer from there.
You have a user named Admin or did you mean the Administrator? Here's what happens when I run the exact same thing you put here (except as Administrator) from a cmd window:
C:\>runas /u:Administrator explorer
Enter password for Administrator:
Attempting to start "explorer" as user "Administrator"...
C:\>
NOTHING. That's what happens. Not a damn thing appeared.
It worked from xpsp1 and 2ksp3.
This is win2k SP4.
runas is crap. Doesn't even compare to su, which works identically across the 4 different *nix OSes that I admin. Even if runas does work for you, it still doesn't work here. Which I found is typical in Windows, such as VBS. The same damn code and scripts don't run the same way on different machines, even though they have the same exact versions of the OS and VBS/WSH.
Fasten seatbelts? (Score:3, Informative)
Honestly, anyone who is still using IE on Windows can't be in his/her right mind.
Re:IE is NOT a web browser (Score:2, Informative)
Re:No Surprise (Score:1, Informative)
http://www.crackbaby.com/article.php?si
How to Remove Internet Explorer
Posted on Thursday, July 08 @ 08:40:23 PDT
Ok, this story is for you geeks out there that actually know what you are doing. It requires editing of your registry and should not be done by anyone who doesn't know what they are doing.
This will effectively neuter IE on your system and divert all shell calls to IE to your alternative browser. Read on for details...
The other day I brought a lot of your attention to an exploit being used with the SCOB exploit that causes hackers to be able to execute arbitrary code on your system. This is the exploit that caused every security agency including CERT and Homeland Security to say 'dump IE'. I called Microsoft tech support and called and called and no one knew how to disable Internet Explorer or would even help me to do it without badgering; even then, they couldn't figure out how to do it. This is why they get paid the big bucks. So I decided to see if I couldn't figure it out myself.
Since you cannot remove IE from the OS, you have to disable it in some way or make it so that it can't be accessed via shell (not going to happen). Well after some experimentation of my own and reading through the registry diligently, I have your answer:
1. If you do not have IE 6 installed on your machine, install it using Microsoft Update. Reboot.
2. Go to Add/Remove Programs in Control Panel. Remove IE. Reboot.
   a. After reboot it will ask if you want to get rid of your settings. Just say yes or else it will ask indefinitely.
3. Back up your registry.
4. Do a search through the registry for 'iexplore.exe' and 'url.dll'. Replacing HKEY_CLASSES_ROOT instances of these two with the path to your alternative browser seems to do the trick. I now have all my other Microsoft apps that would normally call IE now calling Firefox.
For instance, I have Mozilla Firefox as my alternate browser so I replace with the following:
open/command -> C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
DefaultIcon -> C:\PROGRA~1\MOZILL~1\FIREFOX.EXE,1
If you don't have a good registry editing tool, I suggest JV16 Power Tools. A very good program for editing and cleaning the registry as well as several other nice tools. Plus it has a 30 day trial period enabling you to use it for this task, though I do suggest purchasing since it's a great tool.
After this is all done, it works beautifully and I haven't had a single problem. This is not a simple solution but it is effective. You may want to experiment a bit more by searching through the registry for instances of Iexplore and tweaking HKEY_LOCAL_MACHINE as well but the above should take care of security concerns which is all we are worried about.
For those non-techies out there who don't feel up to this task, there is an easier way to avoid this problem... switch to Linux.
NOTE: I should also mention that because the system will always attempt to recreate IE, when it does using the default installed browser that is integrated into the system, do the following:
1. Go to C:\Program Files\Internet Explorer and right-click on Iexplore.exe.
2. Go to Properties/Security (make sure you are logged in as admin of the machine).
3. Remove ALL permissions!
This will effectively make it so that the system cannot call the program, and in a lot of instances I have found that if it cannot open Iexplore.exe, it will ask you for an alternative browser to use.
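The registry search the article above describes (step 4), as an added PowerShell audit script that is not part of the article or this thread: it walks HKEY_CLASSES_ROOT for shell verb "command" keys whose command line references iexplore.exe or url.dll and lists them, so you can see what would be redirected before touching anything. The Firefox path is the article's own; the -Apply switch and the backup-first convention are assumptions of this example, not something the article specifies.

```powershell
# Added example: audit (and optionally rewrite) HKCR shell handlers that invoke IE.
# Run as an administrator; back up the registry first, as the article says.
param(
    [string]$AlternateBrowser = 'C:\PROGRA~1\MOZILL~1\FIREFOX.EXE',  # article's Firefox path
    [switch]$Apply   # assumed switch: without it the script only reports
)

# Patterns the article tells you to search for under HKEY_CLASSES_ROOT
$patterns = 'iexplore\.exe', 'url\.dll'

# HKEY_CLASSES_ROOT is not mounted as a PowerShell drive by default
if (-not (Test-Path 'HKCR:')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Collect every ...\shell\<verb>\command key whose (Default) value matches a pattern.
# Recursing all of HKCR is slow (minutes on a large hive) but mirrors the article's search.
$hits = Get-ChildItem -Path 'HKCR:\' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'command' -and $_.PSPath -match '\\shell\\' } |
    ForEach-Object {
        $cmd = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -and ($patterns | Where-Object { $cmd -match $_ })) {
            [pscustomobject]@{ Key = $_.Name; Command = $cmd }
        }
    }

# Report what currently routes through IE
$hits | Format-Table -AutoSize

if ($Apply) {
    foreach ($h in $hits) {
        # Convert the raw key name back into a provider path for Set-ItemProperty
        $path = $h.Key -replace '^HKEY_CLASSES_ROOT', 'HKCR:'
        Set-ItemProperty -Path $path -Name '(default)' `
            -Value ('"{0}" -url "%1"' -f $AlternateBrowser)
    }
}
```

Without -Apply the script changes nothing; review the listed keys against the article's expectations before running it again with -Apply.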
Re:Give IE some credit... (Score:3, Informative)