4 New "Extremely Critical" IE Vulnerabilities 1081
TopherTG writes "Buckle your seat belts folks. On what is looking to be the next Black Tuesday, with rumors of 9 new Windows security patches being released, Secunia is reporting on 4 new vulnerabilities in IE that allow for arbitrary code execution and placing content over other windows. Combined with the new Windows patches, it is likely more Download.Ject and Sasser like viruses will be emerging in the coming months."
Black Tuesday? wth? (Score:1, Interesting)
"Trusted Computing" (Score:5, Interesting)
An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta). This issue could not be confirmed on a fully patched Windows XP SP1 system.
So SP2, which is supposed to make Windows super-safe (even at the expense of backwards-compatibility in some case) may have actually introduced an IE bug.
Mainstream Media (Score:5, Interesting)
How long is it going to be before some big mainstream press picks these recursive stories up and starts recommending people try another web browser?
And is there anything we can do to get this in the press?
IE Developers (Score:5, Interesting)
This is not something you want to wake up to as a developer, whether it's proprietary or open source. It's just that they can't make decisions based on solving the problem alone, they have so much red tape to go through to make changes, that even though they might want to solve this problem, someone on the top is making it difficult.
Excuse me while I cry... (Score:5, Interesting)
Ok I'm through crying now Microsoft hear my pleas....
No Surprise (Score:4, Interesting)
1.IE to not be a part of the actual operating system (not going to happen, they've already committed)
and
2.Web Developers to write code that is compatible with all browsers (i.e.: not written just for IE, such that if another browser is noticed, service rendered unusable).
when this happens, i will be pleased.... until then, i guess we're going to be fighting off more exploits than one can shake a stick at.
yeah, yeah. (Score:2, Interesting)
I don't feel sorry for people who work at Microsoft. They are well compensated for the suffering they inflict.
Security as a selling point (Score:5, Interesting)
Yes, Microsoft gets attacked because they're the biggest target. No, I don't buy the argument that all OSes are inherently just as secure or insecure as other OSes. Just compare Windows 98 to Windows XP, or OpenBSD to Windows ME. All OSes are not the same, and marketshare is not the only factor.
Re:No Surprise (Score:5, Interesting)
If you ask me, that's something people should be working towards.
Re:Why don't... (Score:5, Interesting)
IE is lacking in functionality compared to Mozilla, and the MS development cycle is inadequate to respond to this type of problem, IMO--but the only way to stop the malware is to stop the malware authors. Bounties work, but to really stop them, we would have to sacrifice a lot of privacy which the internet still (sort of) affords.
Alternative Browser Security Question... (Score:2, Interesting)
Re:Mainstream Media (Score:2, Interesting)
The bottom line. (Score:2, Interesting)
There is nothing to stop you running Firefox fully pre-loaded from boot-time.
Re:At what point... (Score:5, Interesting)
Netscape 4.x and older wasn't modular enough to embed in their client.
The Mac OS X version does use the Gecko rendering engine (which ain't 'Netscape' it's just the rendering engine) and Compuserve also uses Gecko.
But AOL has been IE based since they moved away from thier own browser.
My company has one clients who refuses... (Score:5, Interesting)
Re:No Surprise (Score:2, Interesting)
pot calling (Score:1, Interesting)
Re:Mainstream Media (Score:5, Interesting)
Unfortunately we live in the real world. If Micorsoft kept getting large amounts of bad press every time it announced a new exploit it would try even harder to hide the flaws instead of releasing a fix.
Re:Obligatory FireFox Boosterism (Score:5, Interesting)
Re:Obligatory FireFox Boosterism (Score:3, Interesting)
-
Obviously anyone who hasn't made all their Windows 'friends' switch to FireFox needs to do so now.
I'm sure I'll be hated for saying this but I can't stand FireFox from a UI standpoint. I've tried it several times, last time was just a week or so ago. I spent well over an hour getting it installed with all the extensions I needed (the first try it died on installing multiple extensions at once, I had to do an uninstall/reboot/reinstall and start over and install them one by one). Then I find that I can't tell what tab's what since the text it used for them was too big (and I never found a way to change it, even in the extra options extension). I was willing to work around that but when I discovered that the Tab Browser extension wouldn't keep my tabs ordered I just gave up. Perhaps Opera may be better suited for me, but right now for me personally FireFox's UI is a looooooooong way off from the IE browser wrapper I use (Maxthon, formerly MyIE2).This isn't meant as a troll, it's meant to prompt some serious thought. I'm a SysAdmin and I even had promblems in the install process (with extensions granted, but that's more than enough to kill off your average joe-user). If we really expect people to give up IE and all the asundry wrappers for it the UI in FireFox must be as good as, or better than what they have now. Otherwise they're not going to switch.
I'll give Opera a whirl when I have time but I'm still using Maxthon, most things in IE disabled or set to prompt to protect me. I also use BHO Demon to watch for attempted BHO hijackings. Frankly it's annoying but it's still far more useable than FireFox was for me.
Even MS Fans Are Switching (Score:5, Interesting)
But not when it comes to IE. It is fairly clear to me, and anybody else whose mind is not clouded with zealotry, that IE is the single best attack vector into the average personal computer. Nearly all PC users use IE for a significant portion of the day, and nearly all of those users have no idea that visiting a web site could be dangerous.
I stopped using IE about 6 months ago when a web page managed to install spyware on my machine. I was fully patched, but it happened anyway. If it weren't for McAfee Antivirus, I never would have known. I've been using FireFox ever since.
Up until FireFox
So, there you have it. A diehard Microsoft fan dumping IE like a bad habit.
email to family members (Score:5, Interesting)
This will be the last email that you will receive from me about security holes in Internet Explorer. Microsoft is not able to release patches quickly enough to secure Internet Explorer. The U.S. Department of Homeland Security now recommends that if users are unable to patch the security holes in Internet Explorer that they use another browser. Please switch to the latest version of Mozilla web browser. You can find this web browser at http://www.mozilla.org/
http://secunia.com/advisories/12048/
Andrew
Perfect Exploit (Score:5, Interesting)
Anyone know of one? The terms are too generic for a quick google.
S
Re:Alternative Browser Security Question... (Score:4, Interesting)
First off, as soon as an exploit is found, anyone can fix it. You don't have to wait for your manager to assign the task of developing a fix to you, develop it, send it to testing for a month of evaluation, then work with marketing to schedule it's release. In most cases a fix will be out the next day.
There's also the fact that increased market share for competing browsers reduces the incentive for creating viruses, trojans, etc. Say I'm a spammer, crime lord, activist, script kiddie, what have you. If I can develop a program that will allow me to infect 95% of the worlds PCs well, that's pretty cool. But if Moz/Firefox has 23% market share, Opera pulls another 14%, Safari/Konqueror back that up with 17%, and others grab 6%, That 95% of PCs I could infect developing an IE exploit drops to 40%. The incentive is nowhere near as great. Security through obscurity is a beautiful thing.
"Trusted Sites"... (Score:5, Interesting)
Re:Doomed release (Score:1, Interesting)
It's time to go back and review all of those MS-funded studies over the past few years that showed Windows with a lower TCO than Linux. How far off were their estimate for the cost of dealing with malware?
Secunia are making money off other people (Score:1, Interesting)
1-3) Discovered by Paul (greyhats).
4) Originally discovered by Georgi Guninski.
G.Guniski advisories are protected and copyrighted for the simple reason that companies like Secunia are reproducing their advisory and making money from it. They even steal the glory in news and look like the serious company reporting the problems. The reality ? They know nothing special about security, they are here for buisness and communication.
This sucks, and anyway using G.G. discovery (under explicit non-redistribution copyright) is probably illegal.
And funny to have a discovered by XXX *AND* *ORIGINALLY* discovered by XXX.
They pretty well know that the original discovered is the only one whom can be called the discoverer, don't they ?
Re:Be Fair! (Score:2, Interesting)
Does it really matter (in this specific case) if IE was integrated?
It seems that, [1] could potentially work in other browsers with JavaScript support; [2] is unclear, and I can't find the example they're talking about; [3] is plain bad security checking; [4] is by design - whether the design is good is something else entirely. But none of them really depend on what OS you run on (assuming IE runs).
So I've been contending (Score:4, Interesting)
Then last week the shell: bug in Mozilla was reported, and I was humbled. Perhaps, I thought, perhaps Mozilla wasn't really all *that* much better than MSIE, and I was being silly by my stance that MSIE was an unsafe product and Moz was a safe product. Maybe, I thought, trusting any software vendor is just as silly as trusting Microsoft.
Then I see this news today and I don't feel so humble anymore.
One thing I found odd, though. I haven't done a close study or anything, but when the mozilla vulnerability was found last week, it was very widely reported. I saw it at least twice on news.google.com and I believe on cnn.com. But with these new IE vulnerabilities? Well, maybe it's just too soon, but cnn.com has nothing on this-- it does have a story "renewed calls for alternate browsers" which mentions in the second paragraph two IE bugs that MS fixed already-- and news.google.com has nothing. And n.g.c's top tech story?
Microsoft CEO Touts Security Push at Conference
Reuters - 55 minutes ago
SEATTLE (Reuters) - Microsoft Corp. MSFT.O is taking a big step toward boosting the security of its flagship Windows product in August with the release of a major software update, Chief Executive Steve Ballmer said on Tuesday.
Monoculture results in Potato Famine (Score:2, Interesting)
Payback is a bitch no? Sure they got a little paddle on the backside and a, "Don't do that again" over their monopolistic practices, but here we are, seeing the karma swing around to bite them in the ass.
Hopefully this stuff will continue to the point where we can get the ball rolling again. Yet another big moment for open source software to try to swing in and become a viable alternative. Especially considering the fact that firefox is just an application and not a whole OS, which can be a scary leap for many to attempt an install, it might really open some eyes to what could be.
RALLY!
m.
Education is needed (Score:3, Interesting)
Not true - there was an AOL/Linux on netscape... (Score:4, Interesting)
http://msnbc.msn.com/id/3078317/
Re:IE bugs and phishing (Score:1, Interesting)
Give IE some credit... (Score:5, Interesting)
Re:IE is NOT a web browser (Score:4, Interesting)
"explorer.exe" - 980 KB
I'm fairly certain "iexplore.exe" is just a stub that launches "explorer.exe" on Windows XP systems. I think the two were distinct back in the Windows 95 days, but now they launch basically the same code.
As means of comparison, "firefox.exe" weighs in at 6.27MB on Windows, so it's fairly safe to assume that most of the Internet Explorer and Windows Explorer functionality is hidden away in miscellaneous libaries. (Like the ever-popular "mshtml.dll," which comes in a 2.66MB.)
As an example, I took the Explorer window I was using and checked the "About" dialog, it said "About Windows." I then entered "http://slashdot.org/" into the address bar, and rechecked the "About" dialog, and got "About Internet Explorer." I'm fairly certain that while there is an "iexplore.exe" file, all it does these days is launch "explorer.exe" with the options to make it act in "web browser" mode.
Windows patch 841873 disabled Mozilla Firefox!!! (Score:4, Interesting)
zerg (Score:4, Interesting)
Thanks, Microsoft! (Score:2, Interesting)
Oh, and that last poll? -20%
Re:runas is crap (Score:3, Interesting)
I don't like runas becuase you can't use it for setuid or make the password a command line parameter. Here [espci.fr] is a tool that does that.
Re:Be Fair! (Score:3, Interesting)
When I was making it, I started to try to find out the best way to do it. I quickly found a way in IE to build it extremely easily. I could take advantage of some IE style property that would let me make the div act like a scroll box kind of thing. Where I could very easily scroll up and down.
Then I found out that this was only a IE style, and not w3 compatible. So then I had to resort to a nasty way of making the div act like a mask, and that as you scrolled down the mask would move down and then the div would have to move up. This is accetable, but it just nasty.
Anyway, my point is that, IE's addition to w3 style properites was actually easier to use then a w3 method.
Another point where there is discrepincies, is if you have a table cell with the style: style="border: 1 solid #000000; width:100px;" In IE that cell will have a width of 100px, and a border. While in mozilla it will put the border on the outside of the cell. So it's actual width will be 102px;.
ok.... now I'm ready for hate mail.
-asoap
Ps: I do prefer firefox to IE. I just have to develop for what most of the world uses.
Re:simple answer (Score:3, Interesting)
Re:you need a history lesson (Score:3, Interesting)
My point above is that the original poster's assertion that big, bad Microsoft "requires" users to run as Administrator is patently false. It is due to poor programming on the part of ISVs that developed commercial desktop products. That's a problem Linux would be lucky to have. Suddenly you're talking about the GUI and Kernel Components?
Well fine. I'll challenge you on the Kernel too. Ah yes, lets start with the "setuid bit". Now there's a fine security model.
Or let's talk about NIS and NFS. Are these representative of high security? Pulease. This system believes you are who you say you are just because you say so!
Or how about the User/Group/World permissioning structure? How flexible! Couple this with the 16/32 group limit of the Kernel and you've got a really scalable system for applying security to files.
I have to give you credit -- these mechanisms sure are "clean and simple". But here we are 20 years down the road, and security Access Control mechanisms are a shambles in Linux.
Re:Be Fair! (Score:5, Interesting)
Style property "position:fixed;"
I want you to make a div that stays put on the page where you put it, and doesn't jump up and down on a page like a jumping bean when you scroll. It's easy enough in Opera/Mozilla, where the fixed position is supported. But IE doesn't recognize that attribute, so it sets the position to static. How then are you going to do it?
This problem took me almost 2 days of work to get working in IE. I had to create a toolbar for the top of a page that would scroll. I eventually found a few CSS hacks to do it, and it works great, although it does crash IE if combined with some other scripts, so it's not perfect.
My point is that while you have demonstrated one specific case where IE makes development a little easier, I think on the whole, the W3C methods just make life much easier than some de facto standard that Microsoft thought up on the spur of the moment. I code to standards because I prefer to write code that isn't bound to one specific version of one particular browser.
And if you check the specs of borders according to the W3C recommendation, you will find that Mozilla is behaving appropriately in the case of the table border. IE is in error. (However, the problem might go away in IE if you use aren't in quirks mode. (ie. use a correct doctype))
Once again, I regret posting in this discussion, as I would have loved to mod you down for being blatantly wrong.
Re:At what point... (Score:2, Interesting)
It wasn't very widely used, but they did make it. I beleive it was about a year and a half or two years ago.
http://news.com.com/2100-1023-860710.html
jaz
Re:Be Fair! (Score:2, Interesting)
ouch baby... that hurt.
I was participating in a creative discussion. The parent post asked for an example of IE being better then Mozilla, which I attempted to provide. I actually do believe that Mozilla is the better browser. So ease up on the anger.
BUT the issue is that most of the world DOESN'T USE MOZILLA, they use IE. Will you make a website that looks wrong but is still works with w3c standards... But that 95% of the world will not see properly!?!?!
When I develop, I mainly develop in IE, because that's what most people use, yet I do keep mozilla open to make sure stuff works in there. But I do IE as a default, because if I'm in a rush, there is a chance it might not work in moz.. But I will still feel safe knowing that 95% of the people will be able to see it. BUT if I used Moz as my default ( as I would actually like to ) and was rushed, and made a mistake that I wouldn't notice unless I loaded it in IE to find out it was busted. I would run into trouble because almost everybody that viewed it woudldn't be able to!
But yeah, we've run into that "position fixed" issue also, and I totally agree with you. I would much rather that everything was the exact same. Although, no matter what, it doesn't look like that is going to happen. That style border, is an exact reference. It's a w3 standard, and both browser's support it. It's just that ie messed up and made it apply to the inside rather then the outside. We will always have those kinds of differences.
-asoap
Re:you need a history lesson (Score:3, Interesting)
Microsoft has done many things. Microsoft's poorly thought out, corner-cutting APIs are their historical APIs, what made them grow fast and successful initially. Since then, they have hired a lot of smart people and they have gotten better. Of course, Microsoft's costs and time-to-market have skyrocketed correspondingly, so they are now as slow as everybody else. Microsoft is now at grave risk of being eliminated by a new, fast-moving, corner-cutting competitor without backwards compatibility woes, just like they themselves used to be. And there is nothing they can do about it.
Note, incidentally, that Mono's implementation of the
Or let's talk about NIS and NFS. Are these representative of high security? Pulease. This system believes you are who you say you are just because you say so!
First of all, you have to separate APIs and implementation. NFS was quite clearly a poorly designed system, but it didn't introduce any new APIs that application developers had to deal with. Furthermore, NFS's poor design is a testament to Sun's incompetence; the UNIX designers didn't have anything to do with it and they seemed by and large pretty annoyed at what Sun and Berkeley had done to UNIX in general. But the fact that NFS's poor design didn't affect UNIX application programmers significantly in the long run remains a testament to the soundness of the UNIX design philosophy.
Well fine. I'll challenge you on the Kernel too. Ah yes, lets start with the "setuid bit". Now there's a fine security model. [...] But here we are 20 years down the road, and security Access Control mechanisms are a shambles in Linux.
I'm sure lots of people at Microsoft think the same way, and that's just fine as far as I'm concerned.
Re:Built one of these, have you? (Score:3, Interesting)
Any more examples of one dev browsers?
Re:Built one of these, have you? (Score:3, Interesting)
Re:Built one of these, have you? (Score:3, Interesting)
Security always seems to take a back seat to features with MS and that is the core problem with IE.
I promise this is my last time posting this tired comment for this summer: the core problem has nothing to do with security vs features. I am quite certain, that given enough time, MicroSoft will release a great browser. I recall a short period of time when IE was way better than Netscape. Plans for Windows SP2 look promising -- which is a good thing. I am certain that for a long period of time MicroSoft will try to maintain a top notch browser. Features will outweigh security, then security will take precedence, then features, etcThe core issue is that no one other than MicroSoft has control. Analogy time, I guess. Does everyone in the world want to remain the skinny dork who gets beat up by the bully? MicroSoft can do what ever they want. They will bend a bit here and there, but for the most part, everyone is at their mercy. "Give me your homework or I'll punch you in the nose" could be the MSFT motto. Of course, even the bully has to be nice once and a while, or face rebellion. Are you smart enough to see that you are being played? Are you happy being the gutless sissy?
I know most people are happier in the submissive role. Great. They will be mildly content with anything given them. You can give them closed source and continue to make others suffer. Or give them open source, and help allow your like minded individuals flourish.
Re:Sucks to be them (Score:3, Interesting)
plan better? How about think a little. I once worked in a place where all the engineers had unix (solaris) workstations on their desk. About 1/4th had a windows machine. A new engineering app was built from the ground up that only ran with IE on windows! (I tried it with the solaris version of IE, didn't work)
When IT learns to think let me know. Until then planing won't help.