IE Flaw Gives Hackers Access To User Files 259
snydeq writes "Microsoft warned that a flaw in IE gives attackers access to files stored on a PC under certain conditions. 'Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location,' Microsoft said in a security advisory. The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."
*sigh* ... blame Netscape. (Score:3, Insightful)
Had Microsoft not needed something to drive a stake through Netscape's heart, it wouldn't have needed to concoct it's own Frankenstein's monster of confused and misbegotten priorities.
This is bad. (Score:5, Insightful)
When you go to my website I know what the cookie name is and I know the default file system location for that cookie. This one seems pretty bad.
I wonder... (Score:5, Insightful)
Flawed (Score:5, Insightful)
an attacker may be able to access files with an already known filename and location
One more reason not to keep your files in "My Documents". That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.
"Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008," it said.
Does XP have a protected mode? That's the version of Windows most people use IINM. Is this a ploy to get people to upgrade from XP?
Microsoft hasn't seen any attacks that exploit the flaw and has yet to decide whether to repair the flaw through its monthly security patch release cycle or an urgent, out-of-cycle update.
Has yet to decide whether to repair it? Hmmm... Ok, they're trying to decide when to. How about doing what every other browser company does and give us the patch NOW?
c:\Windows\System32\ (Score:3, Insightful)
WHY THE FUCK DO PEOPLE STILL USE IE? (Score:2, Insightful)
This is just fucking stupid. WHY DO PEOPLE AND BUSINESSES STILL USE IE?
We KNOW it's full of holes. Not just small ones, but literally, gaping goatse-sized holes. This is a perfect example, to go along with the hundreds of other problems we know of.
There are so many alternatives today! We are living in a time of plenty when it comes to browsers. I mean, we have Opera that runs just about everywhere. We have Firefox if you want extensibility. If you prefer the feel of the old Netscape Communicator suite, there's Seamonkey. If you want a fast browsing experience, use Chrome or Safari or Konqueror.
Legacy ActiveX controls just aren't enough of an excuse these days. If you're still using that piece of shit "technology", then you need to get your network off of the public Internet. You and your network are nothing but a disaster waiting to happen.
Re:c:\Windows\System32\ (Score:1, Insightful)
Re:WHY THE FUCK DO PEOPLE STILL USE IE? (Score:2, Insightful)
Re:Flawed (Score:4, Insightful)
I'd say it's (yet another) reason to stop using a 9 year old OS. How many of the major linux distros still support versions that old? How many people would recommend continuing to run a version that old?
You mean like (Score:1, Insightful)
I'm really getting sick of this excuse (Score:4, Insightful)
Good thing no one knows to look for: "%USERPROFILE%\My Documents\Quicken\qdata.qdf"
Modifying hosts.txt (Score:2, Insightful)
Re:c:\Windows\System32\ (Score:4, Insightful)
C:\windows\system32\config\sam
Read-only access is all you need...
Re:WHY THE FUCK DO PEOPLE STILL USE IE? (Score:1, Insightful)
Because none of the browsers you listed are as easily configured enterprise wide as IE is with group policies.
Re:c:\Windows\System32\ (Score:3, Insightful)
yeah, it's not like there are stored connection strings to databases ... um ...
Re:This is bad. (Score:3, Insightful)
Package that up into a script and you could probably scan for 1,000 different cookies in the time it took you to read my post.
Definitely! Reading everyone else's cookie is much more interesting than using an exploit to read your own cookies! :P
Re:WHY THE FUCK DO PEOPLE STILL USE IE? (Score:3, Insightful)
Re:Flawed (Score:3, Insightful)
C:\users\%USERNAME%\Documents anyone?
Hmm, how about the document search index? (Score:3, Insightful)
Because there isn't an easily found, well known file that is a handy index of all of the files on your system:
\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
http://en.wikipedia.org/wiki/Windows_Search [wikipedia.org]
Re:WHY THE FUCK DO PEOPLE STILL USE IE? (Score:2, Insightful)
It doesn't work like that. There are billions of sites on the internet. If your site doesn't work with them, they go somewhere else. And it would be quite stupid to ignore a browser that holds the largest market share. Sad, but true.
Re:WHY THE FUCK DO PEOPLE STILL USE IE? (Score:2, Insightful)
Because none of the browsers you listed are as easily configured enterprise wide as IE is with group policies.
Exactly. This is a thing OSS developers usually miss. They develop primarily for home users or single users and have no idea how it works in work place, while MS understands a need for enterprise solutions.
Re:This is bad. (Score:5, Insightful)
Well, if any of those cookies are being used by supposedly secure sites to remember somebody's login so they can conveniently purchase in future, you may well know enough to log into their account on those shopping sites and get their real name, address and purchasing history. From this point, it's not a particularly large step to large-scale identity theft.
Re:This is bad. (Score:3, Insightful)
Re:Modifying hosts.txt (Score:3, Insightful)
http://www.microsoft.com/technet/security/advisory/980088.mspx [microsoft.com]
When in doubt, go to the source. Microsoft has a pretty decent write-up on this one. I don't know who taranfx.com is, but the only accurate bits of information in their article are what they cut-and-pasted from the Microsoft site. The rest is, umm, "fanciful". Sorry, I gotta call 'em like I see 'em.
Oh, one other useful bit from their stie... that everyone should stop using IE. Now.
I'd also add to only run a browser that has something like NoScript available. Javascript is just chock full of vulnerabilities of its own. Any time you allow strangers to run code on your computer, you are just asking for trouble.
But by now that goes without saying, and I've already said it until I'm blue in the face, and I've given up. Don Quixote is cut out for that sort of thing, I'm not.
If you use IE in Vista or Seven, turn protected mode on. If you use IE on XP, load the file:// protocol fix outlined at Microsoft's site. Hopefully Microsoft will come out with a fix soon. Load it. Immediately.
This may not be a serious vulnerability, but the vector will surely be used for more serious ones real soon as the black hatted assholes figure out how to read your file index and get a list of files to choose from.
Re:I wonder... (Score:1, Insightful)
Don't worry, I was able to recover your password.txt files from the recycle bin.
Re:c:\Windows\System32\ (Score:3, Insightful)
That's not the case.
It's not like memory dumps don't ever get dumped there if you had an OS crash, and it's not like memory dumps would ever contain user data like user passwords. There's user data in there. Where does the REGISTRY get saved???
This is BAD.