
Another Zero-Day IE Scripting Exploit

billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."
  • BugTraq (Score:5, Informative)

    by Mz6 ( 741941 ) * on Wednesday June 09, 2004 @10:47AM (#9377702) Journal
    Posted to BugTraq 6/7.. 2 days ago...

    Here is the BugTraq Archive [securityfocus.com] link.. WARNING.. The link to this site contains OTHER links to the ACTUAL exploit as well as the source code and a non-harmless display. Use at your OWN risk. Just thought I would put out the disclaimer.

    • Re:BugTraq (Score:5, Funny)

      by IdleTime ( 561841 ) on Wednesday June 09, 2004 @10:55AM (#9377814) Journal
      Maybe I'm stupid, but what is IE?
      • Re:BugTraq (Score:5, Funny)

        by cardshark2001 ( 444650 ) on Wednesday June 09, 2004 @11:54AM (#9378633)
        Maybe I'm stupid, but what is IE?

        It is a virus used by terrorists. It stands for "Internet Exploder".

      • Re:BugTraq (Score:5, Funny)

        by mwronski ( 674652 ) on Wednesday June 09, 2004 @12:50PM (#9379338)
        IE == Infinitely Exploitable
      • Re:BugTraq (Score:5, Funny)

        by Kent Recal ( 714863 ) on Wednesday June 09, 2004 @01:00PM (#9379443)
        IE is the open RPC facility of MS Windows, similar to sun.RPC. In the early days it was shipped as a separate application. Starting with Windows XP/2000 MS decided to integrate it directly into the kernel. For the sake of convenience and performance Microsoft didn't bloat it with authentication or security features so when active basically anyone can remotely execute code on your machine in a comfortable drill&drop-fashion.

        Since IE requires the local user to be actively browsing the web in order to provide RPC service MS is working on an extension of the RPC concept to allow for asynchronous/scheduled remote code execution. Early beta-versions of the latter software (Project name Outlook) are included for evaluation with MS Office 2000/XP which can be purchased for a modest fee at your local MS retailer.

        MS Outlook supports the robust SMTP protocol for remote access so it may be considered the most reliable RPC-interface available for MS windows to date.
      • Re:BugTraq (Score:5, Funny)

        by dickiedoodles ( 728410 ) on Wednesday June 09, 2004 @01:20PM (#9379714)
        Maybe I'm stupid, but what is IE?

        Nah if you were stupid you'd be using it
    • Kudos to Norton (Score:5, Informative)

      by JMZero ( 449047 ) on Wednesday June 09, 2004 @10:58AM (#9377859) Homepage
      I tried the demonstration, and Norton popped up and prevented the thing from running. Apparently someone's on the ball somewhere.
      • Re:Kudos to Norton (Score:5, Informative)

        by JPDeckers ( 559434 ) on Wednesday June 09, 2004 @11:30AM (#9378266) Homepage
        Well, The demonstration is indeed blocked.

        But after reading the article, I tried the real installer URL, and, surprise, with Norton Antivirus (fully updated) the ad-bar WAS installed.

        As said in the article, due to various layers of encoding the javascript, detection is avoided.

        Ad-Aware luckily recognized all 34 (!!) regkeys, dll's etc.

  • by Mr. Sketch ( 111112 ) * <mister.sketch@nOSPAM.gmail.com> on Wednesday June 09, 2004 @10:47AM (#9377704)
    You can download a fix for this here [mozilla.org].
    • by TrentL ( 761772 ) on Wednesday June 09, 2004 @10:50AM (#9377741) Homepage
      Unfortunately, some businesses restrict what software the employees can install on their computer. I've written about such an experience here [spacerook.com].
      • by Mr. Sketch ( 111112 ) * <mister.sketch@nOSPAM.gmail.com> on Wednesday June 09, 2004 @10:52AM (#9377766)
        In that case it would be up to the network administrator to put secure software on the users' machines. Why would they want to take such a risk by running Internet Explorer?
        • You can't be serious! In case you haven't been following the news the past few years, most corporations dictate what goes on your machine, and unfortunately, Mozilla isn't on very many lists. At my employer, the only ones with the permissions to install anything (or ask for an alternative) are the engineering staff. Everyone else gets a locked down copy of IE, and likes it (because they ain't getting anything else). One problem is that many enterprise applications run in the browser with ActiveX and other wid
        • by codguy ( 629138 ) on Wednesday June 09, 2004 @11:43AM (#9378480)
          Idealism must mesh with reality at some point. I use Firefox, love it, and will probably never go back.

          However, there are still websites that only render correctly within Internet Explorer. The Dell website is a great example--within some of their "Premier" stores, they have a series of nested menus that are built around ActiveX controls. Thus, they only work with Internet Explorer. Try it with another browser, and duh, um, um, um, I'm clicking, I'm clicking, but nothing is happening...

          Yeah, I have actually written to Dell about this instead of just accepting it, and though I received an initial response back, I did not receive back a response when I requested they use a vendor-neutral technology like Javascript instead. Unfortunately, they would rather write a website that works for 95% of the population.

          As an end user, there is pretty much nothing I can do about this. Yes, I did my part by writing them, but unless a significant portion of their customer base does the same thing, they will not change.
          • by chromaphobic ( 764362 ) on Wednesday June 09, 2004 @12:22PM (#9379008)

            As an end user, there is pretty much nothing I can do about this.

            Yes, there is. Don't visit those sites and do not buy their products. If you just shrug your shoulders, fire up IE, and browse their site and/or buy their products anyway, why should they change it?

          • by RealAlaskan ( 576404 ) on Wednesday June 09, 2004 @01:47PM (#9380058) Homepage Journal
            Yeah, I have actually written to Dell about this instead of just accepting it, and though I received an initial response back, I did not receive back a response when I requested they use a vendor-neutral technology like Javascript instead.

            I'm guessing that you carefully explained to them why it wasn't working for you, and what they could do about it. That was kind and well-intentioned; you did most of the initial work for them. I'm sure that whoever read your emails realized that you were another of those linuks kooks that have been pestering them, and trashed your email.

            If you had written a snail-mail letter to the president of the company, saying something like:

            I went to your website to order, and I clicked and clicked and nothing happened. My friend told me it's because I wasn't using some Microsoft browser. I wanted to buy one of your machines, but I got something else instead. Dude, I'm not getting a Dell.
            You would have been recognized as part of their target demographic (unsophisticated, has money), and they would have seen a need for action. There would have been a memo from on high saying: ``Find out what happened, and make sure it never happens again.''
          • by iabervon ( 1971 ) on Wednesday June 09, 2004 @02:18PM (#9380456) Homepage Journal
            If the 95% of the population which uses IE were paying attention, they'd have ActiveX and Javascript turned off today, and be unable to access any of these sites.
          • by 1010011010 ( 53039 ) on Wednesday June 09, 2004 @02:30PM (#9380589) Homepage
            However, there are still websites that only render correctly within Internet Explorer. The Dell website is a great example.

            I've not used IE in at least a year, and I regularly buy things from Dell.com at work. Once, they did a boneheaded thing that was IE-specific and interfered with navigation of their site. I emailed their webmaster, and called Dell. I also told their sales staff that I was unable to complete my purchases online because their site was broken. And you know what? They fixed it!

            If a vendor's website doesn't work for you, call them and make them sell to you over the phone. They'll get the picture.

        • by AKnightCowboy ( 608632 ) on Wednesday June 09, 2004 @11:55AM (#9378637)
          Why would they want to take such a risk by running Internet Explorer?

          Because many web based applications require it. Our SAP system for procurement for instance requires IE 6 on a Windows box. Our Mac users must use a Citrix server to access Windows to access the system. It's very stupid to come up with such a broken system, but that's the way the cookie crumbles.

          Our time card program is another app that simply doesn't work on anything other than IE 6 on Windows.

          • by donutz ( 195717 ) on Wednesday June 09, 2004 @12:41PM (#9379253) Homepage Journal
            Why would they want to take such a risk by running Internet Explorer?

            "Because many web based applications require it. Our SAP system for procurement for instance requires IE 6 on a Windows box."


            Why use IE for all, potentially harmful web access when it's only needed for a couple applications? You could restrict IE to only work for certain sites, and make your users use Mozilla/Firefox/Opera/etc for the rest of their web. Put IE in its place, only where it's needed, and use something better for the rest!
      • by u-235-sentinel ( 594077 ) on Wednesday June 09, 2004 @10:55AM (#9377810) Homepage Journal
        Unfortunately, some businesses restrict what software the employees can install on their computer.

        I understand where you are coming from. I had to fight for my Netscape/Mozilla installation while working for a military installation as a contractor. The attitude of "One Military One Operating System" still rings through those halls. Pretty stupid attitude IMO. I would respond "One Military One Missile System". Needless to say, they didn't laugh ;-)

        Basically whenever a new worm or virus came out they were VERY busy. I was responsible for the Solaris and Linux servers and was quite amused. Occasionally I pointed out how calm my life was compared to their frantic patching sessions. Sure I had patching that was needed now and then. Certainly was nothing like their experiences :-)
      • by Sebby ( 238625 ) on Wednesday June 09, 2004 @11:02AM (#9377904)
        I'd read your story, but I'm paralyzed with fear about clicking any links now....

      • by stecoop ( 759508 ) * on Wednesday June 09, 2004 @11:02AM (#9377913) Journal
        I'm running Mozilla on a restricted computer. Go download the ZIP files and simply extract them to any folder you can write to even if that means in your home directory on unix or My documents on NT.

        Here is the path for the latest release candidate of Mozilla just unzip and run mozilla.exe:
        http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.7rc3/mozilla-win32-1.7rc3.zip

        Have Fun!
    • Re:Fix now available (Score:5, Interesting)

      by RobertB-DC ( 622190 ) * on Wednesday June 09, 2004 @10:54AM (#9377793) Homepage Journal
      You can download a fix for this here [mozilla.org].

      Or here [opera.com], for that matter. But seriously, when I started running Opera at work a couple of years ago, people would see me using something other than IE and they'd just shake their heads. Why would anyone want to use a "non-standard" browser?

      Yesterday, I had to download some MS software, and my co-worker still laughed a bit when I had to copy the URL out of Opera to IE. But there's definitely more respect now... especially since the Data Security folks just sent a company-wide email telling us to high-tail it to windowsupdate.com... again...
    • by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Wednesday June 09, 2004 @11:11AM (#9378014) Homepage
      You can download a fix for this here [Mozilla].

      First you should read this [mozilla.org] (which is known to be incomplete), and this [mozilla.org], a rather strange policy.

      Mozilla is a very nice browser, but it's not the kind of fortress most users think it is.
      • Nothing is (Score:4, Insightful)

        by bonch ( 38532 ) on Wednesday June 09, 2004 @12:09PM (#9378828)
        Nothing's a fortress, not even Linux (Hello? GNU, Gentoo, Debian, Gnome, Savannah, and more were hacked last year).

        Give Mozilla the widespread usage (which is like industrial-strength beta-testing) that Internet Explorer has and see how many holes are blown open in it. Nothing is perfect, and it's silly and arrogant to pretend one project is a perfect solution above all others. This goes for anything, from operating systems to web browsers.

        I'm an Opera user through and through, but most of my friends use MyIE, which gives them tabbed browsing, pop-up blocking, and more, but using IE's system libraries to render pages. It's their choice.
    • I am fortunate enough to go to a school where the lab computers have Firefox on the desktop by default, and as the default browser. The head lab admin is a Linux guy, and this is one of the concessions that our evil ITS made to him. Now if only they would dump exchange...sigh.
  • by Manfre ( 631065 ) on Wednesday June 09, 2004 @10:48AM (#9377708) Homepage Journal
    Workaround for this bug has been posted. "Don't click links!"
    • MOD PARENT UP (Score:4, Informative)

      by bircho ( 559727 ) on Wednesday June 09, 2004 @11:00AM (#9377880)

      Reference to Microsoft advice [slashdot.org] (he was trying to be funny, you insensitive clod.)

      .
    • Re:100% Safe IE (Score:5, Informative)

      by afidel ( 530433 ) on Wednesday June 09, 2004 @11:11AM (#9378021)
      You only THINK you are joking:

      The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself.
      linky [microsoft.com]

      This was for a previous IE link related exploit. When MS is telling you not to use their product in the most basic manner expected of the product then it should be painfully obvious that the product is broken.
  • Yet again... (Score:5, Insightful)

    by LaserLyte ( 725803 ) * on Wednesday June 09, 2004 @10:48AM (#9377710)
    This really does get boring, reading about these IE holes and vulnerabilities. I'm still at a loss to understand why a powerful global corporation in business for decades is incapable of fixing fundamental problems with their browser which are showing up again and again.

    It's entirely possible to be user-friendly and easy-to-use, as browsers such as Mozilla, FireFox and Opera show. However, seeing serious and trivial-to-exploit vulnerabilities like this popping up so frequently makes me wonder what kind of programmers actually work for Microsoft.

    I imagine the codebase for a complex feature-rich browser could get quite large and complicated, and modern browsers seem to have everything built in but the kitchen sink (in Microsoft's case, an entire OS is embedded into IE... ;), but why should a web browser EVER be capable of causing such chaos?

    A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.
    • Re:Yet again... (Score:5, Insightful)

      by tuffy ( 10202 ) on Wednesday June 09, 2004 @10:52AM (#9377771) Homepage Journal
      This really does get boring, reading about these IE holes and vulnerabilities. I'm still at a loss to understand why a powerful global corporation in business for decades is incapable of fixing fundamental problems with their browser which are showing up again and again.

      It's because they don't care. IE generates no revenue for MS and since people are willing to use it regardless of the holes, there's no incentive for them to overhaul it beyond the occasional patch.

      • Re:Yet again... (Score:4, Insightful)

        by blueZhift ( 652272 ) on Wednesday June 09, 2004 @11:35AM (#9378340) Homepage Journal
        You hit it right on the head! Microsoft simply doesn't care and have little incentive to do much about these problems. It's a real shame too, because in the early days of the browser wars, IE had some really nice hooks in it that were attractive to developers and with competition from Netscape, things stayed pretty fresh IMHO. But once Netscape was dead and the DOJ failed to do its duty, IE just froze including all of the bugs and unfinished stuff in it. I don't think there's been any new work done on IE for the last several years, which of course means that no one really knows what's in there anymore.

      • Re:Yet again... (Score:3, Interesting)

        by FireFury03 ( 653718 )
        IE generates no revenue for MS and since people are willing to use it regardless of the holes, there's no incentive for them to overhaul it beyond the occasional patch.

        But why are MS always trying to put all the other browsers out of business for something they get nothing back from?
    • Re:Yet again... (Score:5, Informative)

      by irokitt ( 663593 ) <archimandrites-iaur.yahoo@com> on Wednesday June 09, 2004 @10:54AM (#9377802)
      Even more disappointing is that this hole in IE is then used to put a file on your computer, and then the file takes advantage of a local exploit that Microsoft has known about since August of 2003. Yet they have failed to patch it.
    • by Anonymous Coward
      IE is a great OS but it lacks a decent browser...
    • by TrentL ( 761772 ) on Wednesday June 09, 2004 @10:57AM (#9377837) Homepage
      A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.

      You know when you buy new Italian salad dressing, and the oil and the spices are all separated in different layers? That is what good software architecture is supposed to look like.

      Now, shake up the bottle. That is what Microsoft software looks like.
    • Re:Yet again... (Score:3, Informative)

      by Rhys ( 96510 )
      Given some of the CS students I've seen leaving both the BS and MS portions of UIUC's CS program for microsoft, not very good.
  • by BoxOfCuriosity ( 766117 ) * on Wednesday June 09, 2004 @10:48AM (#9377713)
    I am beginning to feel if I am going to be screwed by microsoft they should buy me dinner and a movie first...

    Off to check for updates.
  • by the_rajah ( 749499 ) * on Wednesday June 09, 2004 @10:49AM (#9377723) Homepage
    The IE security issue du jour.. How about an MS update that simply shuts down all that extra junk by default instead of leaving it open for average Joe User? Make them turn it on if they absolutely need it for whatever reason. Duh!!

    "Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
    • Funny enough, that seems to be the way Microsoft is heading with XP SP2. Automatic Updates turned on by default, Windows Firewall greatly improved and turned on by default, IE set to a higher default security level, the Messenger service disabled by default, and more.
      • by JohnnyComeLately ( 725958 ) on Wednesday June 09, 2004 @11:05AM (#9377945) Homepage Journal
        At the risk of being redundant, though, you're still at their mercy of updates. It's a false sense of security and I think most educated users want control of upgrades/patches.

        My Favorite quote was at the end:

        With the code already available on the Net, this is effectively a security nightmare ... unless you're a Mozilla or Opera user that is.
        Even though I like Unix, suffer through Linux, and use Mozilla for mail, I prefer Explorer. Despite that preference, though, I use Opera now 80% of the time for exactly the reason of this parent article. I have other things to do than keep abreast of the latest hole M$ has been ignoring or constantly patching.
  • javascript (Score:5, Insightful)

    by checkitout ( 546879 ) on Wednesday June 09, 2004 @10:51AM (#9377756)
    I'm sorry... javascript is a requirement on the modern web. If you are afraid to leave it on, you might want to look into switching browsers. Next you'll tell us cookies are "tracking you" and you should turn that off as well.
    • by stienman ( 51024 ) <.adavis. .at. .ubasics.com.> on Wednesday June 09, 2004 @11:03AM (#9377922) Homepage Journal
      I'm sorry... javascript is a requirement on the modern web. If you are afraid to leave it on, you might want to look into switching browsers. Next you'll tell us cookies are "tracking you" and you should turn that off as well.

      Fortunately my optimism filter translated your statement
      I'm sorry... java is a requirement on the modern web. If you are afraid to drink it, you might want to look into switching liquid diets. Next you'll tell us cookies are "yummy" and you should visit the vending machine as well.

      Unfortunately, it's playing heck with my diet.

      -Adam
  • by Animats ( 122034 ) on Wednesday June 09, 2004 @10:57AM (#9377838) Homepage
    Web site design today needs to eliminate JavaScript, as more people turn it off. It's important that your e-commerce site be able to process a sale without JavaScript. If it can't, you're losing customers.

    Turn off JavaScript and try to buy something from your site. If you can't, you have a problem. Yes, you. Not your customer. You, the web designer.

    • by TrentL ( 761772 ) on Wednesday June 09, 2004 @11:07AM (#9377968) Homepage
      But some sites REALLY require JavaScript. For example, in Hotmail (yes, another MS creation), none of the links are really links. They are JavaScript function calls, which in turn redirect to the page. I don't want to whore my website too much today, but I have a pic here. [spacerook.com] Hotmail is just one example. There are other sites that do this as well.

    • If it can't, you're losing customers.


      You have to measure the customers you get through faster, or better, vs the ones you lose. Considering most people.. and most meaning everyone minus a tiny percentage.. have js enabled, either 'cause they are clueless or understand it, you aren't losing much.
    • by JimDabell ( 42870 ) on Wednesday June 09, 2004 @11:11AM (#9378018) Homepage

      Web site design today needs to eliminate JavaScript, as more people turn it off.

      You're wrong. Javascript doesn't need to be avoided, it needs to be used sensibly. When it's used in the right way, it can improve the usability of a website.

      Just because a website uses Javascript, it doesn't mean that it locks out those who have switched it off. The key is to educate the clueless Javascript abusers that do things like <a href="javascript:... or <a href="#" onclick... so that they don't lock people out.

    • by lpangelrob2 ( 721920 ) on Wednesday June 09, 2004 @11:14AM (#9378068) Journal
      Right... so it's time to turn to Struts and JSPs for validation every form on our site. While I'm at it, we should probably contact every third party vendor that helps us track things at our hundreds of millions of dollars in revenues / year site and tell them, oh, can you send us an implementation of your software that's not Javascript?

      While we're dealing with the extra load processing validations that used to be client side (you know, the extra load only a few hundred thousand users visiting every day can generate), maybe then we can start explaining to the people that actually make the decisions why doing all of the above made our site more inconvenient, not less.

      Or maybe a certain large company can actually take some responsibility and help make more secure the tools that we need for our business to work effectively.

      Disclaimer: usually, the people that know how to turn off Javascript are the ones that are capable of inputting data into a form the right way the first time, so we don't have a big problem with that.

      • by pesc ( 147035 ) on Wednesday June 09, 2004 @11:27AM (#9378227)
        Right... so it's time to turn to Struts and JSPs for validation every form on our site.

        Yes, because you can't trust the client! You can't trust that the client has javascript turned on. You can't even trust that he is running a web browser. He may be running some cool scripts and POSTing whatever malicious data he thinks would be fun to try.

        Really, if it is important to validate your data you need to do it on the server!
      • by radish ( 98371 ) on Wednesday June 09, 2004 @11:51AM (#9378587) Homepage
        Are you crazy? Client side validation is _only_ useful for cosmetics, being able to alert the user to an error before they submit the form. Anyone who doesn't validate everything on the server is just bending over and asking for it...
      • While we're dealing with the extra load processing validations that used to be client side

        If you're not validating data server-side then you are asking for trouble - Client side validation makes things nicer for the end user since they are told about invalid data sooner, server-side validation stops someone (intentionally or unintentionally) entering junk into your systems. And remember that allowing a user to enter junk is potentially destructive to your systems. You should really be doing both client side and server side validation - the client is untrusted so never trust that the data coming from the client is valid, even if you _think_ it probably went through a validator on their end.
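
The point made in the three replies above (the client is untrusted, so every field is checked again on the server whether or not client-side JavaScript already checked it), as an added example that is not part of the original thread. The field names, limits and sample request bodies are assumptions constructed for illustration.

```javascript
// Added example: server-side re-validation of an order form POST body.
// Field names and limits are hypothetical; the server applies them to the
// raw request body, never assuming the browser's JavaScript checks ran.
const RULES = {
  sku:      v => /^[A-Z0-9-]{1,20}$/.test(v),
  quantity: v => /^[0-9]{1,3}$/.test(v) && Number(v) >= 1 && Number(v) <= 100,
  email:    v => v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
};

function validateOrder(rawBody) {
  if (typeof rawBody !== 'string' || rawBody.length > 2048) {
    return { ok: false, errors: ['body missing or too large'], order: null };
  }
  const params = new URLSearchParams(rawBody);
  const errors = [];
  const order = {};

  // Reject fields the form never contained (e.g. a client-supplied price).
  for (const name of new Set(params.keys())) {
    if (!Object.prototype.hasOwnProperty.call(RULES, name)) {
      errors.push(`unexpected field: ${name}`);
    }
  }

  // Every expected field must appear exactly once and pass its rule.
  for (const [name, isValid] of Object.entries(RULES)) {
    const values = params.getAll(name);
    if (values.length !== 1) {
      errors.push(`${name}: expected exactly one value, got ${values.length}`);
    } else if (!isValid(values[0])) {
      errors.push(`${name}: invalid value`);
    } else {
      order[name] = values[0];
    }
  }

  if (errors.length > 0) return { ok: false, errors, order: null };
  order.quantity = Number(order.quantity);
  return { ok: true, errors: [], order };
}

// Constructed sample bodies (application/x-www-form-urlencoded).
// What a browser with working client-side checks would send:
const SAMPLE_BROWSER = 'sku=ABC-123&quantity=2&email=buyer%40example.com';
// What a script that skips the page's JavaScript could send:
const SAMPLE_SCRIPTED = 'sku=ABC-123&quantity=-5&email=buyer%40example.com&price=0.01';
// Duplicate parameter, which client-side checks on a single input never see:
const SAMPLE_DUPLICATE = 'sku=ABC-123&quantity=1&quantity=999&email=buyer%40example.com';

for (const body of [SAMPLE_BROWSER, SAMPLE_SCRIPTED, SAMPLE_DUPLICATE]) {
  console.log(JSON.stringify(validateOrder(body)));
}
```
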
  • Troubling... (Score:4, Informative)

    by GillBates0 ( 664202 ) on Wednesday June 09, 2004 @10:57AM (#9377850) Homepage Journal
    More trouble, IMHO than the current slew of worms which can be rendered harmless simply by using a firewall.

    Exploits like these, on the other hand, are akin to a passive attack from the inside (like an infected laptop connected from inside the firewall) but are even more serious, because very little action is required on part of the user to affect the attack and *very* difficult to monitor and contain.

  • by dasmegabyte ( 267018 ) <das@OHNOWHATSTHISdasmegabyte.org> on Wednesday June 09, 2004 @10:57AM (#9377851) Homepage Journal
    See, this is why I stay away from malicious web pages in the first place. You just can't trust those things!
  • Turn off javascript? (Score:4, Interesting)

    by The Fanta Menace ( 607612 ) on Wednesday June 09, 2004 @10:58AM (#9377861) Homepage

    I'd *love* to turn off Javascript, but there's so many idiots that use it in their webpages these days that using a large proportion of the web would be impossible.

    Not that this current problem affects me, since I use Galeon, but still, I'd love to see the end of Javascript...

  • Symantec (Score:5, Informative)

    by mrgrey ( 319015 ) on Wednesday June 09, 2004 @10:59AM (#9377866) Homepage Journal
    Symantec catches this vulnerability as the following:

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Downloader.Trojan
    File: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\67HK1KWV\installer[1].html
    Location: Quarantine
    Computer: Computer
    User: User
    Action taken: Quarantine succeeded : Access denied
    Date found: Wednesday, June 09, 2004 11:56:26 AM

    Most corporations should have little to worry about.
  • by mrn121 ( 673604 ) on Wednesday June 09, 2004 @11:00AM (#9377879) Homepage
    "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page."

    This isn't the only occurrence of such an exploit. Windows machines can also be easily owned by a single click on Dell.com. I believe it is the "Buy it now" button.

  • by mikemulvaney ( 24879 ) on Wednesday June 09, 2004 @11:01AM (#9377895)
    Doesn't zero-day mean that the bug came out the same time as IE? Didn't IE come out several years ago? And if one of these is already fixed in SP 2, that doesn't sound exactly zero-day either.
    • by Mz6 ( 741941 ) * on Wednesday June 09, 2004 @11:05AM (#9377944) Journal
      Get out of your pirate 0-day mindset and into a security one.

      Usually, people that find a security hole will keep it to themselves and alert the vendor about it. Then, giving them substantial time (in Microsoft's case) to fix the hole, you can release the hole and how it was exploited. When a hole is released in the wild without the vendor knowing about it, it's called 0-day.

    • by irokitt ( 663593 ) <archimandrites-iaur.yahoo@com> on Wednesday June 09, 2004 @11:07AM (#9377974)
      Zero-day means the exploit was created on the same day the bug was found. For example, if somebody finds a hole in Apache (to pick a random software title) but nobody begins to exploit it until, say, a week later, it is not zero-day. This thing was so simple to exploit that somebody already has a working exploit running.
  • eggs in one basket (Score:4, Insightful)

    by Cheeze ( 12756 ) on Wednesday June 09, 2004 @11:01AM (#9377898) Homepage
    I bet most of the people on slashdot are aware of the constant problems with IE/Windows. Maybe if Microsloth got smart, they would include a popup with minesweeper and Solitaire that would check their systems for vulnerabilities while they were playing the game. If it automatically patched their systems, GREAT.

    I think something like that would knock out most of the vulnerable sales people, secretaries, and executives in the business world.
  • by Da_Slayer ( 37022 ) on Wednesday June 09, 2004 @11:06AM (#9377967)
    Another IE security problem, are you surprised by this? Let's make an insecure piece of software that integrates into our operating system with portions of it running at Ring Zero. This allowing whatever malicious code/hacker to gain access to your system.

    Now most people recommend just switching to Linux. Yeah that works. But what about those hacked Windows PCs that happen to be remotely controlled? Some are sending SPAM others are used for DDoS attacks and others just scan all the IP space they can get ahold of.

    It is a vicious cycle which has been growing more pronounced over the past 4 years. The only real solution to this problem is to inform people. Don't just tell people to use something else.

    Explain the advantages of using a different program. In this case explain how Mozilla or Opera being separate programs with different internal works and security systems are not going to be compromised as easily.
  • by cyberlotnet ( 182742 ) on Wednesday June 09, 2004 @11:12AM (#9378039) Homepage Journal
    The exploit page in reference installs a toolbar that causes your searches to be redirected to

    http://www.i-lookup.com

    If you go to that page, what is the top search.

    Uninstall spyware.

    People get infected and use their own search to find a product to fix the problem.

    Anyway, enough with the fun stuff, How about someone, the FBI or some agency go after who ever owns www.i-lookup.com.

    i-lookup.com
    production
    Aztec Marketing S.A.
    aztecmanager@hotmail.com
    Sabana sur
    Supermercado AM PM
    San Jose
    Costa Rica
    ns1.dnsoutofcountry.com
    ns2.dnsoutofcountry.com

    Come on, we helped raid drug lords in Colombia, we ferreted out Saddam and are still chasing bin Laden.

    Why not use the long arm of the law to give this ahole a major smack down!!!
  • by Lucky Kevin ( 305138 ) on Wednesday June 09, 2004 @11:16AM (#9378080) Homepage
    I've managed to get my parents and my girlfriend's parents to switch to Firefox. I have also got several non-computing friends to use it. I use it on my Mac, Windows PC and my Linux server, it's great and secure.

    Most people, of course, have never heard of Firefox.

    Why don't the "responsible" PC magazines who complain about all these security issues push Firefox? Are they worried about their advertising revenues? Maybe they just don't know any better.
    • Why don't the "responsible" PC magazines who complain about all these security issues push Firefox?

      Because the second you go from reporting security holes to advocating one product over another, you are vulnerable to being labelled biased.

      If the article is a review of what browsers are available, then sure, you have the freedom of putting your opinion across. But that doesn't mean that you have the leeway to push one product over another every time the topic comes up.

    • Most people, of course, have never heard of Firefox.

      And a few who have heard of it don't use it. Case in point: My father complained of popups and spyware. I used AdAware and installed Firefox for him. After a few weeks, he said he didn't want to use it because pages "didn't work." (Provided no examples of what didn't work, probably ActiveX exploits.) He tried to remove AOL because he got broadband, and this broke IE. I tried to fix it, but that didn't work. So now he is paying $25/month for AOL just becau

  • "Single click" (Score:5, Insightful)

    by gmuslera ( 3436 ) on Wednesday June 09, 2004 @11:17AM (#9378100) Homepage Journal
    That single click could be avoided thru javascript or some other active content? i.e. can't one be vulnerable for only loading a page?

    And worse, that happens in every IE descendant? There are a lot of "alternative" browsers that use the IE engine to render html, sites, help files, whatever to show their content, including especially Outlook (and that probably will mean a new mail worm in the next few days).

  • Why on earth... (Score:3, Insightful)

    by adulttoys ( 786815 ) on Wednesday June 09, 2004 @11:20AM (#9378141) Homepage
    Do people even use IE anymore? Is there some advantage, or is it just lack of interest/knowledge to get a new browser?

  • SP2 is not beta (Score:5, Informative)

    by Barlo_Mung_42 ( 411228 ) on Wednesday June 09, 2004 @11:25AM (#9378199) Homepage
    It is RC1 and it is available here [microsoft.com]
  • Exploit analysis (Score:5, Informative)

    by gmuslera ( 3436 ) on Wednesday June 09, 2004 @11:27AM (#9378224) Homepage Journal
    As it is not directly linked by the story, in http://62.131.86.111/analysis.htm [62.131.86.111] there is an analysis of the exploit that looks very helpful to understand why and how it works.

    As always, it is the design problems from the start that are exploited here; artificial solutions like separating the internet into "zones" (local, trusted, etc.) are just patches that don't resolve the core problem, so it still has more holes than a Swiss cheese.

  • by Darth Cider ( 320236 ) on Wednesday June 09, 2004 @11:36AM (#9378363)
    IE never gives me problems because I'm using it on a Mac (OS9). In 10 years I've never been touched by an exploit, worm or virus. Windows users will be patching and updating through the next 3 generations of hardware, as they have been since 486 days. Please, this isn't flamebait. I prefer IE over Opera, Mozilla (Netscape), and everything else. (Although Wannabe is a great text-only browser--lean and fast.) The problem is definitely in the OS. And to the usual astroturf reply, "just wait til exploit writers target Macs," it's not going to happen for the lifetime of the Mac I'm on, during which I will have peace of mind. How many more exploits will we read about on Slashdot in that timeframe? Guesses?
  • by NitroWolf ( 72977 ) on Wednesday June 09, 2004 @11:37AM (#9378374)
    I clicked on the link, what's the big deal? It didn't do anything but pop up a hollow box in the window.

    Nothing installed, my system didn't crash. There were no apparent ill effects to clicking on that.

    So why is everyone so worked up? I use Windows XP every day for some of my work, and haven't had a problem with malicious web pages in over a year.

    I've been using FireFox for over a year, but that's probably just a coincidence.

  • by Dodger73 ( 654030 ) <opiesche@@@yahoo...com> on Wednesday June 09, 2004 @11:43AM (#9378478) Journal
    This kind of thing has become a serious problem. And no, up-to-date antivirus software and Windows' builtin firewall are not the answer.

    The problem with this one is that, by the time a client's antivirus software is up to date for the latest viruses, worms, and exploits, the damage is already done. I have had Windows boxes on which the antiviruses were updated twice daily - just to find that by the time I had received the update, the malicious software had already been on the machine. God knows for how long.

    On a Windows box at home, despite antivirus software, Windows' builtin firewall and a 3rd party firewall software, I once counted 12 (!) different infections within less than 24 hours.

    Interestingly enough, it's gotten much better for me at home since I've been running my Windows box through a Linux gateway. Still, stuff slips through, but it's on the order of one a week or so. This has taught me one lesson:

    If you have to run Windows on a machine connected to the net, for your own sake and the sake of others you're prone to infect, run a reliable hardware router with a reliable firewall, or take an old computer and run a Linux gateway/router. You wouldn't believe how much trouble you'll spare yourself.
  • by landoltjp ( 676315 ) on Wednesday June 09, 2004 @11:48AM (#9378552)

    Dutch researcher Jelmer [...] embarked on a detailed analysis of the link, which demonstrates an extremely sophisticated use of encrypted code.

    Hmm... I hardly consider using the (unfortunately) existing Script encoding feature in IE to be 'sophisticated'. Besides, for those who are not DMCA-encumbered, here is a program [virtualconspiracy.com] to Decode [virtualconspiracy.com] the Javascript contained in the "JScript.Encode" areas. (The author of the script has an interesting and informative article on what a piece of crap the JScript.Encode function is, and it can be found here [virtualconspiracy.com])

  • by Anonymous Coward on Wednesday June 09, 2004 @11:52AM (#9378603)
    0-day does not mean that there is "no-fix". No-fix just means that it is currently exploitable.

    0-day hacks by definition are generally unknown. They may have been newly discovered, they may have been discovered by someone ages ago. The key is that they are generally unknown, and therefore can be used as a sort of currency (having discovered or having access to a 0-day can get you into groups that trade in such things), or can be utilized as a last ditch approach at compromising a machine you absolutely need to compromise (actually using a 0-day for something mundane would be a tremendous waste of a valuable resource).

    This is just another publicly visible hack of IE. And thinking about it, go ahead and call them 0-days, those in the know, know better, those that don't... Well who cares.
  • by Frobozz0 ( 247160 ) on Wednesday June 09, 2004 @11:55AM (#9378638)
    I love how so many articles contain ridiculous jabs thrown in right after the fact-finding portion. Disable Javascript? LOL. What the h-e-double-hockey-sticks is the submitter thinking?

  • by shaitand ( 626655 ) * on Wednesday June 09, 2004 @01:10PM (#9379575) Journal
    Get rid of IE. True you can't uninstall it, but you can at least use a different default browser.

    If you're a network administrator and there are certain websites that are needed for work and require IE, that's simple enough to solve.

    Install a proxy, set IE to use that proxy and have the proxy only allow those websites to load. Then pre-load IE with those favorites. Finally have every user send each company an email a day bitching about their broken software.

    The additional cost of the IE proxy, well simply explain to management that is part of the overhead of using Windows and IE. Further explain that website X, X, X, X are security holes and that for now you've got to do the best you can to get around it. When they balk at the security thing, explain that at least weekly for the past couple years there has been a vulnerability in IE which could have given complete access to accounting.

    That puts things in perspective. Now you can use Mozilla/Firebird, users can still browse those sites they need for work that are IE only. And the boss is aware that Microsoft = serious security risk, one that would allow someone else to take their money and devalue the company stock.
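
The proxy-plus-allowlist setup described in the comment above, sketched as a proxy auto-config (PAC) file; this is an added example, not part of the original comment. The hostnames and proxy address are placeholders, and the code stays in ES3 syntax because older IE script engines reject newer JavaScript. A PAC file only steers the browser, so the proxy itself has to enforce the same list.

```javascript
// Sites the legacy browser may reach (placeholder names, not from the thread).
var ALLOWED_SITES = ["intranet-app.example.com", "vendor-portal.example.net"];
var IE_PROXY = "PROXY ieproxy.corp.example:3128"; // hypothetical filtering proxy
var BLACKHOLE = "PROXY 127.0.0.1:9"; // assumes nothing listens on local port 9

// Lower-case the host and strip any :port and trailing dot before comparing.
function normaliseHost(host) {
  return String(host).toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
}

// True when h is a subdomain of site, matched on a label boundary.
// A plain "ends with site" test would also accept evil-intranet-app.example.com.
function isSubdomainOf(h, site) {
  var tail = "." + site;
  return h.length > tail.length &&
         h.substring(h.length - tail.length) === tail;
}

// Allow exact matches and true subdomains only; refuse anything malformed.
function isAllowed(host) {
  var h = normaliseHost(host), i;
  if (h === "" || /[^a-z0-9.\-]/.test(h)) { return false; }
  for (i = 0; i < ALLOWED_SITES.length; i++) {
    if (h === ALLOWED_SITES[i] || isSubdomainOf(h, ALLOWED_SITES[i])) {
      return true;
    }
  }
  return false;
}

// PAC entry point: allowlisted hosts go through the filtering proxy,
// everything else is sent to a dead address so the request fails closed.
function FindProxyForURL(url, host) {
  return isAllowed(host) ? IE_PROXY : BLACKHOLE;
}
```
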
  • by hopethishelps ( 782331 ) on Wednesday June 09, 2004 @03:16PM (#9381153)
    As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway.

    What a load of rubbish. You're right about Active Scripting, but there's nothing wrong with Javascript, and sensible use of Javascript makes the whole web more responsive.
    For example, when you fill in a form, local Javascript should validate the entries whenever possible. This gives much quicker feedback to the user because it avoids a round-trip to the server (and it reduces the load on the server as well). We need more sites doing this, not fewer.
    (Of course, all validation has to be repeated on the server, but "pre"-validation is still a huge time-saver, bandwidth-saver, and server-load-saver).
