Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Internet Explorer The Internet Security

4 New "Extremely Critical" IE Vulnerabilities 1081

TopherTG writes "Buckle your seat belts folks. On what is looking to be the next Black Tuesday, with rumors of 9 new Windows security patches being released, Secunia is reporting on 4 new vulnerabilities in IE that allow for arbitrary code execution and placing content over other windows. Combined with the new Windows patches, it is likely more Download.Ject and Sasser like viruses will be emerging in the coming months."
This discussion has been archived. No new comments can be posted.

4 New "Extremely Critical" IE Vulnerabilities

Comments Filter:
  • by D-Cypell ( 446534 ) on Tuesday July 13, 2004 @10:46AM (#9686754)
    At what point do we need to shift the focus here and start posting slashdot stories when they find some code in IE that actually works?
    • by slash-tard ( 689130 ) on Tuesday July 13, 2004 @10:48AM (#9686786)
      Im just glad I use AOL to get my interweb.
    • by Grey Ninja ( 739021 ) on Tuesday July 13, 2004 @10:54AM (#9686906) Homepage Journal
      Well, we know for sure at this point that ActiveX works. And the code for creating popups is working quite nicely. Of course, there is the odd time that when autoinstalling some ActiveX controls to autospawn more popups, and creating some more popups at the same time, it can go into an infinite loop and crash, but on the whole, it works quite nicely. =)
    • by Anonymous Coward on Tuesday July 13, 2004 @11:01AM (#9687020)
      At what point do we have /. change the IE topic icon to have bugs crawling all over it and eating holes?
    • Be Fair! (Score:5, Insightful)

      by ackthpt ( 218170 ) * on Tuesday July 13, 2004 @11:24AM (#9687374) Homepage Journal
      At what point do we need to shift the focus here and start posting slashdot stories when they find some code in IE that actually works?

      IE works, it does some things well. Anyone who remembers many of my posts over the years knows I'm no fan of Microsoft, but their browser does work. Effectively it's not the browser that's broken, but their implementation and bundling. Where Mozilla or Opera are stand alone applications, IE has links directly into the OS which make the vulnerabilities. If Microsoft had simply played by the same rules everyone else had to, there would have been far fewer problems for them and far fewer embarassments for them.

      When competitors and gadflies all pissed and moaned about Microsoft playing unfairly with this bundling strategy, which most of their non-directly-Operating-System software is built following, it wasn't the DoJ or courts that should have been listening, but Microsoft themselves.

      Perhaps there should be a Darwin Awards for software, awarded to those companies which continually hoist themselves by their own petard.

      • Re:Be Fair! (Score:5, Insightful)

        by Grey Ninja ( 739021 ) on Tuesday July 13, 2004 @11:32AM (#9687479) Homepage Journal
        If I hadn't already replied to this discussion, I would mod you up for that. I am a web developer who develops for an IE only intranet, so I have learned to hate the browser more than... well, much of anything. It's easy for me to forget that the browser DOES do some things right.

        But I maintain that is very old by this point, and is not wearing its age very well. Security problems such as these indicate to me that Microsoft should really just sit down with their code at some point soon and fix what's wrong. IE at the core does have the potential to be a good browser, in that I agree with you, but in its present state, I just think that it's nowhere even close to being good, let alone the best.
        • Re:Be Fair! (Score:5, Insightful)

          by Entropius ( 188861 ) on Tuesday July 13, 2004 @11:58AM (#9687852)
          What, honestly, does it do right that other browsers consistently get wrong? This isn't a rhetorical question--I'm curious.

          The rendering engine is slow (compared to Opera, so I'm a bit spoiled), the user interface is missing things that competitors have had for a while (mouse gestures? popup blocking? selective image/cookie blocking? tabbed browsing?), and it's got the aforementioned security issues.

          IE stores each individual cookie and each individual cache object in its own file. I have seen computers (P2/350 on win98 with ~10K cache objects) get slowed to a crawl by this. Might be a good idea on reiserfs, but fat32 (and probably ntfs) choke and die on this.

          Sure, there are websites that only work in IE. That's partly because people design them to be bug-compatible with it, and partly because any website that doesn't work in IE won't get published.
        • Re:Be Fair! (Score:5, Insightful)

          by ackthpt ( 218170 ) * on Tuesday July 13, 2004 @12:02PM (#9687904) Homepage Journal
          But I maintain that is very old by this point, and is not wearing its age very well. Security problems such as these indicate to me that Microsoft should really just sit down with their code at some point soon and fix what's wrong. IE at the core does have the potential to be a good browser, in that I agree with you, but in its present state, I just think that it's nowhere even close to being good, let alone the best.

          As an old programmer, I recognize this as the great hazard of integrating applications into an operating system. Changes to the app require changes to the OS. Change the OS and you should test the app still works. It does get very long of tooth and requiring too much bubble gum and bailing wire to keep going as the becomes ever more fragile. This is why Microsoft, of all people, should have been wary of this practice.

          I've been one not to bypass APIs and try tweaking operating systems, file structures, etc. manually as there's always the possibility the feature may cease to work or produce unexpected and disasterous effects. When Microsoft changes the OS the API should still work and largely does for those apps built upon it. All this messing about with the OS, though, when there are dependencies upon dependecies directly connected to the OS is bound to falter.

          What Microsoft should do, but probably won't until it becomes excedingly painful (isn't it already? with the Dept of HL Sec. issuing an advisory against using it?) is start over and obey the developer rules they insist everyone else does, but they ignore.

          Slighly OT, but underscoring the point I think: Years ago I anticipated with baited breath the arrival of Ultima V for the Amiga. I had an A2000 all decked out with HD, memory, all the toys. Comes the software and I find it behaves really oddly with the keyboard. A few inquiries reveals Origin Systems outsourced the coding to some house in the UK who ignored the APIs and coded to access the keyboard directly. Unfortunately their development platform was the A500, which handled the keyboard differently, thus all other versions had great problems. If they hadn't tried to be so damn clever it would have been a big success as a product and everyone would have been happy. As it was people like me saw red and wanted blood. The platform and software may change, but people still respond the same to betrayal. In this case it's Microsoft who has betrayed the customerbase as well as themselves on a very poor path of development decision making, attempting to outdo their competition.

    • by FireFury03 ( 653718 ) <<slashdot> <at> <nexusuk.org>> on Tuesday July 13, 2004 @11:29AM (#9687443) Homepage
      Oh hang on, there's a 'Y' in the day, time for another windows security hole :)
  • "Trusted Computing" (Score:5, Interesting)

    by KevinKnSC ( 744603 ) * on Tuesday July 13, 2004 @10:47AM (#9686758)
    I especially liked this part:

    An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta). This issue could not be confirmed on a fully patched Windows XP SP1 system.

    So SP2, which is supposed to make Windows super-safe (even at the expense of backwards-compatibility in some case) may have actually introduced an IE bug.

  • surprise (Score:5, Funny)

    by birdwax2k ( 787311 ) on Tuesday July 13, 2004 @10:47AM (#9686764)
    surprise, surprise...all i want to know is why you need 9 patches for 4 holes. maybe the first patch fixes 1 and creates 5 more?
  • The /. Pool (Score:5, Funny)

    by CommanderData ( 782739 ) * <kevinhi@y[ ]o.com ['aho' in gap]> on Tuesday July 13, 2004 @10:47AM (#9686766)
    Sorry Funkdid [slashdot.org], your bet [slashdot.org] of Wednesday for the next IE exploit was incorrect. However according to Price is Right rules your bet is the closest without going over, so you win!

    Your prize today is 9 shiny new windows patches! And a new car!
  • by Anonymous Coward on Tuesday July 13, 2004 @10:47AM (#9686771)
    A spokesman for Microsoft said, "These are the last 4, we swear!"
  • by Anonymous Coward on Tuesday July 13, 2004 @10:48AM (#9686776)
    I'm switching to Lynx.
  • Why don't... (Score:5, Insightful)

    by Iphtashu Fitz ( 263795 ) on Tuesday July 13, 2004 @10:49AM (#9686803)
    ... all the antivirus companies like Symantec, Sophos, etc. just start classifying IE as a virus. Get rid of IE and most of these viruses/worms will have nowhere to go.
    • simple answer (Score:5, Insightful)

      by MORTAR_COMBAT! ( 589963 ) on Tuesday July 13, 2004 @10:56AM (#9686951)
      because thousands of very large companies (you know, the ones which actually pay for symantec software?) standardised all of their internal applications on IE -- basically meaning they invested millions (billions?) of dollars writing internal web applications which work in IE but no other web browsers. a huge mistake, yes, but you're talking about re-write work on the order of a hundred or so million dollars.
      • Re:simple answer (Score:5, Insightful)

        by chris_mahan ( 256577 ) <chris.mahan@gmail.com> on Tuesday July 13, 2004 @11:04AM (#9687088) Homepage
        Not hundreds of millions. Billions, tens of billions.

        Because you lose business continuity (all those programmers have to stop doing what they were doing to rewrite the apps, then pick up again later on to waht they were doing, and hopefully haven't forgotten it all), as well as lost opportunities (all that new functionality they could have written instead of unIEfiying their webapps) and all the money the business units lose because they lost the use of the tools that were not developed.

        Also, you have to assume that the programmers _can_ rewrite enterprise quality apps in non-browser specific code. That's a stretch as well.

        Pulling a number out of my hat, I would say that less than 50,000 programmers in the US can write xhtml+ccs2 compliant code (not that they do--a lot less do, but at least they can.)

        As far as companies being burned: suckers. They believed the FUD, bought it hook, line, and sinker, and now, they are royally funked. Oh well. I'll take that paycheck thank you very much.
      • Sucks to be them (Score:5, Insightful)

        by blunte ( 183182 ) on Tuesday July 13, 2004 @11:30AM (#9687465)
        That's why IT management, starting from the top down, needs to plan better.

        There is nothing revolutionary, even using ActiveX, that can be done in IE that cannot be done by other means with non-IE browsers.

        The only significant benefit to doing IE-only development is the streamlined development tools.

        This reminds me of a story I heard as a kid... The Three Little Pigs. Sure you can build a straw house quickly, but is it a long-term solution?

    • Re:Why don't... (Score:5, Interesting)

      by Unnngh! ( 731758 ) on Tuesday July 13, 2004 @10:57AM (#9686962)
      Nowhere to go except, of course, for the next weakest link on the internet-based software chain. You will never be able to create a product that is immune to this type of attack. Using another product will only spell disaster for that product somewhere down the road.

      IE is lacking in functionality compared to Mozilla, and the MS development cycle is inadequate to respond to this type of problem, IMO--but the only way to stop the malware is to stop the malware authors. Bounties work, but to really stop them, we would have to sacrifice a lot of privacy which the internet still (sort of) affords.

      • Re:Why don't... (Score:4, Insightful)

        by BiggsTheCat ( 460227 ) on Tuesday July 13, 2004 @11:42AM (#9687622)
        > /Nowhere to go except, of course, for the next weakest link on the internet-based software chain./

        Indeed. Still, though no software is perfect, I still think we'd be a lot safer on Firefox or any browser that doesn't so heavily tie itself to ActiveX and the Windows core.

        > /the only way to stop the malware is to stop the malware authors. Bounties work, but to really stop them, we would have to sacrifice a lot of privacy which the internet still (sort of) affords./

        Well, yeah, but let's not go the way of Homeland Security for the sake of tracking down script kiddies. One important step would be to require all code coming in from the Internet be signed. Now, you would have to know who published the code before we would install it. Also, any system that allows stuff to be installed in the background with no warning is dangerous. Windows could do like Mac OS X and require the user to enter their password before any system-level actions could be attempted. Also, they could use the Java sandbox idea where untrusted code is locked down.

        The problem is not that dangerous code /can/ be written, nor that script kiddies can write dangerous code. The problem is that dangerous code can slip deep into your operating system without providing any notice.
  • Mainstream Media (Score:5, Interesting)

    by aghorne ( 583388 ) on Tuesday July 13, 2004 @10:49AM (#9686812) Homepage

    How long is it going to be before some big mainstream press picks these recursive stories up and starts recommending people try another web browser?

    And is there anything we can do to get this in the press?

    • Re:Mainstream Media (Score:5, Interesting)

      by DrAegoon ( 738446 ) on Tuesday July 13, 2004 @11:18AM (#9687289)
      It's already starting. When I visited my (non-techie) parents last week both of them had heard news on the TV or radio about the IE exploit. My dad actually asked me to install Firefox because the story he heard had mentioned it was safer than IE. In a perfect world the mainstream media would keep this up and give Microsoft a real reason to write better code.

      Unfortunately we live in the real world. If Micorsoft kept getting large amounts of bad press every time it announced a new exploit it would try even harder to hide the flaws instead of releasing a fix.
    • by NanoGator ( 522640 ) on Tuesday July 13, 2004 @11:23AM (#9687349) Homepage Journal
      "How long is it going to be before some big mainstream press picks these recursive stories up and starts recommending people try another web browser?"

      How come you guys are just sitting on your hands hoping the media picks it up instead of pooling your money together and getting a commercial on TV?
      • by electroniceric ( 468976 ) on Tuesday July 13, 2004 @12:11PM (#9688014)
        While the sitting on the hands question is a fair one, the proper answer is not a commercial - you'll never raise enough money to reach more than a thousand or tens of thousands of people - but media "scandal seeding".

        1) Write one or more versions of a news story (many, many stories in the media are dropped in essentially as they were delivered to the media). Hopefully this includes a "human interest angle", like Grandma Sally being redirected goatse.cx or giving up her CC number to ch.ase.com. Use only a minimal of substantive or technical details to avoid people who don't want to think through them. Yes, this is doing reporters' work for them, but that's how you get stuff in circulation when you're outside the loop.

        2) Call (email might work, but probably not as well) the editors of Style/Living/Consumer Affairs pages of newspapers and TV stations and pitch em the story. Again, this is reporter work, but it gets the story in the news.

        3) Lather, rinse, repeat. Fan the flames by providing more juicy details with human interest angles - disgruntled MS employee, evidence that problem is far wider than acknowledge "they don't want to you to know this...", speculations about apocalyptic collapses of the economy. Involve porn to feed the public's prurient side. Modify the story a bit for consumption by other stations/papers/etc as it evolves.

        This is how most political scandals evolve - someone plants the story and fans the flames for a week or two in the public gets tired of it. To do real damage, you sync the stories with lulls in other news and cycles of public mood.
  • by diagnosis ( 38691 ) on Tuesday July 13, 2004 @10:49AM (#9686814) Homepage
    Obviously anyone who hasn't made all their Windows 'friends' switch to FireFox needs to do so now. Just point them to the download site and send them this article, which nicely explains the benefits of FireFox, and why you have nothing to lose by trying it:
    http://slate.msn.com/id/2103152
  • IE Developers (Score:5, Interesting)

    by thenextpresident ( 559469 ) on Tuesday July 13, 2004 @10:50AM (#9686815) Homepage Journal
    You know, for some reason, I feel bad for the IE Developers, who are probably a bunch of well meaning people that are hampered by upper-management decisions.

    This is not something you want to wake up to as a developer, whether it's proprietary or open source. It's just that they can't make decisions based on solving the problem alone, they have so much red tape to go through to make changes, that even though they might want to solve this problem, someone on the top is making it difficult.
  • by ccoder ( 468480 ) * <ccoder@NOspAM.shiznor.net> on Tuesday July 13, 2004 @10:51AM (#9686848)
    Dear Staff,

    IE has a vew unsolved vulnerabilities to say the least. Download the latest version of Firefox or Mozilla from http://www.mozilla.org/.

    Thanks,
    Bill G
  • by tekiegreg ( 674773 ) * <tekieg1-slashdot@yahoo.com> on Tuesday July 13, 2004 @10:52AM (#9686872) Homepage Journal
    Yes I know Mozilla/Firefox is better and I use regularly. However I have to develop applications in ASP.net, basically Internet explorer as mandated as mandated for this application. Granted windows runs the majority of desktops here). Why cant Microsoft just build code that is at least semi-secure puhleeeeaaaaassseee....maybe it's time to pitch for a full out work switch to Mozilla/Open Source. Especially when it's a new vulnerability (or multiple vulnerabilities) once a week. *sigh*

    Ok I'm through crying now Microsoft hear my pleas....
  • No Surprise (Score:4, Interesting)

    by SadPenguin ( 776485 ) on Tuesday July 13, 2004 @10:53AM (#9686876) Homepage
    This is absolutely no surprise, and seems at this point almost un-newsworthy. There are so many holes in the virtual screen door that we call IE, its becoming moot to mention them. Why not solve the problem at its base, and switch to Mozilla. I am director of IT at the company that I work for, and we all use Mozilla now, and I feel a lot better about this. I am waiting for 2 things though:

    1.IE to not be a part of the actual operating system (not going to happen, they've already committed)
    and
    2.Web Developers to write code that is compatible with all browsers (i.e.: not written just for IE, such that if another browser is noticed, service rendered unusable).

    when this happens, i will be pleased.... until then, i guess we're going to be fighting off more exploits than one can shake a stick at.
    • Re:No Surprise (Score:5, Interesting)

      by man_ls ( 248470 ) on Tuesday July 13, 2004 @10:56AM (#9686934)
      If the Mozilla Foundation came up with an open-source replacement for shdoclc.dll (the Internet Explorer Rendering Engine) you could replace the IE application backend with the Firefox application backend.

      If you ask me, that's something people should be working towards.
  • by Infonaut ( 96956 ) <infonaut@gmail.com> on Tuesday July 13, 2004 @10:54AM (#9686905) Homepage Journal
    Sure, Linux, OS X, et. al. aren't completely secure. But I often wonder why Linux vendors and Apple don't directly attack the numerous security shortfalls of Microsoft products. I understand the inherent danger in such an approach (launch an ad campaign, crackers launch their own initiative to exploit your OS), but security is Microsoft's Achilles Heel.

    Yes, Microsoft gets attacked because they're the biggest target. No, I don't buy the argument that all OSes are inherently just as secure or insecure as other OSes. Just compare Windows 98 to Windows XP, or OpenBSD to Windows ME. All OSes are not the same, and marketshare is not the only factor.

  • by Cro Magnon ( 467622 ) on Tuesday July 13, 2004 @10:56AM (#9686936) Homepage Journal
    Or does the very name of IE sound like a scream?
  • by chia_monkey ( 593501 ) on Tuesday July 13, 2004 @10:56AM (#9686939) Journal
    We've been hearing about these vulnerabilities for a while. I for one have switched to using Firefox and Safari for my main browsers as soon as Safari was launched. I use IE only when I come across sites (why can't developers follow the standards that have been set by W3C?) that were coded specifically for IE and don't render properly in the other browsers. Many people in my circle, and in the Slashdot circle have been doing the same thing. But what about the masses? What about the average Joe, the average corporate user? I don't think these people understand the severity of the situation here or that they even care. Hence, we still have roughly 90% of the users out there just moving along with these secure-as-swiss-cheese browsers and not moving to more secure solutions. What major industry, company, government agency, etc has to go down in a giant ball of fire to get people to do something about this and not continue to use a sub-standard product?

    Just imagine if cars were sold with this many problems. Or home security systems...
  • by Prince Vegeta SSJ4 ( 718736 ) on Tuesday July 13, 2004 @11:03AM (#9687044)
    In other news, wormherders around the world once again had something to rejoice about. Chief Wormherder Paul Maud'dib had this to say:
    • "We were dealt a serious blow with some of the latest security patches, however, we found out that after a while the product still works,
    • Just set a box of Windows XP out in the field, and the worms keep rolling in. They stopped for a moment and we were afraid we would have to go back to the old method of using shovels and a bucket. But, like magic, they kept coming and coming.

      All hail the Quizatz Hadderach!

  • Got Sploit? (Score:5, Funny)

    by HangingChad ( 677530 ) on Tuesday July 13, 2004 @11:04AM (#9687087) Homepage
    MSFT's only had what? Seven or eight years to work out the security issues in IE. Instead of getting better it seems to be getting worse.

    Remember when 2000 was supposed to be the most secure ever? Then XP? Now it's Longhorn. I didn't believe them then and I don't believe them now.

    I feel sorry for the poor Windows poopies. Paying big bucks to get porked like a cheap prom date. And not so much a kiss from Billy boy.

  • by bob670 ( 645306 ) on Tuesday July 13, 2004 @11:05AM (#9687089)
    to consider any that isn't an MS product. He is a staunch Redmond supporter, won't even concede the imporatance of Unix/Linux/Mac ever, as if they never existed. I have been hitting him with links from these stories for almost a year straight, he just called, wants to me to start having our desktop guys install FireFox on his desktops next week. Chalk up one more for the good guys...
  • by lukateake ( 619282 ) on Tuesday July 13, 2004 @11:16AM (#9687260)
    It's Tuesday.
  • IE bugs and phishing (Score:4, Informative)

    by phatwuss ( 619909 ) on Tuesday July 13, 2004 @11:19AM (#9687302) Homepage

    The fourth vulnerability (createPopup) has already been exploited in phishing scams for some time now [jenseng.com]. Initial [securepoint.com] reports [webhostingtalk.com] of the exploit only started coming in a couple months ago, even the vulnerability has existed since IE 5.5.

    Scammers use it to mask the address bar and/or other browser widgets (such as the secure icon). This exploit is particularly dangerous because it can be used to mask/disguise any part of the user's screen, including other windows or even the start menu.

    I submitted it to slashdot over a month ago, but it was never greenlighted. I guess these IE vulnerabilities are so commonplace it takes several at once to make the main page...

  • by 89cents ( 589228 ) on Tuesday July 13, 2004 @11:26AM (#9687398)
    Can someone explain to me how an IE vulnerability can lead to a Sasser like virus? I thought Sasser was a worm that spread automatically through open ports of unpatched Windows machines, whereas IE vulnerabilities seem to have to be user initiated.
  • Well Now (Score:5, Funny)

    by quantaman ( 517394 ) on Tuesday July 13, 2004 @11:28AM (#9687424)
    It seems like somebody was jelous of a certain other browsers bug [slashdot.org] now weren't they?
  • by btsdev ( 695138 ) on Tuesday July 13, 2004 @11:29AM (#9687441)
    Microsoft Delays Windows XP Service Pack 2
    Posted by simoniker on Monday July 12, @05:02PM

    MSN, Word Vulnerable To Shell: URI Exploit
    Posted by timothy on Monday July 12, @07:42PM

    4 New "Extremely Critical" IE Vulnerabilities
    Posted by CmdrTaco on Tuesday July 13, @11:45AM

    Microsoft Expects 1 Billion Windows Users by 2010
    Posted by CmdrTaco on Tuesday July 13, @08:14AM

    Is MS trying to be funny or something? Honestly, I really think you have to try to mess-up this badly this many times in such a short period of time... I can't believe a mainstream revolution leaving MS products isn't occuring...

    When are the masses going to learn?
  • by Anonymous Coward on Tuesday July 13, 2004 @11:30AM (#9687466)
    I'm a fan of Microsoft. I like most of their products. I make a living off their development tools and platforms. I'm incredibly happy with Windows 2003 Server. I typically defend Microsoft whenever I get the chance.

    But not when it comes to IE. It is fairly clear to me, and anybody else whose mind is not clouded with zealotry, that IE is the single best attack vector into the average personal computer. Nearly all PC users use IE for a significant portion of the day, and nearly all of those users have no idea that visiting a web site could be dangerous.

    I stopped using IE about 6 months ago when a web page managed to install spyware on my machine. I was fully patched, but it happened anyway. If it weren't for McAfee Antivirus, I never would have known. I've been using FireFox ever since.

    Up until FireFox .8 (or so), IE was the better browser if you ignored security issues. But you can't ignore security issues. And now that FireFox is just as good (and better in many ways) than IE, I can't see any rational reason to continue to use IE.

    So, there you have it. A diehard Microsoft fan dumping IE like a bad habit.
  • The real problem? (Score:5, Insightful)

    by bonaman_24 ( 790196 ) on Tuesday July 13, 2004 @11:34AM (#9687505)
    The masses won't change becuase these articles are only read by us techies. Even when it is on CNN.com, it is buried in the technology section; where only techies go anyway. Put it on the front page headlines of CNN or USAToday already...
  • by moojin ( 124799 ) on Tuesday July 13, 2004 @11:36AM (#9687543)
    Here is an email that I sent to my family members, I suggest that you do something similar.

    This will be the last email that you will receive from me about security holes in Internet Explorer. Microsoft is not able to release patches quickly enough to secure Internet Explorer. The U.S. Department of Homeland Security now recommends that if users are unable to patch the security holes in Internet Explorer that they use another browser. Please switch to the latest version of Mozilla web browser. You can find this web browser at http://www.mozilla.org/ .

    http://secunia.com/advisories/12048/

    Andrew
  • Perfect Exploit (Score:5, Interesting)

    by TheTomcat ( 53158 ) on Tuesday July 13, 2004 @11:40AM (#9687605) Homepage
    I'd like to get my hands on an exploit that installs Firefox, with the IE theme, and then replaces all desktop and startmenu shortcuts with a pointer to Firefox. Also changes the default browser.

    Anyone know of one? The terms are too generic for a quick google.

    S
  • "Trusted Sites"... (Score:5, Interesting)

    by Roguelazer ( 606927 ) <Roguelazer AT gmail DOT com> on Tuesday July 13, 2004 @11:42AM (#9687633) Homepage Journal
    Like Windows users everywhere who use IE only for Windows Update, I went through the ritual of adding v5.windowsupdate.microsoft.com to my Trusted Sites list and disabling Active Scripting in my Internet Sites list today. This is a fresh[-ish] install of Windows XP SP2 RC2. I've never used trusted sites before on it. However, I noticed that there was already one entry in the list: https://free.aol.com Why was this? I don't use AOL- I don't even have it installed. I'm starting to sense some corporate brainwashing (and, a site that if cracked would give anybody full access to every copy of IE in SP2...). Has anybody else seen this?
  • by GMFTatsujin ( 239569 ) on Tuesday July 13, 2004 @12:05PM (#9687939) Homepage
    There's already a lot of discussion going on about "use Mozilla/Firefox/Safari/Lynx/whatever", so I won't rehash that here. If you can pull it off in your environment, great.

    There are a lot of environments, however, where switching from IE just isn't an immediate option. In the future, perhaps, but worm writers and virus scripters won't wait. So here's my advice, my hope, and my PLEA to all you I.T. guys out there.

    No matter how much you hate IE, please, for the love of God, get your users to UPDATE THEIR SYSTEMS WITH THE PATCHES. Even if they don't use IE.

    We can all save ourselves and each other a hell of a lot of hassle by taking Microsoft's efforts to patch their product as what it is: an effort (however feebly-, politically-, or economically minded) to secure their product. The viruses and worms generally aren't harmful to the user--it's all the network traffic that infected machines produce that is the major headache. Spam, pingfloods, DDoS, it all targets other services and the infrastructure on which we all depend. Be neighborly on the Internet, and make sure you've got your systems are secure as they can be, even if they're not the systems you'd prefer to run.

    Switch browsers, yes. If it makes sense for you and you can do it, go for it. But don't let everyone on your site get infected in the meantime. Remember that the the majority of viruses and attack exploits out there in the past months have been proactively counteracted by Microsoft patches.

    Infections are caused by morons who don't patch. DON'T LET YOUR USERS BE MORONS (to the extent that this is possible).

    Thanks,
    The Internet
  • by mcc ( 14761 ) <amcclure@purdue.edu> on Tuesday July 13, 2004 @12:29PM (#9688234) Homepage
    For awhile that security bugs in non-MS browser just don't happen with the same frequency or degree. Bugs in non-MS browsers *occured*, but they tended to be much more subtle bugs with lesser payloads, as opposed to MS which tends to wind up with seemingly really obvious security holes with serious consequences on a regular basis. For every "untrusted site may gain read access to cookies belonging to another site by a contrived series of steps" in Mozilla there was an "execute arbitrary remote code by clicking a link" in MSIE, it seemed.

    Then last week the shell: bug in Mozilla was reported, and I was humbled. Perhaps, I thought, perhaps Mozilla wasn't really all *that* much better than MSIE, and I was being silly by my stance that MSIE was an unsafe product and Moz was a safe product. Maybe, I thought, trusting any software vendor is just as silly as trusting Microsoft.

    Then I see this news today and I don't feel so humble anymore.

    One thing I found odd, though. I haven't done a close study or anything, but when the mozilla vulnerability was found last week, it was very widely reported. I saw it at least twice on news.google.com and I believe on cnn.com. But with these new IE vulnerabilities? Well, maybe it's just too soon, but cnn.com has nothing on this-- it does have a story "renewed calls for alternate browsers" which mentions in the second paragraph two IE bugs that MS fixed already-- and news.google.com has nothing. And n.g.c's top tech story?

    Microsoft CEO Touts Security Push at Conference
    Reuters - 55 minutes ago
    SEATTLE (Reuters) - Microsoft Corp. MSFT.O is taking a big step toward boosting the security of its flagship Windows product in August with the release of a major software update, Chief Executive Steve Ballmer said on Tuesday.
  • by CodeBuster ( 516420 ) on Tuesday July 13, 2004 @01:28PM (#9688969)
    A great many problems can be avoided simply by setting ActiveX controls to prompt for download, allow only ActiveX controls digitally signed by a trusted source to run (you can check the signature before you accept), and turn off active scripting. Yes, IE has problems, but in all fairness it probably has the dubious distinction of being the most analyzed, probed, and maliciously scrutinized software on the planet. Mod me down if you wish, but someone has to play devil's advocate.

"jackpot: you may have an unneccessary change record" -- message from "diff"

Working...