Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Internet Explorer The Internet IT

Extremely Critical IE6/SP2 Exploit Found 595

Spad writes "Secunia is reporting on three vulnerabilities in IE6 running on XP SP2. Any of these, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user's system. Moreover, the vulnerability can be used to delete files from the user's system. Secunia says 'Solution: Use another product.'"
This discussion has been archived. No new comments can be posted.

Extremely Critical IE6/SP2 Exploit Found

Comments Filter:
  • Test site (Score:5, Funny)

    by Dancin_Santa ( 265275 ) <DancinSanta@gmail.com> on Sunday January 09, 2005 @05:20AM (#11302895) Journal
    They've also posted a test site [secunia.com].

    No, you click it first.
    • by Sirch ( 82595 )
      Hooray for Windows 98!

      Never thought I'd be saying that... *sigh*
    • by MarkRose ( 820682 ) on Sunday January 09, 2005 @05:33AM (#11302946) Homepage
      I click it but nothing happens. When are site designers going to learn there are other browsers besides IE? Don't they know that Firefox's market sharing is growing? Clueless idiots!
      • by Alsee ( 515537 )
        If Firefox is going to have any chance at competing then the developers are going to have to get on the ball and implement fully compatible functionality. It is absolutely unacceptable that the Secuna test site does not function as intended.

        I know we all want to blame Microsoft for breaking compatibility, but face it, IE is the de facto standard. It is up to us to ensure that if it works in IE then it will work in Firefox just as well, if not better.

        -
        • by Ohreally_factor ( 593551 ) on Sunday January 09, 2005 @09:18AM (#11303646) Journal
          I just e-mailed Steve Jobs basically the same thing about the Safari Browser. If Apple ever hopes to make it into the enterprise, they're going to have to include at least equivalent functionality for developers to, er, exploit.
        • by Citizen of Earth ( 569446 ) on Sunday January 09, 2005 @12:50PM (#11304502)
          I know we all want to blame Microsoft for breaking compatibility, but face it, IE is the de facto standard.

          I think that the Firefox developers should give credit where its due. They should organize another pledge campaign to raise $10,000.00 to give to Microsoft as a token of good will for all of the advertising that Microsoft has done for Firefox. Although the actual advertising contribution of Microsoft is at least a thousand times greater, this would help coax Microsoft toward continuing their generous support and [this is the serious part] the press would eat it up, contributing another $5M worth of free advertising.
    • by kiddailey ( 165202 ) on Sunday January 09, 2005 @05:43AM (#11302989) Homepage

      What's scary is that page doesn't even detail what the test will do on your machine! Clicking the link is risky enough even if you did know what it was going to do (ie. how do you know their server hasn't been compromised and the test altered).

      All it says is "The test requires that you have Windows installed in 'c:/windows/'." Uh... Why? is it actually doing something in there? Does it just need to access cmd.exe?

      Click at your own risk, indeed. I suggest running it on a machine that you plan to reformat or under an emulator like VPC.
    • Re:Test site (Score:5, Informative)

      by CerebusUS ( 21051 ) on Sunday January 09, 2005 @08:03AM (#11303422)
      This is NOT a new vulnerability. This is an upgraded severity on a vulnerability that was reported almost 3 months ago:

      From the article:
      Secunia Advisory: SA12889 Print Advisory
      Release Date: 2004-10-20
      Last Update: 2005-01-07 ...

      Changelog:
      2004-10-21: Updated advisory.
      2004-10-28: Added another workaround in "Solution" section and linked to Microsoft Knowledge Base article.
      2004-11-02: Updated with additional information in "Description" and "Solution" section.
      2004-11-29: Updated "Description" section with additional information from Paul.
      2004-12-23: Added link to US-CERT vulnerability note.
      2004-12-25: Updated "Description" section with additional information from Paul and Michael Evanchik.
      2005-01-07: Increased rating. Added link to test. Updated "Description" and "Solution" sections.

      So they upped the severity rating and added another workaround. This isn't really news. You've been vulnerable to this for almost 3 months now.
      • Re:Test site (Score:3, Interesting)


        What you mean is that we have been vulnerable to this since IE6 was available waaayyyyy back, but it wasn't known until 3 months ago, and that they just realised how easily exploitable it is 2 days ago.
      • by TrekkieGod ( 627867 ) on Sunday January 09, 2005 @10:40AM (#11303952) Homepage Journal
        this has been known for 3 months and there are still no patches available from microsoft? According to windows update, I'm fully patched, according to their test page, IE is still vulnerable. I think that's even worse than it being a new vulnerability.

        Lucky me that I use firefox, and just got IE out to try out that test. And don't give me stuff about "turn off activeX" or some bs like that. The point is, how many non-tech savvie people think they're safe because they've done what we told them to do and kept their computers patched?

        • by CerebusUS ( 21051 ) on Sunday January 09, 2005 @02:44PM (#11305157)
          No, What I'm telling you is that this article was written and posted to provide fodder for a flame war.

          You are still vulnerable because Microsoft has determined that this vulnerability is:

          a) unpatchable without ruining the functionality of the product

          and / or

          b) not a large enough threat to worry about.

          Now I'm _not_ going argue whether either of these points is correct or not. But to present these as "New exploits" is typical Slashdot anti-journalism. they did the same thing when they announced the "New" vulnerabilities for Firefox [slashdot.org] a few days ago. Those were not new either, but neither the submitters or editors bothered to read the articles that were submitted.
  • by FullCircle ( 643323 ) on Sunday January 09, 2005 @05:20AM (#11302896)
    delete IE?

    or maybe install Firefox?
  • Not working (Score:2, Interesting)

    by Anonymous Coward
    Hmm... I tried the Secunia site and IE just blocks the activex control, saying it's unsafe.

    The jmcardle site gets past IE, but Norton detects it and immediately blocks access. Nothing happens.
    • by weicco ( 645927 )
      Internet Explorer Script Error

      An error has occured in the script on this page.

      Line: 2
      Char: 324
      Error: Unterminated string constant
      blaablaablaa
      Do you want to continue running scripts on this page?

      Hell no!
  • Heh (Score:3, Funny)

    by tektek ( 829733 ) on Sunday January 09, 2005 @05:22AM (#11302901) Homepage
    Even a fully patched sp2 is in danger. Good news for Firefox fanboys?
    • Re:Heh (Score:5, Informative)

      by molnarcs ( 675885 ) <csabamolnarNO@SPAMgmail.com> on Sunday January 09, 2005 @08:13AM (#11303458) Homepage Journal
      Bad news for everyone - except for some open source advocacy. Gives a nice opportunity to show how MS talks bullshit - when they talk about security. Did anyone notice the date when Microsoft was notified?

      Provided and/or discovered by:
      1) Discovered independently by:
      * http-equiv
      * Andreas Sandblad of Secunia Research (reported to Microsoft on 2004-10-13).

      That's right, Microsoft "we take security very seriously" Corporation has known about this vulnerability for almost two months, yet they leaved it unpatched? Why?

  • Delete files? (Score:3, Insightful)

    by lachlan76 ( 770870 ) on Sunday January 09, 2005 @05:22AM (#11302903)
    One would assume that any vulerability that could run arbitary code would be able to delete files.
    • by Spy Hunter ( 317220 ) on Sunday January 09, 2005 @05:49AM (#11303019) Journal
      Exactly. Even on vulnerabilities that can execute arbitrary code, they always list a bunch of other silly little things they can do, like cross-site scripting or my personal favorite "view the content of arbitrary files in known locations".

      If they reported the evening news the same way it would sound like this: "Today terrorists announced they have armed an atomic bomb in the middle of Los Angeles. They also announced that they have control of several hand grenades and also some water balloons and cap guns, and they're not afraid to use them!"

    • Re:Delete files? (Score:3, Informative)

      by wfberg ( 24378 )
      One would assume that any vulerability that could run arbitary code would be able to delete files.

      Not necessarily. If the arbitrary code is run in a restricted security context (e.g. Guest User, sandbox, restricted zone/role/capability) it shouldn't be able to delete files it has no acces to. The exploit would need to run a second exploit for privilege elevation.

      Thankfully, in Internet Explorer's ActiveX security model none of all that is necessary, greatly speeding up the development of worms.
  • by caluml ( 551744 ) <slashdotNO@SPAMspamgoeshere.calum.org> on Sunday January 09, 2005 @05:22AM (#11302904) Homepage
    We need a worm/virus that deletes everyones files. That would make keeping your computers patched a high priority for most of the users. At the moment, viruses are just something that affects and annoys "other people"
  • by Green Salad ( 705185 ) on Sunday January 09, 2005 @05:25AM (#11302912) Homepage
    It was mandatory for us to switch to Mozilla. Problem is all our financial vendors make use of Active-X.

    Result: Now we use Mozilla for casual browsing and use insecure products only when conducting important business!
    • I don't deal with the financial sector professionally, but all my private homebanking with 4 banks in three different European countries and a broker work just fine without IE (I use Safari = KHTML). No ActiveX there - I believe it's state of the art not to use IE specific stuff. (But I guess I wouldn't choose a bank in the first place that requires stuff like IE or even Windows...)
    • Heh. (Score:2, Insightful)

      by BJH ( 11355 )
      Yeah, similar thing here - I use either Mozilla or Firefox at work and at home for pretty much everything, but the company timesheet site and internal website (including things like the phonelist) refuse to work under anything other than IE.

      Good work guys, it wouldn't have taken any more than a couple of days to figure out how to get your frigging menubar to work in a way that didn't require the security equivalent of a gigantic Swiss Cheese.
    • by SharpFang ( 651121 ) on Sunday January 09, 2005 @06:51AM (#11303212) Homepage Journal
      Switch to providers who don't lock you in with crappy service. And tell them clearly "Supporting only insecure Microsoft products you don't meet our security standards. Good Bye!"

      I'm not a big company, I'm just a private user. I very recently switched banks I use for personal finances. I left a "common" bank with its units in in several thousands of locations, and introducing new fees and increasing old ones now and then to maintain them all, and with quite crappy and really expensive Internet service, that was supposed to work in Mozilla/Firefox but it more often didn't than did, and I signed up for an Internet bank. Reduced costs of maintenance resulting in zero fees on all operations and account maintenance, no other fees, (except of withdrawal from ATM, very cheap too), and as they are an Internet bank, finally a REALLY professional Internet service. Working flawlessly in any browser, probably including Lynx :)

      I don't know how it works for big companies but I strongly encourage you to leave your old-fashioned banks and move to "Internet banking". Reducing number of channels where money flows lets them focus on keeping the channels they maintain highest quality.
  • Whoa (Score:5, Informative)

    by FractusMan ( 711004 ) on Sunday January 09, 2005 @05:27AM (#11302924)
    I use Mozilla. I tried that test link, nothing at all happens. I have SP2 installed and all configured proper - except IE, which I didn't bother to touch at all since installation. I figured, hey, I've got an 'untouched' copy of IE here. I open it, I go to the test site, I click that link: WHOA. Holy crap. Help document pops up, and then (the scary part) a command prompt flicks open, does SOMETHING, and then a new window is up. Yikes. I guess some part of me always hoped these exploits were exaggerated in their swiftness and ability to bypass your input.
  • by i 3 joo! ( 846337 ) on Sunday January 09, 2005 @05:31AM (#11302936)
    it's an IE feature.
  • by The Bringer ( 653232 ) on Sunday January 09, 2005 @05:34AM (#11302951)
    I have made my own little extreme sport out of it. I fill my old box with all of my financial information, and surf around using IE. I think Microsoft is pretty impressed, because they keep sending me boxes of Viagra and dog crap.
  • http://secunia.com/internet_explorer_command_execu tion_vulnerability_test/ [secunia.com]
    is a test page containing a link if you left click on it and a window opens your vulnerable (it didn't do anything in Firefox)
  • by Anonymous Coward
    #!/microsoft/bash

    After today's pro-Microsoft articles, its about time we got back to bashing!
  • Yeah, well, I guess corporate IT depts are probably struggling with mgmt to implement company-wide changeovers, especially for all those companies that are Microstooges and have big service and standardization contracts, yadda yadda yadda. But for all you individuals out there who aren't experiencing the Browsing Bliss that is Firefox, preferring IE to downloading a small file and doing a simple install, well, I don't pity you any more than anyone who walks into a dynamite factory and says, "Man, it's dark
  • Pff, (Score:2, Funny)

    by Anonymous Coward
    You know what? I'll just stop using the internet. I'll just .................
  • by jazman ( 9111 ) on Sunday January 09, 2005 @05:44AM (#11302991)
    although it requires a bit of messing around. IE - Tools - Options - Security.

    select Internet Zone; click Custom Level; set just about everything to Disable or Prompt.

    select Trusted Sites; click Sites; remove https requirement (because the use of https is no guarantee of safety). Then go to Custom Level, then set some items to Prompt, most to Enable.

    This way, anything that isn't in your Trusted Sites list can't get up to any substantial shenanigans. When a page doesn't work, add the site to the Trusted Sites list.

    Then, even if the page is one that attempts to initiate a cascade of pr0n sites that only open more up each time you close one, it may be able to open the first level of the cascade, but unless the cascaded ones are also on your Trusted list that's where the cascade will stop.

    Some pages redirect you to another site; some have frames on different sites and so on, and this can get a bit tedious, but for the most part this makes IE6 invulnerable to Secunia's tests.

    Also I only use IE for secondary browsing, where something REALLY won't work in Firefox, which is also protected by Proxomitron.
    • As you can read in my comment below about McAfee Virusscan 9.0, disabling activex in internet explorer breaks every settings and information panel of that virus scanner.
      Great. A virus scanner that contains IE.
      (I deinstalled McAfee an hour ago).
  • by kasihan ( 13234 ) * on Sunday January 09, 2005 @05:47AM (#11303007) Homepage
    I use Sophos Anti-virus - and it alerts on the cached copy of the test page as containing a virus/exploit EXP/Phel-A:

    http://www.sophos.com/virusinfo/analyses/expphela. html/ [sophos.com]


    EXP/Phel-A detects files that exploit the HTML Help Control Vulnerability which affects systems installed with Microsoft Windows XP Service Pack 2.

    This vulnerability allows arbitrary code execution on the vulnerable system by bypassing security constraints established by the operating system.
  • BFD (Score:3, Insightful)

    by Anonymous Coward on Sunday January 09, 2005 @05:56AM (#11303039)
    I don't see what the big deal is. Provided that all of your users are rocket-scientists that never, ever do anything stupid that allows any hostile code access to their machines, then all your company's intranet sites should be safe and aren't going to include this IE exploit. IE will remain safe to use.

    As for the internet, let's be serious. Anyone who, since 1995 (when ActiveX was introduced), has used MSIE on the internet, is just plan stupid, and has never had a reasonable expectation of either security or privacy. This has literally been known for nearly a decade now. "Fool me once, shame on you. Fool me 621498 times, shame on me."

  • by Sycraft-fu ( 314770 ) on Sunday January 09, 2005 @06:11AM (#11303098)
    I'm a Windows guy, and generally I think MS does good work (please no retarded flames on this I won't respond). However IE is just not worth using as a web browser these days. I have switched to Firefox, switched all lab systems I control, and recommend to everyone that they switch. It is just as fast, in my experience, has support for more of the W3 standards, and is more customizable. The only area it falls behind in it rendering broken code, and that's rare enough it's not a big deal.

    The security issues are another consideration as well. Active X controls in a webpage were a nice idea, as a way to add neat funtionality, however it simply opens up the possibility of too many exploits. It's not a matter of doing better checking of code or such, it's just too much power for a website to have.

    So, even liking MS generally, I have to recommend against IE. Firefox is currently better in all the ways that really matter.

    Also, I've noticed some people mention online banking as a problem. Bank of America works fully with Firefox and has generally been a deceant bank. Though I imagine if Firefox grows much more banks will have little choice but to support it.
  • by Nuskrad ( 740518 ) on Sunday January 09, 2005 @06:19AM (#11303124)
    I'm running XPSP1 with all critical updates installed. To get the exploit to run with IE on my computer I have to manually change the security level to low, allow an unsigned ActiveX control to run when it warns me I shouldn't, and confirm the overwriting of files. What the hell did Microsoft do in SP2 to make it vunerable?
  • Help me!! (Score:5, Funny)

    by Piranhaa ( 672441 ) on Sunday January 09, 2005 @06:27AM (#11303148)
    Hey can someone please tell me how I can find out where my windows is installed? It says here http://secunia.com/internet_explorer_command_execu tion_vulnerability_test [secunia.com] that windows needs to be installed in c:\windows\ for their test exploit to work 'properly'

    Computer specs: iBook g3 800mhz...

    I hope that helps a little
  • SP2 - any effect? (Score:3, Insightful)

    by rseuhs ( 322520 ) on Sunday January 09, 2005 @06:34AM (#11303161)
    It looks like SP2 was just the usual patch-collection and the crackers just needed a little bit time to adapt to it.
  • by gatkinso ( 15975 ) on Sunday January 09, 2005 @07:33AM (#11303319)
    ...this unpatched XP laptop is not vulernable to the exploit.

    Guess it isn't as extremely critical as they say.
  • by PommeFritz ( 70221 ) on Sunday January 09, 2005 @07:49AM (#11303359) Homepage
    I have McAfee virusscan 9.0 installed.
    Clicking the test link with IE proved that my system is vulnerable (if using IE, which I'm not, ofcourse). I had expected McAfee to block this web page, but it didn't. So I went to the internet security options panel in IE, and disabled all ActiveX controls.
    But lo and behold, McAfee virusscan stopped working!
    All their dialogs and panels seem te be using IE's HTML engine for display, and all I get now is first an error "your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly" and then an empty window when trying to access any of McAfee's information or settings dialogs!!
    What a load of crap. I will send them a complaint, and remove their product from my computer right now, to replace it with a good, free virusscanner. Any recommendations? Thanks.
  • by un1xl0ser ( 575642 ) on Sunday January 09, 2005 @08:11AM (#11303450)
    In case anyone missed this, it was reported to Microsoft on 2004-10-13.

    Three months later, no sign of a patch.
  • by camcorder ( 759720 ) on Sunday January 09, 2005 @08:20AM (#11303481)
    ...(reported to Microsoft on 2004-10-13).
    That's almost whole 3 months. And since then no vendor patch for such a critical bug found in a major product. Not even a warning or anything. That must be the service that any microsoft software user would expect. Wondering if this is a promotion campaign for their new virus and spyware tools.

    This bug and some recent others again proved that Microsoft embedded Internet Explorer in such a way that you can't distinguish it from Windows Explorer.

To be is to program.

Working...