Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Internet Explorer The Internet Security

IE Flaw Exposes Users To Spoof-Based Attacks 169

Posted by Zonk from the fool-me-once dept.
Sotos wrote to mention a C|Net article discussing a new spoof-based attack on Internet Explorer. From the article: " The problem lies in the way Microsoft has implemented a JavaScript component in its Web browser, security researcher Amit Klein wrote in a research document. Internet Explorer does not validate some data fields provided by a PC when the component, called XmlHttpRequest, is used, he wrote. The vulnerability could be exploited with specially crafted code. An attacker could spoof a legitimate Web site, access data from the Web browser's cache or stage a so-called man-in-the-middle attack, which taps into traffic between a user and another Web site, according to Klein's write-up. " Secunia has an alert up on the spoof.
This discussion has been archived. No new comments can be posted.

IE Flaw Exposes Users To Spoof-Based Attacks More

IE Flaw Exposes Users To Spoof-Based Attacks

Comments Filter:

  • XMLHttpRequest? What's That? (Score:5, Funny)

    by turkeywrap ( 560320 ) on Friday September 30, 2005 @02:23PM (#13687740)
    XMLHttpRequest? Never heard of it.

    • Re:XMLHttpRequest? What's That? (Score:5, Informative)

      by pe1chl ( 90186 ) on Friday September 30, 2005 @02:26PM (#13687774)
      It is the thingy that powers AJAX
      • I was being just a tad sarcastic.

      • AJAX = abrasive cleaner. Good name for this technology, alright!

        Eric
        Making Google richer [makeeasymo...google.com] (summary of U. Vazirani's talk at UW)
      • I thought that chlorine and an abrasive powder (pumice?) powered Ajax.

      • Re:XMLHttpRequest? What's That? (Score:5, Funny)

        by GweeDo ( 127172 ) on Friday September 30, 2005 @02:57PM (#13688067) Homepage
        Active Ingredient: Triclosan
        Other Ingredients: Water, Magnesium and/or Sodium Dodecylbenzenesulfaonate, ammoniym laureth sulfate, Sodium xylenessulfonate, SD alcohol 3-A, Laurel polyglucose, Laurylamidoproptlamine oxide, Magnesium sulfate, Sodium bisulfate, fragrance, Prntasodium pentetate, DNDN Hydantoine, D&C Orange No 4.

        See, see, Triclosan [wikipedia.org] is what powers AJAX [epinions.com]!
      • You must be new here.

      • Tin Foil Hat Time!! (Score:3, Interesting)

        by JavaRob ( 28971 )
        1) Yes, XMLHTTPRequest is that thingy that powers AJAX.

        2) AJAX is that thing that's making it possible to write responsive, platform-independant, server-based apps.

        3) Responsive, platform-independant, server-based apps are those things that are threatening Microsoft's deathgrip on the desktop.

        4) [Apply tinfoil hat if needed] So... perhaps Microsoft inserts a dangerous bug in their XMLHTTPRequest implementation, so that

        5) Microsoft must deploy a security fix that CRIPPLES or limits AJAX...? And

        6) Profit!!

        H
        • Microsoft uses "AJAX" (what a ridiculous term) in their own sites. They invented XMLHttpRequest.

          Although they would love to see cross-platform disappear, and they're attempting that with Avalon and the "Web 2.0" technologies.
          • Just curious, why do you imply that Microsoft is trying to make cross-platform disappear w/Avalon and the so called .Net Framework 2.0?

            I mean, ASP.Net/VB.Net/C#.Net already isn't cross-platform (unless you count Mono, which I don't). Does Avalon prevent you from running WAMP (Windows/Apache/MySql/PHP) instead of IIS/ASP.Net?

            Anyhow, its obvious the reason this buy was found was because XMLHttpRequest is getting more usage due to AJAX being the latest web-devel buzzword. This hole would have stayed in t
            • Because anything cross-platform threatens reliance on the Windows platform. Microsoft is trying to position Avalon and XAML as mediums for delivering applications through the web, tying into Windows APIs but going through the browser. If they succeed this, they control the web as a platform too.
          • Microsoft uses "AJAX" (what a ridiculous term) in their own sites. They invented XMLHttpRequest.

            Right, and you might say their "mistake" in making the component is that its functionality is too generic, too easy duplicated in other browsers and platforms. So updates to their XMLHttpRequest should add features that are as much as possible Windows-only and/or IE-only (perhaps "helpful" direct ties to Internet Explorer GUI elements).

            As long as they can keep Mozilla, etc., playing catch-up (and copying the MS
    • XmlHttpRequest is a for client-side script to submit an http request and receive the results as XML or text. It's pretty cool because you can make a web page behave like a little client-server app, eliminating the need for page refreshes and session state maintenance. The name AJAX was made up recently, but the technique has been around for years, ever since IE4. Microsoft implemented it as an ActiveX object, but Mozilla now supports it natively.

  • Crank Up The Flamethrowers (Score:5, Insightful)

    by geomon ( 78680 ) on Friday September 30, 2005 @02:23PM (#13687746) Homepage Journal
    Okay, now we spend time generating another 500+ comments discussing how shitty IE's security is and how Firefox isn't much better. Add the other browser users (Opera, Konqueror) and we get another 300+ comments. Throw in the fact that each cross-platform browser runs better in Linux/OSX/BSD, or is emulated better (hence, more secure) through Wine and we generate another 250+ comments.

    Every security announcement is met with the same level of bickering without any resolution in sight. Goggle "Internet Explorer Firefox security comparison" [google.com] and you get another 1.7 million opinions.

    Will it ever end?

    • Will it ever end?

      If it does, so too will Slashdot.

    • Re:Crank Up The Flamethrowers (Score:5, Funny)

      by eggoeater ( 704775 ) on Friday September 30, 2005 @02:27PM (#13687800) Journal
      Than add another 100+ comments on your comments on how many comments we have and we'll have even more comments.....

      ...and then theres the comments on the comments on the comments....

      ...no...it will never end....especially after the dup story is posted tomorrow.
      • We'd save a lot of comments if we avoided making comments on how many comments we'll have, avoided making comments about comments about the number of comments, and mostly importantly, avoided comments saying how much less comments there would be if the previous two comment types were avoided. Ermmm...

        On a more serious note, just because posts like this usually devolve into a browser flamewar, I can say that personally as a web developer, news posts about browser exploits are some of the most important to
    • The same can be said about any political party discussion or FEMA, Louisiana, Missisippi, and Hurricane Katrina. None of this stuff will ever end as long as people continue to harbor opinions. Opinions are like a$$holes. They both squirt $hit.

      But you're right. I'm sure everything below will turn out just like you predicted.

    • ActiveX (Score:4, Insightful)

      by QuaintRealist ( 905302 ) <quaintrealist@@@gmail...com> on Friday September 30, 2005 @02:45PM (#13687962) Homepage Journal
      The fundemental premise of your post is correct - no one flaw proves a browser is "better" than another browser, and flamewars ensue from these flawed comparisons. Nevertheless, there is an underlying problem with IE: ActiveX. This is yet another example of how Microsoft, wanting to "kill" a more open product (Java), has introduced it's own, flawed, "standard" which causes its own problems. In this case, ActiveX is not secure and cannot be made reasonably secure, and this is the problem many of us have with IE.

      • Re:ActiveX (Score:3, Informative)

        by Ucklak ( 755284 )
        That is one of the best comments about what the problem actually is that I have ever read.

        I would say that the ActiveX and CSS are my two main headaches with IE. The other would be the lack of tabbed browsing but I don't use IE.

    • I think that the only reason post like this one garner so much discussion is because the web browser has become (arguably) the most important program on the PC. Not only is it used for certain parts of the operating system, but I'm willing to bet my reputation that almost everyone in those 1000+ comments are using one of the browsers being discussed to discuss.

      Until the web browser evolves or is replaced, this kind of conversation is unavoidable.

    • But on a slightly brighter note, I'm glad to see something that isn't trying to overhype Firefox as the next big security risk.

      That has to be worth something.^_^

      Honestly though, I agree with your prediction, but I'm still a fan of reading reports like this (as long as they're good ones) because they at least have the capability to inform people (i.e. don't use practice $foo, or this is what caused that problem last week, etc.), and not just incite riots on the message board.

      They're just reporting it, we're
    • Goggle "Internet Explorer Firefox security comparison"

      The Goggle, it does nothing.

    • Okay, now we spend time generating another 500+ comments discussing how shitty IE's security is and how Firefox isn't much better. Add the other browser users (Opera, Konqueror) and we get another 300+ comments. Throw in the fact that each cross-platform browser runs better in Linux/OSX/BSD, or is emulated better (hence, more secure) through Wine and we generate another 250+ comments.

      And if you're lucky, you get a few "this isn't really a security hole" posts.

      This isn't really a (significant) security h

    • Yes, but this stems from Microsoft's Active X crap and AJAX. If MS didn't use ActiveX for things like this it wouldn't so bad!

    • Re:Crank Up The Flamethrowers (Score:2, Funny)

      by Anonymous Coward
      Let me finish this discussion right here, right now:

      Nazi.
    • Okay, now we spend time generating another 500+ comments discussing how shitty IE's security is and how Firefox isn't much better. Add the other browser users (Opera, Konqueror) and we get another 300+ comments.

      Yes, and that would be plain wrong IMHO, and it would just tell me that these people either don't keep in touch with computer security well or are plain blind zealots not seeing that few modern browsers, if any, have been "secure" in the meaning of the word "not getting serious exploits".

      What I think
    • It's 5:13PM here, and after a lot of posts, I haven't noticed much flaming going around. Perhaps we've come to the terms where "IE vulnerability found" isn't news anymore. On the other hand, finding a Firefox vulnerability _IS_ news, and makes it a more fertile environment for flamewars.
    • are you subscribed to Sloshdat? Get a life man.

  • What about (Score:4, Interesting)

    by temojen ( 678985 ) on Friday September 30, 2005 @02:25PM (#13687759) Journal
    Same-source policy? Couldn't this only be used to attack the server that the script came from?

  • You gotta love this part (Score:4, Insightful)

    by cc-rider-Texas ( 877967 ) on Friday September 30, 2005 @02:27PM (#13687788) Homepage
    Microsoft is unhappy about the way the problem was disclosed. The company urges security researchers to report problems in its products privately so it can provide a fix. "This public disclosure potentially puts computer users at risk," the Microsoft representative said.

    Security through obscurity, yeah right. IMHO this just makes Microsoft get on the ball and do something about the problem rather than putting it on the back burner since "nobody would know about it."

    • Re:You gotta love this part (Score:5, Insightful)

      by dajobi ( 915753 ) on Friday September 30, 2005 @02:38PM (#13687899)
      That's not security by obsurity. That's "at least give us a chance to fix it before you tell the crackers." The Mozilla guys tell exactly the same tale.
      • The problem is that this approach does not always work. It works for Mozilla because the community is conscious about security over there, but if you look at the endless list of cases when a vulnerability researcher reported a flaw to Microsoft only to have the issue swept under the rug for a half year, then the immediate full public disclosure is the only method which works when dealing with that kind of company.
        • if you look at the endless list of cases when a vulnerability researcher reported a flaw to Microsoft only to have the issue swept under the rug for a half year, then the immediate full public disclosure is the only method which works when dealing with that kind of company.

          "That kind of company", eh? I see.

          What's wrong with notifying Microsoft about the flaw immediately, explaining that you will be making a full public release in 3 weeks? That gives them time to make a patch, release it, and hopefully a l

      • Re:You gotta love this part (Score:5, Informative)

        by SoccerManUNLV ( 827697 ) on Friday September 30, 2005 @03:23PM (#13688323) Homepage
        I guess you never read the story on ZDnet about a month ago, and MS was "looking into it". Apparently this does work and yet MS dropped the ball again, nothing knew, just expected sooner.
      • It *is* kind of security through obscurity. Disclosures a Good Thing. It gives the heads up to the people who have to manage this stuff. However, no usable exploit or even full details should be released until the company (this time MS) has had time to fix the problem and issue a patch (unless they're being lazy and unco-operative). The users need to know if there's a problem, just incase a malicious person notices the same vulnrability.
    • Without reading the article, I'd guess that the reporter decided to disclose the hole in IE quickly instead of giving Microsoft a month or two to fix it because the same hole was just fixed in Firefox and thus fresh in the mind of anyone who wanted to look for IE holes.
    • "Security through obscurity, yeah right."

      And your Social Security number is:
      103-56-2245

      Your mother's maiden name is:
      Greene

      Your Visa Card number is:
      4364-3343-1203-3096 (exp. 10, 2006)

      Sometimes security through obscurity isn't necessarily a bad thing -- it isn't always the case that just because an exploit exists, that it necessarily should be publicized.

  • Dupe? (Score:5, Funny)

    by P0ldy ( 848358 ) on Friday September 30, 2005 @02:27PM (#13687793)
    Am I wrong or haven't we seen this story before?

  • Spoof-based? (Score:5, Funny)

    by Limburgher ( 523006 ) on Friday September 30, 2005 @02:27PM (#13687794) Homepage Journal
    So, like, Spaceballs could compromise my boxen?
  • I'm sure MS will patch this withing 6 months to a year, so what is everyone worried about??

    Ok, sarcasm off.

    I can't believe the firefox revolution is slowing...

  • AJAX (Score:1)

    by bfioca ( 695852 )
    Cue a flow of comments on how AJAX isn't secure/safe/etc. But we already knew that, didn't we? Personally, I'd be glad to see AJAX take this kind of hit. Keeping cross browser compatibility is hard enough as it is.
    • And I was just going to start learning AJAX. Sounded like a nice way to get some fat client capabilities. Like all things, maybe a little too good to be true.

  • Here come the pre-packaged sound bites. . . (Score:5, Funny)

    by EraserMouseMan ( 847479 ) on Friday September 30, 2005 @02:30PM (#13687835)
    "Yea, but it hasn't even been exploited yet! It doesn't count unless it's been exploited, right?"

    "I bet there will be a fix out within 24 hours! Exploits don't count if they are fixed quickly, right?"

    "I don't care if they find a thousand exploits; I still won't use IE!"


    Oh, wait . . . I thought the article was about another Firefox exploit. Nevermind.
  • "Fully-patched computers running Windows XP with Service Pack 2 and Internet Explorer 6.0 are vulnerable to this issue, security monitoring company Secunia said in an advisory. Secunia rates the problem as "moderately critical" but says people can avoid the risk by not using Microsoft products anymore."

    When will people get the message?
  • XmlHttpRequest is the javascript object that allows for asynchronous communication between your web browser and a server located elsewhere on the internet, i.e. the first A in AJAX.

  • Let the IE/FF comparisons begin (Score:5, Informative)

    by Viper Daimao ( 911947 ) on Friday September 30, 2005 @02:35PM (#13687875) Journal
    I'll start with the securia site.

    Internet Explorer [secunia.com]: Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical...Currently, 20 out of 86 Secunia advisories, is marked as "Unpatched" in the Secunia database.

    FireFox [secunia.com]: Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical...Currently, 3 out of 24 Secunia advisories, is marked as "Unpatched" in the Secunia database.
  • Another day, another browser exploit. When will the madness end? On a side note, TGIF!

  • No big deal... (Score:5, Funny)

    by Stephen Samuel ( 106962 ) <samuel AT bcgreen DOT com> on Friday September 30, 2005 @02:47PM (#13687981) Homepage Journal
    Microsoft doesn't consider spoofed customers to be a problem, so this doesn't classify as a security problem.

    :-}

    (I really do wish it was completely a joke)

  • Amateurs... (Score:5, Funny)

    by tktk ( 540564 ) on Friday September 30, 2005 @02:48PM (#13687995)
    I just read the page source and render the pages in my head.

    There's no chance a spoof attack would ever wo.df&^3478adf@$%%

    /*User dead*/

  • .. Amit Klein wrote? Unknown, because one article mentioned in the summary contradict other. C|Net's one talks about JavaScript component but Secunia says that vulnerability was discovered in Microsoft.XMLHTTP ActiveX control.

    I have to admit that I don't have much experience with IE, but is it really required to use ActiveX to use XMLHTTPRequest in IE? Somehow I got an impression that JavaScript is all that is required... (or ActiveX is used under the hood?)

    • Re:So what exactly.. (Score:4, Informative)

      by Bogtha ( 906264 ) on Friday September 30, 2005 @03:03PM (#13688129)

      I have to admit that I don't have much experience with IE, but is it really required to use ActiveX to use XMLHTTPRequest in IE? Somehow I got an impression that JavaScript is all that is required... (or ActiveX is used under the hood?)

      You only have to write Javascript to use it, but that doesn't change the fact that the XMLHttpRequest object is provided by ActiveX, and if you switch off ActiveX, XMLHttpRequest stops working.

      This will change in Internet Explorer 7, which implements XMLHttpRequest as a native host object in the same way as other browsers. There's some discussion of this on the IE Blog. [msdn.com]

    • IE does use ActiveX for XMLHTTPRequest, but only to instantiate the initial object, after that you can manipulate it using JavaScript, like in any sane browser.
      • Nah, every object in the HTML DOM and the XML interfaces are based on COM/ActiveX. The Microsoft JScript implementation makes a IDispatch object available. The only issue here is that there is no way to get to the XMLHttpRequest object except for giving the COM ProgID directly in a call to create an object instance.

  • There Goes Someone's Weekend (Score:3, Funny)

    by usacoder ( 816957 ) on Friday September 30, 2005 @02:52PM (#13688020)
    Should be another quiet weekend in Redmond while Microsoft fixes this one.

  • Cross-Browsing (Score:3, Interesting)

    by Doc Ruby ( 173196 ) on Friday September 30, 2005 @03:01PM (#13688093) Homepage Journal
    I use IE only when a page won't open/display/work correctly in Firefox. So I already know (AFAICT) that the page I'm viewing is "really" the page I think it is. I wish there were a plugin that added an "Open Link in IE" context menu item. And even better to somehow add a "Return to Firefox" option that opens a link or reopens a page from IE to Firefox, to get back to Earth from Purgatory.

  • How awful is the IE codebase? (Score:5, Interesting)

    by CyricZ ( 887944 ) on Friday September 30, 2005 @03:03PM (#13688120)
    After recently working with the Mozilla codebase, I'm surprised that flaws aren't found more often. To be honest, it's a very complex beast. Perhaps overly complex. The worst part, however, is the outdated documentation. It displays the sort of attributes that often lead to bugs and security flaws.

    Now, what really interests me is in how horrible the quality of the Internet Explorer code must be for it to run into so many problems. Considering how unappealing Mozilla was, I can't even begin to imagine how absolutely terrible the IE codebase is.

    Perhaps somebody with experience with both could, assuming NDAs don't get in the way, describe how the quality of the two codebases compare.

    • Now, what really interests me is in how horrible the quality of the Internet Explorer code must be for it to run into so many problems. Considering how unappealing Mozilla was, I can't even begin to imagine how absolutely terrible the IE codebase is.

      We were wondering the same thing and recently sent a Mozilla developer to work undercover at Microsoft on the IE dev team to check this out.

      The doctors assure as as soon as he stops drooling he should be able to write up a report.
  • This is why I have my mom running Firefox on windows, and for those who will say FF has vulns, yes, they do, but with the 'auto-updating' option on 1.5 it will change that view. No one (save for us geeks) want to reinstall software all the time; most of the time if it works, they're not going to upgrade. 1.5 will 'auto-update' the bits to keep the browser secure, and I'm sure it will continue to while the browser moves to 1.6 and beyond.
    • They say firefox has it "bugs" to, and Im sure it does, but (as what happened yesterday), you dont have to worry about removing a yahoo popup blocker, only to get some sort of trojan that downloads 9999999 pieces of spyware, including stuff that "detects" a virus. ultimatly the comp continues to freeze on startup, and blah blah blah.....

      "This public disclosure potentially puts computer users at risk," the Microsoft representative said." - I would say it WARNS users (even though most wont listen) Its kind
    • This is why I have my mom running Firefox on windows, and for those who will say FF has vulns, yes, they do, but with the 'auto-updating' option on 1.5 it will change that view. No one (save for us geeks) want to reinstall software all the time; most of the time if it works, they're not going to upgrade. 1.5 will 'auto-update' the bits to keep the browser secure, and I'm sure it will continue to while the browser moves to 1.6 and beyond.

      To be fair, Internet Explorer is also "auto-updated" through automat
  • The yet to be released IE 7.0 has a lot of features. Majority of them stolen from firefox. And it was amusing to see that it looked just like firefox in appearance.

  • Incorrect title (Score:4, Informative)

    by Anonymous Coward on Friday September 30, 2005 @03:11PM (#13688196)
    The problem is with the proxy servers, not IE.
    Read the paper [cgisecurity.com]

    Yawn...
  • I rate this flaw '-1 Redundant'.
  • JavaScript... in Internet Explorer?

    Don't you mean "Jscript" ? :p

  • WHAT?!?!? (Score:3, Funny)

    by artemis67 ( 93453 ) on Friday September 30, 2005 @03:38PM (#13688474)
    IE is flawed?

    I don't believe it!!!!
  • Is this perchance related to the patch Microsoft pulled this month - the "Critical" (their rating) IE patch that MS announced, then decided it needed more testing?

    Whenever I see fairly coincidental timing regarding related subjects, it makes me wonder if they're really coincidental.

  • Spoofing, to me, seems intrisically a social engineering attack, not so much a flaw in the application.

    Designing applications (be it Internet Explorer, Mozilla/Firefox, Safari, Opera, etc.) can only provide ways to make identifying spoofs easier, reducing the risks. But I contend applications can never nail every thing down so tightly, considering the wide range of sites users could visit. If your design requirement is "The most foolish user must never be fooled by the most clever phisher anywhere, ever, i

  • I fail to see why this is even considered an issue. You can EASILY spoof any website with server-side code and the "attack" is cross-browser.

    The security bulletin talks about how using a specifically formed URL, you can download content from a remote site. I do the same thing all the time with a simple bridge in php:

    httpbridge.php:
    ---------------

    so if you want to get content from google in javascript:

    var A=null;try{A=new ActiveXObject('Msxml2.XMLHTTP');}catch(e){try{A=ne w ActiveXObject('Microsoft.XMLHTTP
    • The code sample you give would have to be put on the server by a server admin which is, as you say, common practice.

      The code described in the article runs in the browser which thinks that the current page and XmlHttpRequest response are from the same server (standard XmlHttpRequest security number 1), but in fact they are not. That's the cheat. Combined with a proxy server, that means that a page served by www.attacker.com can access data from www.victim.com, which should never be permitted.

      Justin.

  • What;'s funny... (Score:3, Funny)

    by leshert ( 40509 ) on Saturday October 01, 2005 @11:03AM (#13693513) Homepage
    ...is that stories like this could be duplicates, and you'd never know it.

Slashdot Top Deals

"I've finally learned what `upward compatible' means. It means we get to keep all our old mistakes." -- Dennie van Tassel

Close