Zero-Day IE Exploit Takes Control of PCs 567
anethema writes "A remote IE exploit with implementations is currently in the wild. From the article: 'Exploit code for a critical flaw in fully patched versions of Microsoft Corp.'s Internet Explorer browser has been released on the Internet, putting millions of Web surfers at risk of computer hijack attacks.' Aparently all you have to do is browse the page to be affected. There is no patch, but since it is a JavaScript exploit, you can work around it by disabling JavaScript."
This is why... (Score:5, Insightful)
Re:This is why... (Score:3, Funny)
Re:This is why... (Score:3, Funny)
Re:This is why... (Score:2, Insightful)
Re:This is why... (Score:5, Insightful)
This code (Score:5, Informative)
Re:This code (Score:3, Funny)
Re:This code (Score:3, Funny)
Re:This is why... (Score:4, Informative)
This is why... (Score:5, Funny)
This is why... (Score:5, Funny)
Re:This is why... (Score:5, Funny)
Re:This is why... (Score:3, Funny)
The phones are tapped.
US Mail, baby.
Didn't anyone see The Postman [imdb.com]
Re:This is why... (Score:5, Funny)
Re:This is why... (Score:5, Interesting)
Oh, wait, does windows even have anything like that...?
I'm not trying to start a flame war, I'm honestly wondering.
Re:This is why... (Score:5, Informative)
Re:This is why... (Score:2, Funny)
Re:This is why... (Score:2)
instead it was a pole.
Re:This is why... (Score:5, Funny)
Re:This is why... (Score:4, Funny)
Re:This is why... (Score:5, Funny)
Maybe anyway
Re:This is why... (Score:5, Funny)
Re:This is why... (Score:5, Funny)
Re:This is why... (Score:5, Funny)
You get used to it. I don't even see the code. All I see is blonde, brunette, redhead.
Re:This is why... (Score:3, Funny)
In Soviet Russia, the HTML render you!
Ouch. (Score:5, Insightful)
Yeah, me neither.
Re:Ouch. (Score:3, Interesting)
Re:Ouch. (Score:2, Insightful)
Thanks goodness browsers and the WWW got beyond academia because even with all the shit we have to put up with today (like this JScript exploit), the experience is far better and vastly outweighs the problems. Of course, there will always a small number of irrelevant people who like to portray themselves as elite by complaining about how the concept of the browser has changed. I rea
Re:Ouch. (Score:2, Interesting)
I may be a nerd, but I like to think of my page design [andreweckford.com] as "clean" and "fast-loading", thank you very much.
Re:Ouch. (Score:3, Funny)
Re:Ouch. (Score:5, Funny)
Result: Failed validation, 7 errors
Re:Ouch. (Score:3, Funny)
Re:Ouch. (Score:3, Interesting)
And I have a fast (1.8 GHz processor running Konqueror) setup and broadband. I can just imaging the difference if I was on an old sub-GHz machine or on dial up. I'm also using Konqueror. For the odd site that doesn't work (forcing me to resort to Firefox), the render time is substantially increased.
Re:Ouch. (Score:4, Informative)
Import a CSS on every page and you can get a nicer looking layout with little cost. "Small in size" and "fast loading" does not necessarily mean "default color scheme."
Re:Ouch. (Score:4, Interesting)
You don't have to design to the "lowest common denominator" if you use proper HTML 4.1 with CSS, but you do have to think about making a page that degrades gracefully. It's not really even hard - but thanks to IE and Netscape adding their own screwy tags + cheerfully accepting ill-formed HTML, web developers are among the laziest, worst informed developers around. Yeah, things sure are better now.
Re:Ouch. (Score:3, Insightful)
And as usual... (Score:5, Funny)
From eWeek: The group that published the exploit said Microsoft has been aware of the Javascript Window() vulnerability for several months but was mistakenly treating it as a low-priority denial-of-service flaw.
Because anything that allows a malicious user to exploit your system and hijack isn't a flaw... it's a feature!
Re:And as usual... (Score:5, Funny)
This kind of thinking is extremely $sys$profitable irresponsible.
Re:And as usual... (Score:5, Funny)
My god, Sony have provided a viable Windows alternative to the old ^W^W^W^W *nix joke... it's worse than we thought!
Re:And as usual... (Score:5, Funny)
Huh?
Duh! (+1, informative) (Score:3, Informative)
The *nix joke "word^Wother" (also written "word^H^H^H^H") meant: i wrote "word", but repented and erased it (with one control-w or N control-h keys) and substituted it for "other".
The newly made Sony/Windows joke "$sys$word other" means: "word" becomes invisible and, just as in the unix case, I am saying "other" (when I really mean the harsher "word").
Funny thing is, it's not
Re:Duh! (+1, informative) (Score:4, Informative)
Re:Duh! (+1, informative) (Score:3, Funny)
I always get depressed as the nights draw in towards the end of Hextober; how about you?
Re:And as usual... (Score:4, Funny)
"I have seen the fnords..."
I
Re:And as usual... (Score:2)
1) Microsoft creates horribly insecure software with a lot of features. 2) People buy software, use it, and standardise on it. 3) Flaws are uncovered, but people can't move away from software because they need the features. 4) Profit!
Seriously, it's worked for IE (sites testing for IE only and declaring anything else as broken) and Office (people not moving away because Office has some random esoteric thing that they so badly need)
I'm glad to see that (Score:3, Funny)
Its important for MS to keep ahead in this area.
Re:I'm glad to see that (Score:3, Informative)
...or by not using Internet Explorer (Score:2, Insightful)
Re:...or by not using Internet Explorer (Score:5, Insightful)
Take Preinstalled Browser,
Add to Lazy User,
and mix in a healthy dose of Ignorance.
Alternate Receipe:
Take Preinstalled Browser,
Add Fear Of Change.
Despite having Firefox installed at home, my wife insists on MSExploder .... I think the linux migration time-table is getting shortened.
Re:...or by not using Internet Explorer (Score:5, Funny)
Buy sony cd,
install rootkit
rename Explorer to $sys$explorer.exe
Re:...or by not using Internet Explorer (Score:5, Insightful)
I don't understand this. You aren't the first person to tell me their Wife doesn't wanna run Firefox. You know what I did. I said to my wife "Wife. IE will break the computer and then I will have to spend all night fixing it rather than doing whatever else it is you wanted me to do.". My wife actually respects that I know what the crap I am talking about (just as I respect what the crap she is talking about in her area of expertice...which isn't IT) and goes with what I say.
Why don't you people just try explaining the problems to your wife and get over it?
Re:...or by not using Internet Explorer (Score:5, Insightful)
It's very, very simple. People are stupid and lazy.
Is there a tenor in the house? (Score:5, Funny)
Ah, the Firefox of Opera - who is that, Pavarotti?
Re:Is there a tenor in the house? (Score:3, Informative)
Oh no.. (Score:3, Interesting)
No, the reason I'm saying it is that this being Slashdot we'll get the usual set of arguments about browser and OS supremacy. Again. It's like Groundhog Day!
Shucks, everything has security flaws. Yeah, some more than others. To be honest, I found it more of a shock that Lynx has a security flaw [idefense.com]. If you can't trust Lynx to be secure, then really nothing is secure. Except unplugging your computer and putting it back in the box, perhaps.
Re:Oh no.. (Score:2)
Re:Oh no.. (Score:2)
Some things are riskier than others, the decision is to avoid behaviors that exceed your risk tolerance threshold. For me that's the case with IE, it's just too risky for me to use it. Firefox on the other hand is currently tolerable, the benefit outweighs the risk.
Gah! (Score:5, Insightful)
users do, but they're much further down the food chain
Except that regular users comprimise a greater number of Internet users. So if Joe Average uses IE, more people are going to be affected by this flaw.
we'll get the usual set of arguments about browser and OS supremacy.
If something has fewer security problems, isn't it "superior" in that respect?
If you can't trust Lynx to be secure, then really nothing is secure.
Right. Because if something has one flaw, then you might as well not even bother trying, because everything has flaws. I mean, just because IE has had double-or-triple-digit flaws, clearly this one flaw in lynx makes all arguments against IE moot.
What an inane comment.
Lynx (Score:5, Interesting)
Why? I haven't looked at Lynx recently, but Lynx used to be a very insecure
browser - Lynx code had lots & lots of Buffer Overflows.
Thank you (Score:5, Funny)
Re:Thank you (Score:3, Funny)
Give it 5 (Score:5, Funny)
Well, there might be no customer impact at this time, but seeing as the exploit is published now, can I ask you again in about 5 minutes?
Re:Give it 5 (Score:5, Interesting)
_uacct = "UA-32013-5";
urchinTracker();
Re:Give it 5 (Score:3, Interesting)
In other news (Score:3, Funny)
Nothing to see here - move along.
I hope this gets into a doubleclick ad (Score:5, Insightful)
That'd be SO funny
Someday, an IE exploit is going to come along that wipes your HD. Then we'll see sparks fly.
Re:I hope this gets into a doubleclick ad (Score:5, Informative)
Make of it what you will.
set an ACL to stop this (Score:2)
Set access to deny permission to "everybody". Since "everybody" is special, that prevents even the admin from doing anything.
(then, of course, you use firefox)
good example of why Microsoft is bad at security? (Score:5, Interesting)
Re:good example of why Microsoft is bad at securit (Score:2)
Haha, low priority...
CVE link (Score:2)
"Phase: Assigned (20050601)"
IE hackers too busy trying to play catch up with firefox to fix non-critical bugs, maybe?
The good thing of all this is that since Microsoft only releases security patches on thursday - you know, "admins want predictability" and all that shit that some companies use and that lots of shitty admins believe - so you have a full week as minimum to exploit this on your web pages. Enjoy, IE users!
But if you disable Javascript... (Score:2)
Zero-day? No. (Score:3, Informative)
"Zero day" refers to publication of the exploit... (Score:2)
Re:Zero-day? No. (Score:2)
DUPE! (Score:3, Funny)
lazy story submitters (Score:5, Funny)
What, no link?
Re:lazy story submitters (Score:4, Informative)
Say goodnight, AJAX (Score:3, Insightful)
Re:Say goodnight, AJAX (Score:5, Insightful)
I’m safe! (Score:2)
*and other assorted open source terrorists
Browser? (Score:2, Funny)
Thank you (Score:4, Funny)
Now that you've RTFA, and you are now looking at the comments page, the staff of Slashdot and EWeek would like to thank you for visiting our web pages and giving us full control of your windows PCs.
Happy Holidays!
MS anti-spyware utility will stop this (Score:5, Funny)
Hmm.... (Score:5, Funny)
Links (Score:3, Informative)
http://lists.seifried.org/pipermail/security/2005
http://www.computerterrorism.com/research/ie/ct21
http://www.computerterrorism.com/research/ie/poc.
Get the facts! (Score:4, Funny)
Re:Link to a copy? (Score:2)
Re:Link to a copy? (Score:4, Insightful)
So you'd deliberately and maliciously cause problems, just to prove you were on some imaginary moral high ground?
Re:Link to a copy? (Score:4, Informative)
Re:Link to a copy? (Score:3, Informative)
Not sure if crashing the browser can really be called an 'exploit'. Slashdot headline writers on crack again...
Re:I don't care (Score:2)
So... an attacker who's pwnz3d your Windows installation can't then access the MBR, futz with your bootloader and pass the options of his choice to your Linux kernel at next boot time? He can't install rfstool on the sly and mount your Linux partitions and plunder your personal information you keep there?
Re:I don't care (Score:3, Insightful)
Why rob a bank? Because that's where the money is.
Why write viri for Windows/IE? Because that's where the users are.
-Rick
Re:I don't care (Score:3, Informative)
Would a worm do all that, or a clueless script kiddie? Probably not. As you say, there are too few dual-boot systems around. Bear in mind however that the Linux partition is still at risk from a malicious kiddie letting rip with fdisk.
But would a hacker do it? Yes, I think so. Especially if he'd just been
Re:I don't care (Score:3, Insightful)
You are implying that the person breaking the law has an average level of intellegence. Haven't you seen "Maximum Exposure", "Real Police Videos", or any of the other caught on tape shows. They prove one thing, most criminals are dumb. True, there are a few gems in the rough, but by and large, the criminal element of society is not the brightest bulb in the box.
"Where's the notoriety in this? Oooh. I hacked a windows box. I'm so l33t."
T
Re:The facts please (Score:5, Insightful)
Now, mod me whatever you want, but the info you provide should be FACTS.
Fact: A critical security flaw has been found in IE, and the SANS ISC is recommending that people use one of the "other browsers".
Howzat?
Re:The facts please (Score:3, Insightful)
Who knows how long other people have been exploiting this bug - potentially in ways not involving Javascript as well?
Re:Opera affected too? (Score:5, Informative)
Not affected. I've tested <body onload="window();"> and nothing happens besides JS console logging "Statement on line 1: The Object does not implement [[Call]]".
Re:My IE not at risk (Score:3, Insightful)
The damn data janitors around here forget their job is first to provide a useful network.
Re:Advice for not getting this virus (Score:3, Informative)