New IE Zero Day 305
RebootKid writes "Microsoft has released a notice about
a new zero day attack against Internet Explorer. Guess it's going to be more a 'Script Kiddie Christmas,' less of a 'White Christmas.' 'Ok, fess up — who asked for an IE 0 day for Christmas? I'm guessing Santa got his lumps of coal mixed up with a bag of exploits. This exploit has been discussed over the last day or so on full disclosure and a number of other sites. Metasploit already has a module available for it (just search for CSS & IE). Microsoft has put out an advisory 2488013 regarding the issue which manifests itself when a specially crafted web page is used and could result in remote code execution on the client.'"
Merry Xmas (Score:1)
Merry Xmas
Re: (Score:2)
Well, you can get the IE patch here [google.com], and the Windows patch here. [google.com]
Re: (Score:2)
Re: (Score:2)
I know that (about security) and I never said otherwise. Go, read again, did I say anything about Debian/Ubuntu being intrinsically more secure? No, I didn't say that.
I am being modded troll because people read way more than what is written, and also because they think rating negative is synonymous of 'I disagree'.
I just reported one fact. I could have added that my parents' computers are also virus free for about 5 years now with Ubuntu, for the relief of my brother, that was the previous Windows maintaine
Re:Merry Xmas (Score:5, Insightful)
And you're still a troll. And if you think that simply running Linux automagically protects you from any threat of malware, you're also an idiot.
The quality of discussion on this site is taking a nosedive lately. I think phony "debate" talkshows and the demagoguing occurring in politics does a lot of damage by repeatedly presenting invalid processes as though they were legitimate or useful. I'll spell it out right now, the dishonest tactics used on shows like that and commercials like that are designed for one purpose: so the host or politician can "win" and "be right" no matter how right or wrong he/she actually is. It's rhetoric, not debate.
I'll give a rough outline of how this most often plays out on Slashdot. My goal is to demonstrate how petty and useless it really is:
It boils down to what kind of man or woman you are. To some people, the truth is more important than winning and any winning that does happen is not legitimate if it is not rooted in truth. To many people, winning is more important than the truth and lying, distorting, misrepresenting, are all acceptable as long as you win and the other guy loses. The latter group will never know what it means to say "you know, that's a really good point, it made me think about this differently, you changed my mind about this -- thank you!" for that would mean losing face, or so they imagine.
What does this have to do with the subject at hand? I'll explain. For every 500 times I've seen someone say "if you think Linux automagically protects you from malware", I think I've seen maybe 1 time that anyone actually made that claim. This strawman has been beaten so severely it's reverted back to a small pile of hay. It's time to let it go, no matter how otherwise trollish somebody else has decided to be (and he was -- I don't dispute that, but this BS compounds that problem).
The GP said two things. He said he has run Debian and/or Ubuntu for the last 10 years. That's not absurd or beyond the realm of possibility. So ok, I believe him. He also says he has experienced no malware during those 10 years. That's strictly a matter of his competence as a Linux admin, skilled admins exist, and it doesn't take a particularly high level of skill to achieve that. So that's not absurd or infeasible either. Ok, I believe him on that one too.
Now hear this: he did not claim that Linux automagically did anything. I realize some people have said that -- if you want to do something about it, locate and deal with those people. What you're doing is assuming he must be just like them because he wears the same kind of tie. Until and unless he makes the same claims, he is not just like them. If he trolled a little, you said "oh yeah, watch THIS" and showed him how it's done.
Re: (Score:1)
That sounds like what happens each time Windows 9x comes up in any IT discussion.
Re:Merry Xmas (Score:5, Funny)
Windows 98 was fourteen times the operating system that Windows 7 is.
Re: (Score:2)
and me without my mod points :(
Re: (Score:3)
Put the chair down, Steve.
Re: (Score:3)
I don't know about him, but I sure am jealous of not having an OS that will only run a tiny library of poorly written, half-assed software
*shrug*
I don't usually reply to trolls but...
Mind you that people writing open-source code do it for fun and recognition. Writing "half-assed" code seems something that a paid employee could do since they have deadlines to meet and other more important objectives to worry about than writing "clean-code". Also, the very nature of *open*-source code makes it more vulnerable to third party quality checks and peering.
If you never tried to push code into kernel.org, gnome, kde or any other big opensource project
Re: (Score:2)
APK!
Wait, what's APK?
Dude. Relax, have some eggnog. Put your feet up on that stack of computer magazines and take a deep breath.
This is the internet. Either you're trolling, or the person you're yelling at is. Either way, relax.
Re: (Score:2)
Yes, I can do that. 8 wget invocations to get the data, cat the 8 resulting files into sed 's/[[:space:]]/\t/', pipe into sort, pipe into uniq. Job Done. Why does your program take 20 minutes to do this very, very simple process?
But his is written in Visual Basic and has pretty ASCII art in the title bar!
Re: (Score:2)
Alexander Peter Kowalski, going on a tirade because somebody actually had the audacious nerve to NOT REINVENT THE WHEEL!
Tell me, Alexander Peter Kowalski, what operating system do you use? Did you write it yourself? HA. I’m betting your own precious program made some system calls to CODE YOU DIDN’T WRITE, too!
Re: (Score:2)
I’m not “clone53421”, learn to read moron. And that wasn’t my script, I just stepped into the fray to let everyone know you’re a full retard.
Re: (Score:2)
I corrected you by showing you HOW/WHERE/WHEN/WHY your already blown code won't work on HOSTS file data import & conversion
That wasn’t me, you dense fucking ass. I’ve told you it wasn’t me, and the guy who wrote it has told you that I’m not him. How much more clear could we make it?
Re: (Score:2)
Nobody shows up that late into a discussion like this
I did. Your argument is invalid.
Re: (Score:2)
Again: You obviously "slipped" when you hit the submit button this time - instead of replying "AC" as you can!
I’m replying to you under my username on purpose, you dimwit. That’s the only way I can make it obvious that I’m not the same Anonymous Coward that you’re currently foaming at the mouth over.
And I never got banned at any PCReview forum, and the link you’re posting doesn’t even work. I don’t know what you’re off on this time, but it appears to be a load of garbage as usual.
Re: (Score:2)
NOBODY comes in this late into a post this deep, & replies, unless they were here already!
I’ve been here all along. I just haven’t been posting until recently. But don’t let that stop you from blathering your drivel.
Despite your stating initially "your code" (script that uses others' work really) works right
For the last time, that wasn’t me. I don’t even use Linux and wouldn’t have the slightest idea how to write a shell script like that. I’d have to completely teach myself shell scripting to even begin, and that much effort would be stupid just to win an argument with you.
Re: (Score:2)
You can e-mail the admins if you like, and they can verify that the script was not posted by me.
I’m done arguing with you, anyway.
Re: (Score:2)
You’re obviously too scared to e-mail the admins, who will just verify what I already told you.
Terrible, terrible and juvenile summary. (Score:4, Insightful)
If you felt the story was newsworthy, I have no doubt that it was submitted in a form that was better than this one, or that you could have re-wrote it.
Re: (Score:2)
But it makes fun of Microsoft... Isn't that all we need. If there is a bug in Microsoft we celebrate.
Re: (Score:1)
It was submitted in a better form, and I gave that one + and this one -.
Bad:
http://slashdot.org/submission/1426606/MS-warns-over-zero-day-IE-bug [slashdot.org]
This one:
http://slashdot.org/submission/1426648/New-IE-Zero-Day [slashdot.org]
The other one:
Can't be found, probably because it was submitted later? Or something, was better though, dunno why they have removed it from firehose? Same URL and this one got submitted = fail?
Re: (Score:3, Informative)
I don't see anything wrong with the summary. It inserted some comic relief & levity, but still got the message across. Just as that comedian does on Comedy Central's daily news show.
Re: (Score:2)
Great. Now I need to buy a digital cliche meter. This summery of this story nearly caused my mercury cliche meter to burst.
Re: (Score:1)
Typical of the author
Re: (Score:1)
Re: (Score:1)
Yeah, well, posting 5 sentences of "MICROSOFT R TEH SUX LOLOLOLOL WHO WANTED 0-DAY FOR XMAS LOLOLOLOL" doesn't really convey that impression to me.
Re: (Score:2)
I vote you the /. user most likely to snag the 2 millionth UID.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
IE9 is safe (Score:1)
or at least it's not on the list.
Re: (Score:2)
That's what tickled me. If you believe the hype, every new version of IE is just that, new. Why then does is exploit like this for "all versions of Internet Explorer" except, as you pointed out, IE9?
If there is a really good (technical) reason for this, I'd like to hear it, because it kinda intrigues me that this is possible... kinda like the sharing vulnerability that Win98 had, XP did not have, and then Vista, Win7 and Server 2008 had.
Re: (Score:2)
That's what tickled me. If you believe the hype, every new version of IE is just that, new.
Can you give examples of said hype? I think it's pretty well known that IE engine did not have a grounds up rewrite for a long time now. Nor was it ever claimed or hinted otherwise by MS.
Misleading report (Score:1, Informative)
Microsoft is not being entirely straightforward in their report. This is not an IE bug. It is a .Net bug in mscorie.dll. Mscorie.dll is not required by IE. (IE works just fine, so to speak, without .Net.)
Re: (Score:3, Interesting)
Referece? The CVE description says:
Re: (Score:2)
You are misunderstanding that article. The article is not saying that the vulnerability is in mscorie.dll, but that the exploit uses the non ALSR'd mscorie.dll because the base addresses are known.
The vulnerability in mshtml.dll allows the exploit access to mscorie.dll, which is not protected because it cannot normally be accessed remotely in this manner.
This is like saying there's a vulnerability in a banks safety deposit boxes because the vault itself let people with specialized tools capable of breaking
Elves... (Score:1)
Just don't put this on the Christmas Elves or Elf Bowling sites.... Let's see, risk factors:
* Tech-clueless relative just got their first computer for Christmas. "Chooses" I.E. as browser. Drawn in by Elf Bowling. There's a virus on your computer, click here!
Oh, man....
And related to what an earlier poster said, why is it that we need to use Internet Explorer in order to update our Windows boxes? I still find that a little bit anti-trust.
To borrow from 2001: My God--it's full of holes!
Re: (Score:1)
Slow news day? (Score:1)
Is it a slow news day? ;)
Next you are going to say there are some unpatched vulnerabilities in IE.
net zero; +1 MS -1 for MS (Score:5, Informative)
Well the (+1 score) is that they have called for using the “The Enhanced Mitigation Experience Toolkit” (EMET) tool to mitigate the problem. The bigger question is why is EMET not a part of the OS proper? If the EMET tool is capable of solving this problem then why the &83$$@# didn't they force an install of EMET to solve all the Adobe issues? Why are they NOT stepping forward to fix all the third party application security issues?
What security features can you add with EMET?
Dynamic Data Execution Prevention (DEP)
Structure Exception Handler Overwrite Protection (SEHOP)
Heap Spray Allocation
Null Page Allocation
Export Address Table Access Filtering
Mandatory Address Space Layout Randomization (ASLR)
Now I have several questions, like why is this not part of the OS? Why is it not a default where these can be turned off on a case by case basis? Have untrusted browser plugins? And why isn't Flash/acrobat/shockwave forced to run under it? Admittedly Acrobat-X (sandboxed version of Acrobat) is a step in the right direction, but wouldn't it be better to have all applications turned on by default?
The Enhanced Mitigation Experience Toolkit 2.0 is Now Available
http://tinyurl.com/28znulg [tinyurl.com]
Re:net zero; +1 MS -1 for MS (Score:5, Informative)
DEP and ASLR both cause problems with lots of poorly written software, which is why they're only enabled for executables that specifically flag themselves as working with DEP/ALSR.
I can attest to that (Score:4, Interesting)
When I went to a 64-bit OS I decided I'd force DEP on. Windows actually has 4 DEP modes: always off, always on, opt in, opt out. It just only shows the opt in and opt out choices in the GUI. So I turned it on. After all, this was some time since DEP had come about, figured things would be fine.
Wrong answer. Tons of apps bombed on DEP errors. Seems lots of apps like to execute from memory they forgot to mark for code. I tried the opt out mode for a bit, figuring that I'd just add the apps that were problems, but it got to be too much since you have to do it by hand (there isn't an "add exception" button in the error or anything), some apps had multiple sub apps that had to be added, and of course it isn't like apps would always just fail to execute, sometimes they'd run fine until you were in them and working, then bomb (audio apps with plugins were notorious for this).
So now my computer is in the default op in state, meaning only apps that ask for DEP get it. Not as secure, but such is life. Good news is as far as I can tell all my apps that run at any privilege above user DO use DEP so that's nice.
Re: (Score:2)
I think you just hit on the most major feature that MS left out. What is needed is a balance of usability and enforcement. One needs enough enforcement so that the developer will hear about the issues and have the incentive to correct them, but not so much that the user is prevented from getting the application to work properly. Wouldn't it be great if MS used a click through message to both correct the problem and to also notify the developer?
Re: (Score:2)
Exactly! When MS came out with NT, and protected mode Win32, a lot of programmers had to straighten up and fly by MS's new rules, and things improved greatly. They are still bad, but much improved. The problem is MS is not trying to get them to fix their own problems and therefore MS suffers an image problem that needn't be. If MS said, "this is the way things are, you have X months to make it work under the new rules" then the third pa
Re: (Score:3)
Re: (Score:2)
I came in one weekend and turned it on on my workstation and debugged everything I knew how to run (I was the new kid on the bloc
Re: (Score:2)
If the code path is randomized in anyway these developers get all flustered. None of them would invest in writing sanity check and audit methods.
How did the software industry get to the point where it's legal to not have sanity checks in today's hostile Internet environment? If the building industry had a similar standard of construction, millions of people would be dead and there would be lynchings.
I presume the answer has something to do with the secrecy of proprietary software development and that it's impractical to enforce any kind of standards compliance, especially when many software 'standards' only exist as bugs-and-all implementations? But
Re: (Score:2)
While it's unfortunate that the exploit writer could find something that isn't ASLR'd and use it as a jumping off point, it's not really the flaw here. The flaw itself is in MSHTM that allowed access to mscorie.dll.
DEP is a great tool, but it can't be used for everything. Same with ASLR.
Re: (Score:2)
It's sing-a-long time! (Score:2)
Botnets! Worldwide botnets!
What kind of boxes are on on botnets?
Compaq, HP, Dell and Sony, true!
Gateway, Packard Bell, maybe even Asus, too.
Are boxes! Found on botnets!
All running Windows. FOO!
Why, yes! Yes I Am a smug, OS X using bastard!
How kind of you to notice!
Before we all start the bashing.. (Score:2)
It is also important to take note that IE is the second most secure browser after chrome, as it is the only one to make full use of WIC(Windows Integrity Controls), although does not have the sandboxing that Chrome has.
Re: (Score:2)
Umm.. ok. If you mean "sandboxing as chrome has" rather than "sandboxing, as chrom has". IE has protected mode, which is a form of sandboxing. Not the same as chrome, but they both have sandboxing. Chrome doesn't do what IE does either.
Re: (Score:2)
Re: (Score:2)
A few things of note here.
1) If there is a Zero Day for those other browsers, one can usually switch to another browser because I use all four. Average mom and dad users, may not be possible.
2) Because IE is tied so closely to the OS called Windows, it is much easier to exploit, because it requires less guessing of the OS. And with IE 9, it requires no guessing. That, by itself makes the exploit that much more difficult to block.
3) When Firefox or Chrome get zero days, the time for the fix is usually a day
Re: (Score:2)
2. IE Makes use of WIC, and is quite a bit more secure than FF or Opera because of it
3. Microsoft issues critical patches out of cycle, so that also isn't an issue.
Re: (Score:2)
Then why are all the users that use IE on my network getting infected with crapware, while Chrome and FF users don't?
Re: (Score:1)
With that said, I still use IE often, even though Chrome is my browser of choice. Don't get me started on Firefox. If malware can be defined as an app that sucks every last megabyte of usable RAM, then Firefox is malware.
Re: (Score:2, Insightful)
I don't use technology X and therefor nobody else does! LALALALALALA NOT LISTENING
Re:Okay, here's a question ... (Score:5, Insightful)
And this is noteworthy why?
Because a significant number of people on Slashdot are security geeks and enjoy learning about exploits, or are sysadmins that manage at least some machines where the users can get to IE.
Re: (Score:2)
And this is noteworthy why?
Because a significant number of people on Slashdot are security geeks and enjoy learning about exploits, or are sysadmins that manage at least some machines where the users can get to IE.
Or you work as a lowly developer or IT Grunt Technician a company where you are pretty strictly IE only - based on policies set forth by Vice Presidents who don't know how technology works.
Re: (Score:3)
Or have a relative who is guaranteed to get all the latest malware, and will have to remove it while home for the holidays.
Any ideas on how I can get out of it this year?
Re: (Score:2)
Start charging.
Re: (Score:2)
This year? No. Next year? Sure.
Make their account a limited user account only.
Change the admin password, and don't tell him/her what it is.
Enable the Remote Assistance feature just in case it's absolutely necessary.
Set anti-virus to be updated automatically, and make the schedule locked to anybody but admin. In fact, turn off all AV controls to non-admins except for "run a scan now." MSE can do this, by the way.
Do the same for Windows Update (force it on, don't let a non-admin turn it off).
Works best on Vis
Re:Okay, here's a question ... (Score:5, Insightful)
And this is noteworthy why? How many Slashdotters use Internet Explorer for anything other than the occasional WindowsUpdate in XP? This may be News for Nerds, but it hardly matters. Everyone here knows very well that Internet Explorer is too dangerous for general Web use. That Microsoft is suffering yet another security failure doesn't really elicit much interest from me, I must say.
Firstly, a serious security vulnerability in a popular (for whatever reason) software tool is always noteworthy, if just for the fact that it's interesting. Secondly, the overall state of IE is large enough to affect everyone in some way or another. And finally, numerous people here administer systems or have friends and family that may run or require Internet Explorer, and such a bulletin could certainly prove useful to them to prevent this attack from damaging those they (are paid to) care about.
It irks me that there are better options than Explorer readily available, but so many people just don't care enough about their own security and privacy to avail themselves of those options. It's not like paying through the nose for an anti-virus product: these things are free to use! I feel less and less sorry for Explorer users every day, having heard all the excuses ("it doesn't look like Explorer, my favorite free-malware-site doesn't like it, it's too hard to install, I'm too stupid to use a computer, and so on ad infinitum.) It's not as if the likes of Firefox, Chrome and Opera are hard to find, or aren't in the public's eye nowadays. Hell, a few months ago a major U.S. bank issued a warning recommending that its customers eschew Explorer in favor of anything else and further recommended that any online banking be done in anything but Windows (preferably Linux/Unix.) Of course, the month after that they made another public statement to the effect that they would only support Internet Explorer (note: they didn't follow through on that threat. I got the distinct impression that it was a "left hand doesn't know what the right hand is doing" situation.)
I've met smart people who think that Internet Explorer is the Internet. They don't know or care what a browser is. Technology, Internet included, is just another tool, and it needs to work correctly. To tell someone like this to get another browser is not feasible; without a long explanation, they will never like the idea of switching from something that is (or appears to be) working to something different.
Approaching someone and taking the time to explain the situation and answer their questions is the only way to make a transition sit comfortably with them. Unfortunately, people "in-the-know" don't have the time or desire to address the remaining population. The best effort I've seen to address the non-technical public is Google's "get a faster browser" button on their home page, and even then I've heard those who say "well, mine is fast enough". Someone has to explain things and answer their questions.
I've encountered pretty popular attitude that viruses only exist on shady websites (e.g., gambling, and porn) and that caring about or addressing security is not only unnecessary, but also an admission of one's intention to visit such sites. Once again, the only way to break past this is to take the time to sit down, explain things, and answer questions.
Short of prosthelytizing nerd squads going door-to-door, there's not much that can be done. Microsoft got themselves into this biased market mess by aggressively pushing IE and locking out other browsers, and they are wholly responsible for keeping their shit together. Maybe someone should sue them for damages.
Also, keep in mind that serious flaws have been found in Firefox, Safari, and Chrome. IE, like Windows, is targeted more heavily than other browsers due to its market share. If IE is ditched en masse, I would bet money on the number of flaws in other browsers growing significantly higher. This doesn't absolve Microsoft (see previous paragraph), but it does suggest that the problem is larger than IE and attitude.
Re: (Score:1)
Microsoft got themselves into this biased market mess by aggressively pushing IE and locking out other browsers,
Wha? Since when did Microsoft "lock out" other browsers?
Re: (Score:3)
Microsoft got themselves into this biased market mess by aggressively pushing IE and locking out other browsers,
Wha? Since when did Microsoft "lock out" other browsers?
Sorry for the ambiguity; I was referring to locking them out of the browser market via aggressive pushing, default installation in the most popular operating system, IE-only web sites due to standards deviations, inseparable integration with the host operating system, and use of (at the time) Microsoft-only APIs for optimizations, plug-ins, and media capabilities. People always have had a choice, but Microsoft used every bit of their considerable influence and position to make that choice for them, causing
Re: (Score:3)
Ah, I agree.
The cynical person in me would say that the dominance of IE is at least half of the blame on Mozilla's disastrous decision to re-write Netscape from scratch, resulting in them having literally no way of competing with Microsoft. (It's also telling that IE won against Netscape on the Macintosh, a platform which wasn't subject to the biases you mentioned.)
I mean, if you want Microsoft to write good software, you need to compete with them-- that's just how it works. No competition to Microsoft = no
Re: (Score:2)
Ah, I agree.
The cynical person in me would say that the dominance of IE is at least half of the blame on Mozilla's disastrous decision to re-write Netscape from scratch, resulting in them having literally no way of competing with Microsoft.
You fail to mention that Netscape (4.x) was in no way or shape capable of beating IE. It was a pile of crap. IE went into dominant position because it was a so much better browser starting at IE4.
(It's also telling that IE won against Netscape on the Macintosh, a platform which wasn't subject to the biases you mentioned.)
Well, this is not the case anymore. Again, they won because they had no worthy competition.
I mean, if you want Microsoft to write good software, you need to compete with them-- that's just how it works. No competition to Microsoft = no effort from Microsoft.
But they did make lots and lots of efforts to wipe Netscape out of the map. They did succeed because Netscape had such an horrendous product AND because they did all they could for it to go away, not counting technical superi
Re: (Score:2)
You fail to mention that Netscape (4.x) was in no way or shape capable of beating IE. It was a pile of crap. IE went into dominant position because it was a so much better browser starting at IE4.
Yep, I know (for example, the CSS/JSSS fiasco). But I think the argument here is that even if the rewrite was necessary, Netscape could have released a 5.0 version based on the old codebase in the meantime to compete against IE5.
Re: (Score:2)
Netscape 4 was not DOM based. There was just no way to make it competitive against the beast that IE was at the time.
Let's make a car analogy, it's been a while. If you have a 1995 Toyota tercel and are about to start a race against a Corvette, new tires or a new carburator ain't going to change much. What you need is a new car.
Ahhhh... Car analogies makes me feel good.
Re: (Score:3)
No, you haven't.
Re: (Score:2)
No, you haven't.
That's nothing. I know smart people who believe that AOL is the Internet.
Re: (Score:2)
No, you haven't.
Half the university staffers and a few professors I supported think all urls go in the search bar, no matter how small and inconspicuous it may appear right next to the main URL bar.
Must have something to do with browser GUIs giving you two textfields without distinct background color. Only geeks notice that "the one on the left is the one filled with text all the time... perhaps reading that text will contain something useful... ooh, it says facebook and i happen to be on my facebook." Nongeeks never read
Re: (Score:2)
We live in a highly specialised society. You can be highly intelligent and still not know squat about something you use in your everyday like.
While that is no doubt true, I'm wondering what happens to an advanced global technological society based on such high specialisation and the resulting relative general ignorance when it is combined with a rising level of cynical anti-social manipulation that leaves anyone not a domain expert in any given domain, wide open to fraud and abuse from 99% of the rest of a 7 billion person planet.
Guess we're going to find out real soon! Won't that be fun!
Re: (Score:2)
Technology, Internet included, is just another tool, and it needs to work correctly. To tell someone like this to get another browser is not feasible
I think if a carpenter told me that the brand of hammer that I, a non-carpenter, was using at home had a tendency for the head to fly off the handle, I'd be pretty damned interested, and I'd be looking to buy a different brand of hammer.
And in a corporate environment, the admin may know that IE is a crappy browser, but the technically clueless middle manager kn
Re: (Score:2)
prosthelytizing nerd squads going door-to-door
Those would be people who aggressively evangelise the replacement of body parts, right?
"Mom! The Jaime Sommers Witnesses are here again! Do we wanna buy an H+ Magazine?"
Re: (Score:2)
Re: (Score:3)
When your aunt Bertha calls on christmas and goes "MY INTERNET IS BROKEN", i'll be able to go "ah yea, I remember reading about that on slashdot".
Re: (Score:2)
And then you go: "But Aunt Bertha, it's Christmas, I can't help you today."
Re: (Score:1)
Re: (Score:2)
If the software you're developing only works in IE, someone somewhere made a bad decision.
Ah if only it was that simple.. The company I originally developed software like this years ago when it was basically just IE or Netscape. They made it support both, thinking that those two would be used and supported forever. Well netscape died, and all that work going into supporting it was all for naught 5-10 years later. Because there are going to be bugs you see in one browser and not the other, and fully supporting additional browsers will require a lot of additional overhead.
Two years ago we st
Re:Okay, here's a question ... (Score:5, Informative)
Microsoft has released a notice about a new zero day attack against Internet Explorer.
And this is noteworthy why? How many Slashdotters use Internet Explorer for anything other than the occasional WindowsUpdate in XP? This may be News for Nerds, but it hardly matters. Everyone here knows very well that Internet Explorer is too dangerous for general Web use. That Microsoft is suffering yet another security failure doesn't really elicit much interest from me, I must say.
Weeellllll, that's the stereotype, sure, but the on-the-ground reality paints a different picture.
Surely you've noticed that Firefox 3.6 is up to its 13th point release since January,and #14 is just around the corner. The first Secunia security advisory for this browser was issued within weeks of its initial release, and there now have been 11 in total, covering 85 separate vulnerabilities in Firefox 3.6. Look at SA42517 for an example, which was published two weeks ago. In that one advistory alone, 13 different security bugs are addressed, covering a wide variety of attack vectors like large Javascript arrays and large parameters to document.write(). And when you look at the fixes made in source control to patch these bugs, you sometimes scratch your head and wonder, how the fuck did they miss that when coding it?
But the problem with Firefox is worse than that. On Windows and Mac OS X, users are prompted over and over again to install these point updates. It requires elevation to Administrator privileges, and it requires restarting the browser. I see people routinely ignoring these updates because it'd interrupt what they're doing..... and the web server logs I have access to are a mishmash of Firefox browser versions.
This is a browser with 25% of the worldwide marketshare -- more than any version of Internet Explorer save for version 8.
So.... how about Google Chrome, you say? Their patching setup is far superior (that's why I use it), but it's not like the browser is any better-written. Just this month there have already been eighteen disclosed security vulnerabilities. And that's only slightly worse than average for a month in Chrome land. There are actually a number of Google Chrome bugs which are marked as only affecting the Linux version, too. Look at CVE-2010-4041 for an example of what I mean.
What I'm trying to say here is this -- Internet Explorer's security profile isn't significantly different than the other major vendors. They all have poorly-coded browsers that focused on packing the features in, without taking due consideration to the safety of the code they're writing. If you want to single out Microsoft for criticism, let's talk about the fact that they take so long to get these fixes out, and that reboots are often required to get the patches in place. That's where Firefox and especially Chrome are ahead.
Re: (Score:2)
Speaking of Firefox security. Firefox has a ways to go in regards to the issue of unwanted pop-unders.
When visiting a website, even at the highest security settings, can [u]open another window unsolicited[/u], that's a security flaw.
Ron
Re: (Score:2)
Fine, let's not allow pop-unders, but can we leave in the ability to move windows to the front?
Re: (Score:3)
If its not being utilized yet, and the first notice came from MS, it is in no way a 0 day.
The vulnerabilities (there are two by the way) were first disclosed by WooYun.org although metasploit did not add modules until after MS's advisory. I don't know f it was exploited before it became public or not.
Re: (Score:3)
Zero day refers to how much time an administrator has to patch his systems before an exploit is known. Since this is still not patched, it is indeed a zero day exploit, although if the exploit is as yet unused it is not a zero day attack.
Re: (Score:2)
4. Super smart victim buys super good anti-virus updates with credit card.
5. Attacker make money, victim get protected. Everybodies win.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
But what kind of remote code do they execute, is it some kind of program already installed ?
Do they make you download some program and execute it silently?
The latter. A remote code execution exploit is one that can download some program and execute it without your knowledge or permission.
Does all these only works when victim has (good)firewall installed?
A good antivirus should prevent most stuff like this from getting its claws dug in. A firewall... maybe, maybe not.
Re: (Score:1)
4. Profit?
Re: (Score:1)
from the CVE:
Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 7 and 8 and possibly other products, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via multiple @import calls in a crafted document.
Lols, use after free in C++, the best language to shoot yourself in the foot with once again.
Re: (Score:2)
It seems that the vulnerability in this case is unguarded recursion - something that can be written just as nicely in plain old C.
Re: (Score:1)
If you actually read the advisory, you would see that the default configurations of every new Windows OS released since 2003 have mitigated the vulnerability, making it either unexploitable, or useless to the exploiter (due to signicantly lower user rights of the exploited code).
So it only affects idiots who turn off UAC, or who are still running XP.
Yet time after time we hear from the peanut gallery that UAC is useless, that protected mode is pointless, that it's just security theater. Funny how every tim
Re: (Score:3)
I thought that zero day means that somebody uses it in a attack and it appears that it hasn't been known before the said attack. Public Disclosure automatically disqualifies it as zero-day.
Zero-day generally indicates that the attack is in-use (by bad guys) at the time that it becomes known by the vendor and/or the public (e.g., zero days for anyone to take steps to mitigate the damage). This is as opposed to a vulnerability that is only known to the public after it has been addressed by the software maintainer. "Zero-day" can also mean an attack that is still viable at the time of disclosure, though there is less significance in the specific choice of term.
Re: (Score:2)
Exactly what I thought...
Re: (Score:1)
I'll endeavor to work better/worse humor into future submissions.
*Note to self: Must work harder on pleasing all of the people all of the time*
Re: (Score:1)
>>>you are a troll
You sound like a 10 year old, except he usually says "you are a liar" or "you are an idiot" or "you are a dick" or some other insult. Point: It's still not acceptable to be going 'round name calling regardless of your age or justification.