Slashdot Mirror


Controversy Surrounds Huge IE Hole

Suchetha wrote in with a Wired News bit talking about a security hole in IE that allows malicious web pages to reformat a hard drive. The Wired talks more about bugtrack's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?

41 of 740 comments

  1. holy crap by Protege108th · · Score: 2, Funny

    that's freakin craziness.....hmmm where's that mozilla download site again...

  2. The Wired, huh? by Millennium · · Score: 5, Funny

    The Wired talks more about bugtrack's handling of the whole thing...

    Dude; since when did Lain start writing technical articles?

  3. Thanks by DigitalDragon · · Score: 4, Funny

    Thanks for not posting a link to that page.

    --
    http://dtum.livejournal.com
  4. well.. by Sacarino · · Score: 3, Funny

    What may be MORE irresponsible is /. posting a link to Wired posting a link to the exploit for all the l33t script kiddies here.

    No, wait... there's no script kiddies here. Only hax0rz with K-rad XP boxen.

    --
    -- El Sacarino tiene gusto de la chocha
  5. A link to a working exploit by Anonymous Coward · · Score: 0, Funny
  6. If you think that is an annoying bug, try this: by viper21 · · Score: 2, Funny

    http://www.onid.orst.edu/~boyechky/open.html

    I would rather have my hard drive formatted. -S

  7. huge hole... by mr_gerbik · · Score: 0, Funny

    The only huge hole I've seen in IE is at goatse.cx...

    -gerbik

  8. Re:Yes!!! by AresTheImpaler · · Score: 5, Funny
    It might be my sadistic side, but I prefer for working exploits to be posted by the security sites... It gives you a way of checking to see if you are vulnerable. In the case of M$ bugs, it also puts more pressure on the company to come up with a fix for the problem quickly.

    Right in the point man. Now, I'm running the code right now to see if im vulne

  9. This Linux's big chance! by jvmatthe · · Score: 5, Funny
    "Showing people how to automatically format hard disks from a Web page isn't 'full disclosure,'" Smith said. "It is malicious code writing."

    Now all we need is a way to embed an ISO image of a Linux system into the web page and use the same exploit to install an alternative operating system. Just think of the banner ads! "Click here to Install Linux!" and "Get That Windows Monkey Off Your Back! Hit the Monkey to Try!" and "Eliminate Windows Instabilities Forever. Click Now!". Then it won't be malicious. It'll be setting all those people FREE! ;^D
    1. Re:This Linux's big chance! by driftwood · · Score: 3, Funny

      Now all we need is a way to embed an ISO image of a Linux system into the web page and use the same exploit to install an alternative operating system. Just think of the banner ads! "Click here to Install Linux!" and "Get That Windows Monkey Off Your Back! Hit the Monkey to Try!" and "Eliminate Windows Instabilities Forever. Click Now!". Then it won't be malicious. It'll be setting all those people FREE! ;^D

      You look around, what do you see? Businessmen, teachers, lawyers, carpenters. The very minds of the people we are trying to save. But until we do, these people are still a part of that system and that makes them our enemy. You have to understand, most of these people are not ready to be unplugged. And many of them are so inert, so hopelessly dependent on the system, that they will fight to protect it.

      Apologies to the Wachowski brothers.

      --
      Where are we going? And why am I in this handbasket?
  10. Where's the Mac version of the exploit? by toupsie · · Score: 5, Funny

    I just tried using the exploit code on my Mac OS X box running Internet Explorer and it didn't work. My hard disk was not formatted. I am disappointed. Why is Microsoft treating Mac users different than Windows users? It's not often that Mac OS X users get to use those nice 'Recovery CDs' that get shipped with Macs. We pay top dollar for our computers, we might as well get to use everything that comes with them. Thanks a lot Microsoft! Just for leaving me out, I'm switching to Mozilla where all the security problems and bugs are cross platform!

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
    1. Re:Where's the Mac version of the exploit? by BlackBolt · · Score: 2, Funny

      I agree. Microsoft often ships their Mac versions with far less features. I mean, Microsoft is known for having lots of features in their products, but they seem unable or unwilling to share all of these features with Mac users. I guess the best features are Windows only. :-(

      I did manage to format my Virtual PC drive after some work, but I still feel like a second-class citizen. Bah. People always say there are more fun games on Windows, and it's true - I haven't had a chance to reformat once, and that Virex thing is a waste of money. On Windows, my antivirus was like a Tamagotchi, always pestering me and needing to be taken care of. With a Mac, it just sits there like it's in a coma.

      I used to love my weekly Win98 formats. I got so darn good at them.

      BlackBolt

    2. Re:Where's the Mac version of the exploit? by toupsie · · Score: 4, Funny
      and that Virex thing is a waste of money.

      I thought it was a waste of money until I scanned all the M$ Office documents sent to me by Windows users. About 60% had macro viruses on them. Of course, I never noticed before and it never affected my system, but it was nice to clean out the 'Windows Cooties' from my Mac.

      --
      Strange women lying in ponds distributing swords is no basis for a system of government.
  11. If you use windows, post your IP address here. by teamhasnoi · · Score: 3, Funny

    I...uh...want to see if they are...are as numerically diverse as mine! Yeah..that's it!

    1. Re:If you use windows, post your IP address here. by nzhavok · · Score: 3, Funny
      --

      He who defends everything, defends nothing. -- Fredrick The Great
  12. nastiness by Ainu · · Score: 2, Funny

    Let's see.. this exploit combined with a bind exploit equals a huge number of "windows updates".

  13. Re:Irresponsible? by ahaning · · Score: 5, Funny

    ssh into your box, su to root, then fsck your harddrive

    I wouldn't be so pissed as long as the attacker did this often. It's such a hassle to wait for my system to do a monthly e2fsck when the partitions have reached their maximal mount count.

    --
    Withdrawal before climax is very ineffective and those who try this are usually called "parents."
  14. Another Link by sdjunky · · Score: 5, Funny

    Here's some more info... click this link it's ok.. you can trust it... go on.. you know you want to.

    Nothing to fear. Just a link.

    1. Re:Another Link by _ph1ux_ · · Score: 4, Funny

      send this to people with the subject:

      Want to take a break? Click here - and see how you can have a much deserved break from work right now!

  15. malicious spam! by dethl · · Score: 2, Funny

    Screw viruses..this is perfect...send your victim an email with a link to your exploited page, and boom! And to think this is all possible thanks to M$!
    New M$ motto: we fuck up so you have to!

    --
    "Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
  16. What luck! by Alizarin+Erythrosin · · Score: 4, Funny

    Microsoft is sending some of their people here tonight to give a talk about how cool they are and how fun it would be to work for them (recruitment meeting). I think I'll mention this exploit to them and see what their response is.

    The joke they always make is "For those of you who want to work in software testing... Yes, we do test our products (wait for laugh)"

    --
    There are only 10 kinds of people in this world... those who understand binary and those who don't
  17. Re:Yes!!! by GenericJoe · · Score: 5, Funny

    Yeah, but now you *aren't*

    It's a self-fixing exploit!

  18. New distributed client built in to Windows! by teamhasnoi · · Score: 4, Funny
    Microsoft(TM) Press Release 11-19-02

    Microsoft(TM) intrudes^w introduces an incredible new PR nightmare^w^w way to work(TM)!

    Trojaned@Home(TM) - work on any problem you want(TM)! Set millions of CPUs working at a moment's notice(TM)! Every copy of Windows(TM) has this glaring security hole(TM)^w^w^w feature(TM) built in!

    Trojaned@Home(TM) is super fast, due to Microsoft(TM)'s secret Code Hider^w Layering(TM) technology, which ensures that it's always on(TM), and ready to work for you(TM)!

    See the power of the internet(TM) multiplied by millions(TM) of smart Windows(TM) users today!

    Use Trojaned@Home(TM)!

    Ha! You already are(TM)!

  19. Disappointing WINE performance by sonra · · Score: 5, Funny

    Found the code, made a web page and verified the exploit with ie5 win200...
    Tried it on WINE using CrossOver Office.
    and was very disappointed to find that WINE once again did not live up to its goal of being bug for bug compatible with windows.

    All I got was HTML help and a script error. No files written to my "C:" and no exploit.

    *sigh* Guess WINE still needs some work.

  20. Patch by arestivo · · Score: 3, Funny

    You can get a patch here.

  21. Re:BAD BAD BAD! Why? Now the script kiddies have i by adb · · Score: 5, Funny

    Right, because script kiddies don't hang out on IRC and get this stuff before Bugtraq. Also, the sky is not blue and there is no porn on the internet.

  22. Of course it's responsible. by Anonymous Coward · · Score: 2, Funny

    People who use IE obviously *like* living dangerously. If they didn't, they wouldn't be using IE, would they?

    Oh, wait, you think that they don't *know*? Pshaw! They're like the people who choose to drive SUVs like a sports-car -- they may _say_ that they don't know, but either they do, and are lying, or they don't, and are stupid. Either way, the responsibility lies with the user.

    There are enough people out there pointing out that IE and Outlook are broke and dangerous that there's no reasonable way anyone can think that they aren't. Except if they put their fingers in their ears and go "LalalalalaIamnotlisteninglalalalala" whenever the subject comes up.

    The IE users who get hit by this exploit should suck it up and take responsibility for their risky actions. And have a good backup system in place, of course.

  23. Re:Shooting the messenger .. by xrayspx · · Score: 5, Funny

    Go ahead, shoot Messenger. It's had its fair share of bugs too...

    Whoopsie
    Daisy

  24. Hello footpad! by Chris+Pimlott · · Score: 3, Funny

    Under the rug there's a trapdoor leading to the apartment below me.

    Give up, it's hopeless. Believe me, I tried. Even if you board up all the doors, someone'll still find a way to sneak in through the kitchen window you left ajar and clean out all the treasures in your trophy case. You just can't win.

  25. Re:Irresponsible? by jdreed1024 · · Score: 3, Funny
    If Linux had an exploit that allowed someone to ssh into your box, su to root, then fsck your harddrive ...

    Are you kidding? If someone wants to fsck my drive for me, that's fine with me. It'll cut down on my boot time.

    --
    There is no sig, there is only Zuul.
  26. Re:Active content... by Jucius+Maximus · · Score: 4, Funny
    "How about encouraging users to use browsers that don't suck [mozilla.org]?"

    Sometimes encouragement is not necessary. I installed mozilla on my sister's machine, changed the IE link on the desktop to link to mozilla (but still with the blue 'e' icon) and installed an IE-lookalike skin on mozilla and she hasn't noticed the difference yet. (It's been about a month now.)

  27. Re:No!!! by Anonymous Coward · · Score: 1, Funny

    Only on /. would somebody say that a widespread exploit that deletes millions of people's files is a "very good thing".

    Wake up you retard.

  28. Thanks for the Help Microsoft! by litewoheat · · Score: 5, Funny

    So I figured that I could avoid this by just deleting the key in my registry for IE help so that the OCX would never load and the exploit wouldn't work. I did that and it solved the problem! But wait... Windows is now trying to "help" me by putting that registry key back the way it was! Thank you so much Windows for saving me from myself and reopening the door to my harddrive. What would I do without you?

  29. Re:Yes!!! by lowe0 · · Score: 2, Funny

    If it wasn't funny, then why did I laugh?

  30. Malicious? by njdj · · Score: 4, Funny

    security hole in IE that allows malicious web pages to reformat a hard drive

    Surely there's a typo here. If I discover that the computer I'm working on has Windows installed, you're saying that all I need to do to reformat the hard drive is click on one of these web sites?

  31. Re:Of course it was irresponsible by Pyrometer · · Score: 5, Funny
    What's a worse situation? A bug that goes completely unnoticed by the general population, but is quietly exploited for months by hackers that have done their homework....or...maybe a few more script kiddies find out about it but now Joe Public is WELL aware of it, due in no small part to the discussions that happen on boards like this.

    Riiighhhhtttttt ... so "Joe Public" is reading /. and Wired now is he(/she)? :)

  32. Re:Of course it was irresponsible by CableModemSniper · · Score: 2, Funny

    Yes, right after I emailed him and told him to. Computer geeks, defend your computer-illiterate friends! Save them from themselves! :)

    --
    Why not fork?
  33. What's next? by Rai · · Score: 2, Funny

    IE bugs can format a hdd now. What's next? A bug that will literally kill you in your chair.

    Actually, that might make msgboard moderation a lot easier. Die, troll! :)

  34. Hmmm... not a problem at all.. by IdleTime · · Score: 2, Funny

    First of all, stay away from MS products.. Check!

    Second, don't visit unknown links... Check!

    Third, Disable pop-ups, block what can be blocked in the browser. Check!

    Fourth, upgrade your OS with the latest patches and fixes, (Gentoo here, emerge -u world)... Check!

    Fifth, implement a nazi firewall... Check!

    Looks good so far, have never had an attack or lost data due to a security hole. I can sleep in peace.

    --
    If you mod me down, I *will* introduce you to my sister!
  35. new bug found: Humans vulnerable to bullets by Cynikal · · Score: 2, Funny

    now let's give everyone working guns so we can force someone to come out with a fix for this exploit

  36. Re:Of course it was irresponsible by Anonymous Coward · · Score: 5, Funny

    You will have a hard time proving this, because all of your data would be gone...