Slashdot Mirror
New IE Holes Discovered
joelt49 writes "Yahoo! News is reporting that 7 new security holes for Internet Explorer have been discovered by a Chinese researcher; however, there apparantly aren't any attacks on IE yet." The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.
Yep, not ideal. But it'll be interesting to see whether MS's claims of having a faster response time to security incidents that the Linux community stands up. Will they have a patch available withing the next day or so? You can guarantee that the Mozilla or Konqueror communities would have in the same circumstances...
"The invisible and the non-existent look very much alike." -- Delos B. McKown
I don't blame this guy for not going to Microsoft first. Given thier track record, more than likely, they would have ignored him until someone publicly announced the problems.
P.S. Is it news anymore that IE has holes?
Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.
If OSS people can fix the bugs in less than half a day, it should be a piece of cake for a giant software company with lots of programmers to do the same. Sure, a days warning would have been nice, but if there isn't a fix by tonight, it only shows badly on Microsoft.
He who laughs last is stuck in a time dilation bubble.
A spokesman was quoted as saying, "It's the only way we can release a product with more holes than IE".
It is unconfirmed if StringVest will be integrated into Windows XP SP2 or if we will have to wait until LongHorn is released.
...from IE. I tell people about the built-in pop-up blocker, and the adaptive spam filter in Mozilla. I also tell people about the nice long list of IE vulnerablities like the ones in this article, I've gotten quite a few to switch away from IE, to either Mozilla, Mozilla Firebird, or Opera. It's all about using the big words when you persuade them to switch.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Believe me, in these days that is the only way to report bugs AND making sure they'll get fixed.
Dream world scenario:
1) Report bug to company
2) Company will announce the bug to the public
3) Company will fix the bug as soon as possible
Real World scenario 1:
1) Report bug to company
2) They don't report it to the public and they don't fix it
3) You report it to the public
4) Company sues you for IP violation or any other shit they can pull out of their asses
Real World scenario 2:
1) Report it to the public (anonymously).
2) Company will fix it
Seriously - AS SOON AS THERE IS A VULNERABILITY, I, as a sysadmin, want to know about it. I don't give a flying fuck about Microsoft's reputation, or whether "vendors need time to patch the hole" - while there is a known hole, I DON'T WANT MY FUCKING SYSTEM ONLINE. If a nice guy can discover it, the bad guys probably already have.
The "give us time to fix the hole/do a P.R. coverup" fiasco is WHY I DON'T USE MICROSOFT SOFTWARE ANYMORE.
Russ Cooper made some good points.
I think MS has the responsibility to address their customers concerns immediatelly (naive, I know), especially IE's overly close integration with the OS which causes most of these exploits.
Wearing pants should always be optional.
I just downloaded the latest IE patches this morning and now IE wouldnt even start....its doing nothing. Time to move my bookmarks to the firebird....tonight.
the millions of people who are forced to use Microsoft products
I'm not forced to use Windows - I use it by choice. So does everyone else I know who uses Windows. As you may know, there is a viable alternative to Windows: OS X.
Oh wait, actually at my last job I was forced to use Windows. When the company purchased a new computer for me (I'm a software developer) I requested an Apple but was turned down. They didn't want to spend the money and didn't want to deal with integration on the network. I doubt the number of people being "forced" to use Windows numbers in the millions though. Besides, there was a benefit to the Windows box that the company certainly never intended - a wider variety of LAN games to play head-to-head against my office mate.
i installed fedora core 1 on her machine on thanksgiving... everything's been great, and her p4 1.8ghz is actually behaving like a machine with that sort of speed, not the slow as poo windows she had before... she was nervous at first, but all her banking/mail stuff works just fine under mozilla.
maybe it's stuff like this that we need, and more people should get their families exposed to it...
momentum, people, momentum.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Thats because Microsoft's past record is to ignore people who have contacted them privately regarding security issues, or take legal action against them.
If you really wanted something fixed by MS, and the last 15 times you'd contacted them they'd ignored you, but you've seen someone else release information into the wild and get MS's attention re: a fix within hours... WWYD?
I can understand the desire for such vulnerabilities to be fixed before going public, but Microsoft has been known to sweep exploits under the rug for as many as twelve years. Exploits are a common fact of life with Microsoft products, and its better that this exploit was released to all as an explanation than as a virus/worm.
You can't judge a book by the way it wears its hair.
On Windows XP.. stock up to date installation... these remote EXE exploits he posted don't seem to do anything.
I like this release.
Disable Active Scripting and find an alternative to IE ("use another product"). Not very realistic unfortunately, when companies have invested so much in integrating (and accepting) some of the flawed functionality in IE.
I do find that people are starting to be a lot more receptive towards MS-alternatives, especially when the mass media is now jumping on the bandwagon as well. Now techies find themselves explaining their choice of MS over and over again, to hype-induced managers.
Wearing pants should always be optional.
WE could have found out about it when our sytems started acting up.
I can understand complaining about being forced to use Windows. However, no one is "forced" to use Internet Explorer, even on Windows---Mozilla is a better alternative in Windows.
Most of my family and co-workers use Mozilla, and they haven't looked back.
This is not like Windows-Linux, where there is a steep learning curve.
Mozilla (or Phoenix) is a slick alternative with an almost zero learning curve to pick up the same level as IE. It also takes almost no time to learn features _that aren't in IE anyway_ that help you see the internet in a much more useful way (ad blocking etc).
No one is forced to use IE with very few exceptions:
People who have it mandated at work, but that's work's problem not yours - they could change too.
People on dialup who have a very slow net connection - but they probably have it on a dial up CD.
People who use it's integrated rendering engine for OE/HTML email - but you can change that easily too.
People who _must_ access IE only websites - but there are very few of these any more, and you can always use IE just for these to lower your exposure.
Microsoft Zelots who refuse to believe that Free software can be any good - but they deserve everything they get.
Beep beep.
While my firm is a strong supporter of full disclosure, this is rather over the top.
What makes it worse is the timing, over a holiday weekend (States side), where most systems staff will be unable to apply patches or mitigate risks.
Now this is an Internet Explorer exploit, hence, few people using IE at work over the weekend. It still provides 48 hours for a few unsavory individuals to develop exploits for Monday morning.
We need to exercise better judgement when dealing with vendors and security issues, this isn't the first time things like this have happened, and won't be the last.
Perhaps we should consider spending more effort creating a Security Researchers Organization as has been discussed on BugTraq .
Until we have a strong unified organization I believe we will continue to see unresponsive vendors and poorly timed vulnerability releases.
hey folks, this was posted to bugtraq some two months ago.
Microsoft has claimed time and again that their response times to security alerts are sterling, as opposed to the "slow" response times for OSS. They make these claims without telling consumers that they have known about the exploit for months and are publicly releasing knowledge right before they release the fix.
This is a case of people letting Microsoft's boastful ways catch up to it. If they are as fast as they have claimed, time and again, there won't be a problem for those people who are diligent in patching.
Additionally with the advent of companies using the DMCA to try and stifle this behavior, it is more important than ever to engage in it and further show the flaws with this absolutely off the wall piece of legislation. See this article.
"Give away the stone, let the oceans take and transmutate this cold and faded anchor." - Maynard James Keenan
"I'd like to know who the editor thinks are "forcing" people to use Microsoft products."
People at work who have to use Windows because it's work mandated.
Their's millions of those type of people...
Jason Lotito
"Using Microsoft products is not genetics or how we were raised. It's a choice and we're damn proud of it."
Actually, it wasn't a choice. MS had a monopoly, and therefore, you really had no choice.
Jason Lotito
it wouldn't have been 'a known hole', but to the Microsoft developers
Prove it. Anything that can be found by a white/gray hat can be found or was already found by a black hat.
What irks me is that MS did not discover these themselves. After all, the closed source, security by obscurity, we can do it all ourselves model of software development is so superior, that we can only draw one of two conclusions. Either their superior technicians found the problems already, but the management decided not to put in the resources to fix it, or their superior technicians did not find the bug, in which case they need to not only fix the problem, but understand why their process so routinely fails.
This is not an issue of hating MS, any more than the other recent alert was an issue of hating Apple. It is an issue of knowing there is a problem out there, but having no power in the official process to correct the problem. The only power the might be had is that of public relations. This is very different from OSS, in which one can potentially affect the development process and at least see that something is being done.
This whole issue of course assumes that dozens of other people have not already found the bug and are exploiting it on small scales not easily detectible by the common methods. And of course does not take into account the ability for people to switch browsers. Just imagine how many lives would have been saved if people had been fully aware of the incompetent design of the Explorer and bought other cars instead.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Although in a perfect world, we would have companies auditing their own code and finding exploits in their own products, the fact remains that unless there is a perverable rocket aimed at their behind, nothing will be done.
The fact remains that we have an organisation here with over 40,000 employees, over $40billion dollars in cash and yet, they're making *really* stupid mistakes. I am sure most people could cut Microsoft some slack if they were a small business OR that these incidents were as rare as hens teeth, however, when it becomes "have you applied the daily patch", people lose their cool.
The unfortunate thing, however, is due to Microsofts huge marketing muscle, this approach by "exploit finders" doesn't work. Microsoft instead of taking on board the information and applogising, instead they spin the story as to make out that the person who finds the exploit is somehow linked to a grand anti-Microsoft conspiracy, and god forbid, call them a "terrorist" for "exposing" the unwashed masses to "harm".
"The difference between pornography and erotica is the lighting" - Woody Allen
What makes you think all Chinese are communists? That's like saying all Germans were Nazis during WWII, which is very very far from the truth. The problem in totalitarian regimes is that you're not allowed to say anything substantial against the government... but it's not illegal to think it (well, not yet anyway).
Side one - Internet Explorer badly coded, so there's lots of vulnerabilities.
Side two - Since Internet Explorer is used so widely, there's a lot more people looking for problems with it, and the ratio of bugs found to the number of users is moderatley comparable to any other browser.
An interesting study would be a comparison between the number and kinds (garbled text to root exploit) of bugs known for each browser (what's the cut-off point? any bug from the first alpha version to the "final" version? Or just for the current revision?) versus the number of approximate users.
Huh. From R'ing TFA, it seems there is an exploit using five new security holes disclosed on 11/25/03, not the seven originally reported on 9/11/03.
Not true, Microsoft makes it very difficult to use anything but Microsoft junk. The first level of anoyance is a barage of scary warning messages about "signed code". Then there are constant anoyance messages which require confirmation and include the option you don't want. In time, you will push the wrong button. Finally, Microsoft breaks other programs on their platform. My little brother uses XP and keeps it "up to date" by accepting whatever M$ pushes at him. It broke Mozilla. I consider that a force.
The only way to avoid all of that harassment and the insecurity that it creates is to leave M$ completely. If you still think it takes a lot of effort, you need to play with Knoppix. The only trouble you might have is with winmodems and other nastier hardware which does not work well under windblows either. It's easier for indiviuals to install and way easy for technicians. It's good for individual users and far superior for business.
There's probably someone near you who will do an install for less than the Windblows install going rate. Just google your town name with "free software", Linux and other likely terms. Hungry geeks, such as myself, will happily come to your house for $40 and set you up. Businesses will pay by the hour but save hundreds per machine and employee every year.
Friends don't help friends install M$ junk.
"The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list."
There is no requirement to notify Microsoft, nor should there be. I want to know about this kind of stuff as soon as possible. In my opinion, it is not for Microsoft to determine when I know that my computer has a security problem.
Besides, this kind of thing should show if Microsoft's boasting about response time to security vulnerabilities is the truth or just plain old anti-open source FUD.
Isn't this a term used for having to deal with the issues related to choices made? Why should anybody expect others let Microsoft sugar coat the mess they released on the world? Those who use MS products must pay the price of such a choice. Those who consider they have no choice because IT gives them no choice have to play on the theadmill Microsoft and their IT departments put them on and should make their IT staff fix the problem. IMHO.
When will Microsoft go to court for all of this crap? Can you imagine purchasing a new car and seeing a note on the seat. You open the door of your new car and read the note. It says that the auto maker has no responsibility to how the car works or if it will work.... The auto makers can't pull the kind of EUL that Microsoft gets away with. Yet no lawsuits. What gives?
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
It's more like a blue screen of death after innumerable pop-up anoyances. Oh, the thrill of crap that does not work. Wooot. If that turns you on, you must be on Bill Gate's payroll. I prefer to get things done.
Friends don't help friends install M$ junk.
I don't understand the "forced to use Microsoft products" part.
Even when you need to work on Windows, why should you be _forced_ to use Internet Exploder?
Mozilla is the first thing I always install on Windows.
There are organizations where people are indeed forced to use a fixed set of software. In this case, if there's a security hole, the responsability belongs to the sysadmin who forced people to use broken and out of date software.
{{.sig}}
It's bad that enough nerdy Microsoft Windows users must endure the incessant rudeness of Linux users to get their 'news that matters' on Slashdot. But for CowBoy Neal to permit a discussion topic that implies we are slaves to Microsoft is just plain offensive. Did you ever once consider we might feel liberated to use Microsoft products? It's like looking out into the ocean, seeing a swarm of sharks feeding in the surf, and then choosing to paddle out to ride the waves. It's an adrenaline rush.
Why do you come here then? There are other places where you can get your tech news you know. Slashdot has a rather vicious anti-Windows slant to it, and doesn't apologize for it. If that bothers you, go elsewhere. Personally, I love it here for the exact same reason you hate it. I'm surrounded by idiotic Microsoft apologists in real life, so this is one place I can be comfortable.
"Backups are for wimps. Real men upload their data to an FTP site and have everyone else mirror it." -- Linus Torvalds
I wrote this above and I"ll post it again, using an alternate browser does not always protect you from IE holes. I cannot comment on these new holes because I'm not sure how they work, but some previous IE holes left the computer vulnerable whether or not you actually used IE at all! An unfortunate consequence of the browser integration with the OS.
So the fact that I'm using Mozilla on Win 98 right now, doe not mean I'm guarenteed immunity from these new holes.
These big companies have their mouth full of punishing people that tell they found holes in applications.
Also I find that MS is so bold and arrogant to ask money for everything and tells others to stop doing things for nothing...
Let them pay for the info on security problems...
No payment, no bug reports, period.
They can take care of themselfs? ok let them solve their own problems...
MS Windows and IE are insecure and full of bugs. They will compromise your security. I suggest you stop using them now. ;)
It is a *new* security exploit, based on several new security holes that Li Die Yu found. Given Microsoft's history of rapid responses, I guess one could be forgiven for not even attempting a notification. Has anyone seen a patch from Microsoft yet? ;)
Oh, and the way to avoid potential future exploits, disable scripting within the Internet zone... (or use another browser!)
What I'm wondering is why the poster of this story didn't do a tad more research before posting. As of yesterday, an exploit for these security holes has been available.
Exploit code, anyone? A simple google search or a Bugtraq archive browse should do it.
so if they want us to let them know about problems then they should pay us for the information.
If they want us to test their stuff then they should pay us to do it; rather than charging us for the privelege of testing their stuff.
Codifex Maximus ~ In search of... a shorter sig.
These security problems were publically known in September.
What was released recently was sample exploit code.
If you are a Microsoft spokesman then, of course, you have to say that, "Hey, if we don't have a fix then it must mean we didn't know about it." So it's not even lying to say that you weren't told. It's the only logical thing.
The spokesman was not aware that Microsoft had released unmarked patches for some of the problems.
2. What amazing encouragement
Somebody get this guy off the stage.
Undoubtedly, you would look upon the history of the last few years, where virtually all attacks (manual and automated in virus/worm code) have exploited known bugs for which patches had been available for weeks or months, and say "that's not PROOF".
And in a mathematical sense, that would indeed not be "proof".
The best anyone can offer you is a "preponderance of the evidence", which might even be "beyond a reasonable doubt" that virtually all sucessful attacks have exploited known vulnerabilities for which the vendor had already created and published a patch.
If you can accept this rather obvious observation, and you can believe that the trend will continue, then it is a very small logical step to conclude that it is overwhelmingly in everyone's best interest for vendors to have a reasonable opportunity to create and publish patches before details of new vulnerabilities are publically announced.
But there is no proof, only a well established trend. So you, supposedly a system administrator, would rather see immediate public disclosure. I'm sure that will appeal to your emotional well being... not being kept in the dark. It will also mean, that as a system administrator, you will need to make temporary workarounds (which often times means shutting off the affected service), while you then wait, with a greatly increased probability of attack attempts. But it will appeal to you emotionally, making you feel better that the vendor got their "feet held to the fire". That ought to make up for the extra time you'll spend implementing the workaround and interfacing with all your users and managers and explaining to them why a service they depend upon (and consider your job to keep operational) is not available temporarily.
PJRC: Electronic Projects, 8051 Microcontroller Tools
Whos forced to use IE. Last time i checked
I can use whatever browser I want and when someone
or some website tries to force me from using
their product because i'm not using IE i can
always work around it. So, why is it everyone
always believes they are forced to use IE. Its
a shitty browser simple solution stop using it.
move on and be happy.
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Guess you would've preferred that he either:
a) keep it to himself and use it to root your box
b) tell M$ about it, who will as usual drag it out for a few months before even acknowledging that he found a problem.
If you were reading any of the security mailing lists, you'd know that the general experience researchers have with M$ is that it's a big waste of your unpaid time to contact them.
Frankly, if they neither pay you nor treat you with some courtesy, then why exactly should you bother?
Assorted stuff I do sometimes: Lemuria.org
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
Truth. But here's the problem. Microsoft's reputation for responsiveness (that is, not!) and collegiality (that is, not!) in these situations is awful. Nor does Microsoft treat those who report such problems with any degree of warmth. Having established its Chinese wall as it has, Microsoft has lost its standing to whine about non-collegiality of the world it has created.
This is the entire point about open systems, or at least openness about security -- it leverages what happens out there. Frankly, I feel more secure knowing what are the leaks, whether they are addressed or not, than I do knowing there are secret leaks out there for someone to exploit without my knowledge.
If Microsoft had a reputation: (i) for assuring that a report of a leak would be responsibly handled and escalated promptly and without agonizing pain on the part of the reporter -- who is doing Microsoft a favor; and (ii) for responsibly, promptly and professionally addressing the problem, I would feel much more sympathetic.
The problem is that they don't. Maybe they will change as they said they would. But until they do, I'd rather hear the news in time to know for what I have to watch out than to have it buried while others who have discovered the leak exploit it.
Here's the thing, it is highly unlikely that any leak that is discovered by me was discovered only by me. Others, less responsible than I, will disover a leak, find the exploit, and either keep it in their "bag of tricks," trade it or what have you. In any case, if I find it, the exploit is likely out there in someone else's hands. I'd rather know the problem than wait for the solution.
Yes, the kiddies are more likely to play if it is readily "out there." But guys, that happens anyway, one way or the other. Beside, Microsoft seems far more responsive to public leaks than private ones -- maybe this kind of report is more likely to assure that the bug will be repaired than otherwise.
And you spend much less time on hold . . .
So you do admit that Windows users are not free in their choice?!
Hell is not other people; it is yourself. - Ludwig Wittgenstein
If you take all your services offline every time a vulnerability is disclosed, isn't that doing the cracker's job for them?
I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
Programmer 1: "Hey, guys, we've really got to do something about the security problems we've been having with IE lately. Any ideas?"
Programmer 2: "I've got an idea! My CS prof used to joke that you could solve any problem by adding one more layer of abstraction. In this case, it's true. Imagine how totally cool it would be if IE was just a regular application. Right now we've got it tangled up in the OS, but if you think about it, there's really no good reason for that. I mean, why does IE need special priviledges just to load files and render some HTML? If we pull it out of the OS, it'll still work fine, and it'll just naturally be subject to all the OS-level protection mechanisms we've got."
Programmer 1: "What?! You're talking madness, man! Are you saying that we should subject one of our own applications to the same forces we use to prevent third parties from gaining too much market share? Egads, that's brilliant! I'll bet we can even patent that..."
Programmer 3: "Guys, the idea certainly sounds cool, but it won't work. Bill said it's impossible. Don't you remember that Netscape trial thing? I know we're not supposed to ever talk about it, but he said it was impossible during his taped deposition. If Bill says it's impossible..."
Programmer 2: "...then it must be impossible. You're right."
Porgrammer 1: "Damn, you're right. Seemed like such a good idea."
Really! There's been like a thousand holes in IE over the years, they keep coming with no slowing down or eevn trending towards end in sight.
Those stupid enough to continue using that piece of garbage or any other microsoft software for "secure" applications, are getting it up the ass exactly like they asked for. The only people I see with desktops infested with bonzo and popups and spyware are retarded IE sheep anyway. The comments from the poster of the article just make me laugh. Security from obscurity isn't! The more exploits the better, the sooner people will be forced to switch.
Go open source, go with glass box solutions.
There's absolutely no reason to continue using IE, it's not as if you have to visit the few websites refusing service to other browsers. Refusal of service to other browsers only indicates incompetence - who'd make business with such a company anyway?
.... then it's not a bug, it's a poor design failure...
Which, to the end user, is the exact same thing.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
The part about this story that gets to me is that a single person finds 7 (!) holes/exploits by himself. Makes one wonder just how many things are left open simply because no one has looked at them yet. Scary.
While I agree with what most folks are saying about the security researcher not following proper exploit discovery etiquette, keep in mind (and this is not flamebait),
He *is* from China, the country who is so frustrated by Microsoft that it's making its own, full-scale flavor of Linux. The country who may see most of the Western, MS-using world as a competitor. A country so big yet secretive that security practices may be subtly different over there.
Disappointed? Sure, you can be disappointed in how this went down. Though it may be an apple judging an orange.
Surprised? I don't think you have the right to be surprised.
RD
In the company where I work (a large bank, 40000 work places) the latest IE security patch caused grave problems with (client certificate authenticated) SSL connections. Many internal applications broke down at random after about 10 minutes. This is costing massive amounts of time and money.
I'll agree to all your GUI counterclaims: X11 was quite deadish in the old days when Windows NT4 was "the" corporate platform and linux hummed in new 486 running the initial http:// rollout. So it was and still is a bunch of sedimented un-coordinated APIs... right... true... remember, it was on the verge of abandonware... The rest? Hmm, when that stuff got developed in the first place MS was what? 3.11? DOS? Didn't even exist? Now to NFS3? Come on, when the standard was written the US called cryptoAPIs "ammunition"... you couldn't put "mandatory" tags on ammunition! Even MS had to break, cripple, unsecure, bug their domain stuff to make it exportable (I'm not shure that's the only reason but...) So NFS security became optional and developers wouldn't build anything that was patent laden would they? Sendmail... that's like firing at the Red Cross... why don't you mention Postfix ;-) ?
My point anyway is that the parent says MS has to regress the whole damn kaboodle for a couple of bugs so it's not their fault if it takes time. I challenge that: if they had done a half decent job there'd be no reason to check the whole OS for a couple of broken private methods in a web browser component class. that they should do that is a design failure... they might as well have written the whole thing in one big statically linked C executable.
Mi domando chi à il mandante di tutte le cazzate che faccio - Altan
The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.
That was my initial reaction too, but then I asked myself why? Why must the manufacturer be notified first? All Linux expolits are announced publically aren't they? Or am I mistaken? If defects in Linux can be made public and fixed quickly, why can't commercial software be done the same way?
Ruby on Rails Screencast
who is forced to use IE?. This is not a 'vertical application', there are free and non-free browsers that work much better than IE: they are much more secure and with options like tabbed browsing and pop-ups blocking.
If people is concerned about security, they should change. If administrators are concerned about security, they should (at least) advice their users to change. I don't think we should blame that researcher for his discovery. I think users should be aware of this things.
"Invalid ContentType may disclose cache directory"
My Classification: Minor
This isn't all that serious. The major threat is that a hacker could get your cache directory. The downloaded web page runs as part of the "internet" zone, meaning that there is no privelage elevation (IE has a zone system to give different pages different privelages).
"LocalZoneInCache"
Moderate/Severe
This is more serious. It allows an attacker to modify files on the system or worse. Note that this *is not* the same as a root exploit, but it could be as damaging as running an executable. Note that the user *does* have to choose "open" in the download dialog, but they are not warned about the security risks and may not consider them as the file extention is ".htm".
"MHTML Redirection Leads to Downloading EXE and Executing - Remote Compromise(requiring MYCOMPUTER zone)"
Moderate
This is somewhat less severe. It allows an attacker to download and execute an executable, but only if the user has already downloaded the page, saved it to disk, and executed it. The user might assume (incorrectly) that the file is safe.
"MHTML Redirection leads to local file parsing in INTERNET zone"
Severe (If an issue)
I was not able to reproduce results with this veulnerability (IE6 SP1). Please comment if you can reproduce it. If it is indeed true, it would allow an attacker to parse the contents of a local file. They would need the absolute path. This could be used to discover potentially private information.
"HijackClickV2 - Adding a Link to Favoriate List(requiring clicking a link)"
Minor
This would allow an attacker to add their site to favorites. The user would have to click a link and would have to release their mouse button over the favorites list (which is placed under their cursor after clicking the link).
"execdror6"
Severe (if issue)
I was not able to reproduce results with this veulnerability (IE6 SP1). Please comment if you can reproduce it. If it is indeed true, it would allow an attacker to run an executable on the user's system. The user would have to click "open" on an HTML file download. Security warnings would not be displayed.
"BackToFramedJpu - Cross-zone scripting(requiring a subframe in victim page)"
Moderate
This could allow an attacker to execute code in another security zone. It could potentially be used to execute code in the "my computer" zone if the attacker knows the location of a local page with frames.
I'll comment on the rest later.
Hmmm who modded this troll up as Interesting, ok I'll pretend this is not a troll, and answer, what M$ has done with bimbo's and IE is not just code reuse, they have not just used some of the same libraries again, they have tightly coupled, them together, so that they cannot easily be separated, parts of windows code was put into the IE libraries, were it doesn't belong in order to legitamise their claim that the two are so called integrated, butchered would be a better term, this is why all of a sudden installing IE even without the "IE desktop", changed your system libraries. In addition inorder to further the same goals or out of shear incompetence, M$ have hooked the two together, via global variables and functions to the point where the one cannot exist with out the other. This is not code reuse this is bad design, and infact the oppersite of structured programming, which is the basis of real code reuse.
You really don't know the first thing about coding do you, when you use a library you do not cut and paste the code into your own, you use their functions and stuff, so all that had to happen with gzip was they fixed the library, then if another project was staticly linked to the library it would have had to be relinked to the new library, but as the majority of code is dynamically these days, most programs would only need you to update the dynamic library on your system, and whala, all programs using the library are fixed next time you run them.
in my life God comes first.... but Linux is pretty high after that
Francis Smit