New Windows Vulnerability in Help System
wesleyt writes "CERT announced today a significant Microsoft Windows vulnerability related to IE and its handling of the Windows help subsystem. There are currently no patches available and no virus definitions for the major scanners. As well, exploits have been reported in the wild. Because the vulnerability is in the help subsystem, even users who avoid Outlook and IE are vulnerable, since IE is the default handler for help files. It seems that this is going to be an ugly one."
I am sure the major virus scanners will have it before anything "really" bad happens. This isn't anything special. Move along.
"could allow an attacker to execute arbitrary code with the privileges of the user running IE" This is why you run as a restricted user rather than administrator or power user. Restricted users don't have write or modify permissions to the WINNT or Program Files directories or subdirectories. And they certainly don't have permission to screw with the registry.
now would be a very good time to start the clocks to see how long it takes them to get a patch out. Should be a good case in point for the forrester research published last week. rd
I think MS will fix this one soon because of its impact on the Windows concept as a whole. The help system is a crucial item.
Well, CERT says to disable ActiveX stuff; well, that should be easy to fix, I guess.
Hope they fix this one soon.
... that not publishing vulnerabilities doesn't stop exploits. This one had exploits long before the vulnerability was known to anyone but the hackers. I have to laugh every time MS whines about how problems would go away if vulnerabilities were never disclosed, except to the vendor of course. The only thing that might go away is the bad PR, if even that.
I'd imagine lots of the IT bods that are still working will have had major work scheduled for this weekend for weeks. Just as well there isn't a patch to be deployed!
At the risk of replying to a Microsoft troll, this is not a "pretty insignificant" story.
Errors in server-side applications are rapidly fixed by serious system administrators and at the worst they provide attackers a way into unprotected systems. How many computers around the world are currently infected or zombied thanks to holes in any of the programs you cited? Almost zero.
Security holes in client-side applications (MSIE, Outlook, primarily) are a totally different story. These programs are mainly used by people who don't have the capacity to protect their systems. And the results are clear: millions of PCs infected by everything from viruses to worms and spywares, used as platforms to launch DDoS attacks, to send spam, to steal information...
There is a real security problem on the Internet, one that is making a joke of the "information highway", and it's almost entirely caused by vulnerabilities like the one reported here.
Until the market leader realizes that its users need serious protection from the malicious forces who roam the Internet, no amount of criticism is too much. And, if you really want to support and defend Microsoft, you should be adding your voice, because it is this issue - its failure to provide its users with a safe platform - which will be its downfall.
"Microsoft = insecure" is an association that should be sending shivers down the backs of those marketing managers trying to bomb the web with billions of Microsoft adverts.
This is not a signature
you will be afraid too
and being afraid is a GOOD thing
it makes you vigilant
there is no system out there that is 100% virus proof
so don't make excuses to lull yourself into a false sense of security
always be vigilant, and you will minimize your risk of being infected
it will never be 0, no matter what os you use, no matter what you do
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Taken from Sophos (http://www.sophos.com/virusinfo/analyses/index_mac_exe.html):
Description: Macintosh file virus
666, see Mac/Sevendust-A
ANTI-A, see Mac/ANTI-A
CDEF, see Mac/CDEF
CODE-1, see Mac/CODE-1
CODE-252, see Mac/CODE-252
CODE-9811, see Mac/CODE-9811
ERIC, see Mac/Scores
Garfield, see Mac/MDEF-A
Graphics Accelerator, see Mac/SevenD-Fam
INIT-1984, see Mac/INIT-1984
INIT-29, see Mac/INIT-29
INIT-9403, see Mac/INIT-9403
INIT-M, see Mac/INIT-M
Mac/ANTI-A
Mac/CDEF
Mac/CODE-1
Mac
Mac/CODE-9811
Mac/INIT-1984
Mac/INIT-
Mac/INIT-9403
Mac/INIT-M
Mac/MBDF-A
Mac/MBD
Mac/MDEF-A
Mac/nVIR-A
Mac/nVIR-B
Mac/nVIR-
Mac/Scores
Mac/SevenD-C
Mac/SevenD-D
Mac/S
Mac/Sevendust-A
Mac/Sevendust-B
Mac/S
Mac/T4
Mac/WDEF
Mac/ZUC-A
MBDF-A, see Mac/MBDF-A
MBDF-B, see Mac/MBDF-B
MDEF 666, see Mac/Sevendust-A
MDEF 9806, see Mac/Sevendust-A
MDEF-A, see Mac/MDEF-A
NASA VULT, see Mac/Scores
nVIR-A, see Mac/nVIR-A
nVIR-B, see Mac/nVIR-B
nVIR-Fam, see Mac/nVIR-Fam
San Jose Flu, see Mac/Scores
Scores, see Mac/Scores
SevenD-C, see Mac/SevenD-C
SevenD-D, see Mac/SevenD-D
SevenD-Fam, see Mac/SevenD-Fam
Sevendust-A, see Mac/Sevendust-A
Sevendust-B, see Mac/Sevendust-B
Sevendust-J, see Mac/Sevendust-J
SysX, see Mac/INIT-9403
T4, see Mac/T4
WDEF, see Mac/WDEF
ZUC-A, see Mac/ZUC-A
Wooohoooo! So that is the userfriendly Windows everyone is talking about!
Sounds like the lynx browser (or links, w3m, etc) is right up your alley. Lots of other people who share your distaste for browser bloat do. Microsoft doesn't really care too much about those people who say "Ugh, Microsoft IE sucks! Oh, yeah, I still use it though". It's only until people say "IE sucks, that's why I use [whatever] instead" that they'll pay attention.
Funnel your enthusiasm into trying some different browsers that fit your needs. Donate some time or money, maybe, to an open source browser you do like.
At this point, though, a "IE is lame" post doesn't really contribute much to the discussion. Or have I been trolled?
INIT, MDEF, ANTI-A... wow, that's a blast from the past...
I remember wiping some of these off of floppies... back when I even owned floppies.
That's not the point. MS has tried to lead the public to believe that there's never been an instance of exploit code before their patch. And obviously if there's exploit code out there, something already "really bad" has happened. This comes after the Witty worm spread before ISS had patches for their products.
On a related note, MS pretty much NEVER releases advisories of their own will before a patch. There almost always has to be a 3rd party that has said they are going to go public, or there have to be exploits or information in the wild. With that information, I wonder if this exploit is related to the Windows source leak. The source leak had a lot of IE code, and if there are exploits in the wild before MS could even send out an advisory, that would lead me to the possibility that the Windows source leak could be the source of this one.
Why did you make it so bloody difficult to switch off HTML content in received email text? At best, it meant bandwidth-guzzling spam; at worst, viruses you didn't even have to open to catch.
As to browser/plug-in vulnerabilities, it may never be possible to eliminate them all, there are just too many niches for a virus to gain foothold.
"You lied to me! There is a Swansea!"
Are you happy now, or do we still need to educate you why modularity is a better design compromise?
MS's decision to embed IE into everything in Windows makes Windows a breeding ground for vulnerabilities.
IANAL but write like a drunk one.
because we all know your mother would have no problem adding people to her sudoer's file...yup. christ. this story has some ridiculous fucking comments, most of which are like the parent - bashing windows' usability issues WRT security because they're so arcane when unix's certainly are too...
Windows XP sets up its users with full administrator privileges by default and without a password.
The simple Control Panel even hides the management interface to make granular security possible.
The truth is, in order for NT to work in consumer homes, it had to behave just like DOS versions of Windows did.
Joe Sixpack may be computer illiterate, but his dollar is what ultimately fills Microsoft's coffers.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
I don't know about that specific vulnerability, but I always suspected something fishy about the .chm files. They can run JavaScript and whatever else you compile into them with full user privilege. Yes, I write .chm files. I think a workaround is to disable JavaScript and other scripting at the Local Intranet security level in IE options.
The problem is, they state that this may not be limited to IE/Outlook (Express):
NOTE: Using an alternate web browser may not mitigate this vulnerability. It may be possible for a web browser other than IE on a Windows system to invoke IE to handle ITS protocol URLs.
Another instance where unbundling and removing IE from a system would be beneficial...
The 'Mac is invincible' mentality just means a well crafted mac virus will do even more damage.
How many Mac owners have AV software that is up to date?
The other day my boss called me over to check out a suspicious-looking email that had made its way past SpamAssassin. It rendered blank, but looking at the raw message code revealed it was using just this kind of exploit (with a <FORM> to obfuscate what was really happening).
My boss' account has Restricted User privileges, with Eudora as the MUA and Mozilla as the browser, so no panic, but the fact that spammers are already using this is scary.
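The kind of raw-message check the comment above describes, and the CERT note elsewhere in this thread that ITS protocol URLs can reach IE from other programs, as an added example that is not part of the original post, of SpamAssassin, or of any CERT tooling. It assumes that `ms-its:`, `its:` and `mk:@MSITStore:` are the URL schemes routed to the ITS handler; the sample messages, hostnames and file names are constructed for the example.

```python
import email
import html
import re
from email import policy

# Assumed list of URL schemes that hand the URL to the ITS (help file) handler.
# The lookbehind keeps "its:" from matching inside "ms-its:"; the lookahead
# requires something to follow the colon so prose like "its: " is not flagged.
ITS_SCHEME = re.compile(
    r"(?i)(?<![a-z0-9-])(ms-itss?|its|mk:@msitstore):(?=[^\s\"'<>])"
)

# Constructed multipart message: benign text part plus an HTML part whose
# <form> action points at a help file via ms-its: (hostname is a placeholder).
SAMPLE_RAW = b"""From: sender@example.invalid
To: boss@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your invoice is attached.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<form action="ms-its:http://example.invalid/help.chm::/page.htm" method="get">
<input type="hidden" name="x" value="1">
</form>
</body></html>
--b1--
"""

# Constructed single-part message where the scheme is hidden behind an HTML
# entity; a scanner that does not unescape entities misses it.
ENCODED_RAW = b"""From: sender@example.invalid
To: boss@example.invalid
Subject: Read me
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><a href="ms&#45;its:http://example.invalid/other.chm::/p.htm">link</a></body></html>
"""

# Constructed benign message for comparison.
CLEAN_RAW = b"""From: sender@example.invalid
To: boss@example.invalid
Subject: Hello
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Nothing to see here, its: a plain note.
"""


def extract_parts(raw: bytes):
    """Yield (content_type, decoded_text) for every leaf MIME part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        body = part.get_content()  # transfer encoding already undone
        if isinstance(body, bytes):
            # Binary attachments: scan the raw bytes as latin-1 text.
            body = body.decode("latin-1")
        yield part.get_content_type(), body


def find_its_references(raw: bytes) -> list:
    """Return one dict per ITS-scheme URL found in any part of the message."""
    hits = []
    for ctype, body in extract_parts(raw):
        text = html.unescape(body)  # defeat &#45;-style entity obfuscation
        for m in ITS_SCHEME.finditer(text):
            hits.append({
                "part": ctype,
                "scheme": m.group(1).lower(),
                "snippet": text[m.start():m.start() + 60],
            })
    return hits


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_RAW), ("encoded", ENCODED_RAW), ("clean", CLEAN_RAW)):
        print(name, find_its_references(raw))
```

The scanner decodes the MIME structure first, so a base64 or quoted-printable HTML part is inspected after decoding, and it unescapes HTML entities before matching; both are places where a plain grep over the raw message would miss the reference.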
How many Mac owners have AV software that is up to date?
Almost none - reason being that all those viruses (virii) mentioned at Sophos (Sophie) are from the 80's (80uses). This is the first 'exploit' on OS X, and it was just mentioned yesterday. What would Anti-Virus for the Mac have mentioned in their definitions last week?
"Virus definitions: "
Additionally, since all ports are closed by default, and it takes an Administrator password to open any, and it takes an Administrator password to install any applications, and users are not root, there's a limited amount that a virus could do.
-T
On the flip side...
How do you get [whatever] to work on Windows.
Step 1: Insert the cd and let autorun take over and do everything for you.
If that does not work or you run into problems during game play, follow this 20 step procedure (if one is even available) and hope you eventually get it to work, if you can not get it to work, too fucking bad.
As an owner of a few EA Games, I've been down that road many times.
Bad boys rape our young girls but Violet gives willingly.
Well, it's a little more complicated than just "unbundling and removing" IE in this situation. I'd consider the Help system critical for system functioning for lots of users. It'd be totally inexcusable for Windows to not come with any Help just for the sake of deintegration. If they unbundled IE, they'd just have to write *another* HTML rendering engine and associated parts to handle the Help files. It'd probably be more buggy and even less standards-compliant.
On a side note, KDE does the same thing. I can open a "ms-its://" URL to view .chm help files. If a bug was discovered in Konqueror's handling of ms-its URLs that resulted in a security hole, would there be anyone claiming Konqueror shouldn't be part of KDE?
Karma: Contrapositive
Hello? Oh, hi mom. Yeah, I can help you install a program on your computer. What do you want to install? Oh, cool. Have you downloaded it?
Okay, hang on for a moment.
$ ssh moms.computer.net
It'll be done in just a sec, Mom!
I always get the shakes before a drop.
If they unbundled IE, they'd just have to write *another* HTML rendering engine and associated parts to handle the Help files. It'd probably be more buggy and even less standards-compliant.
If they unbundled IE, why the hell wouldn't the help files simply use the designated default browser??
"I'm not a procrastinator, I'm temporally challenged"
Windows has this reputation for "it just works!".
Yet the parent's post clearly shows that if you actually have to change anything fundamental, such as Services or Registry cleanups, it's a total fucking nightmare.
No wonder Windows admins get nervous, and sometimes run away screaming from changing Exchange configs, secure file sharing across networks, and nearly daily virus updates.
Am I forgetting anything?
Konqueror is part of KDE, not part of GNU/Linux. But IE is part of Windows.
User: "How do I get Quake 3 to run in Windows?"
Zealot: "Oh God, I had to install Quake 3 in Windoze for some lamer friend of mine! God, what a fucking mess! I put in the CD and it took about 3 minutes to copy everything, and then I had to reboot the fucking computer! Jesus Christ! What a retarded operating system!"
I have always wondered about this particular Windows feature: the rebooting.
Why do I need to reboot after installing some silly game?? Clearly there are some kind of "ties" in the window manager that would need to be updated, but a full reboot?? Is that really necessary or are they just too lazy to clean it up?
Can someone explain this paradox to me?
{Mozilla, Opera, Lynx} doesn't support CHMs or the ITS protocol. You're right though, they could support interchangeable interfaces so you could use Gecko to render the help files. I certainly hope this will happen, but I don't think it's likely unless some government lawyer grows a pair and forces them to.
If they "unbundled" IE, they would still ship it with every boxed copy of Windows, and if you wanted Help out of the box, you'd need to install IE. The only way you'd be able to get a completely IE-free system would be from an OEM or a customized install disc.
Karma: Contrapositive