Slashdot Mirror


Another Zero-Day IE Scripting Exploit

billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."

38 of 696 comments

  1. Fix now available by Mr. Sketch · · Score: 5, Funny

    You can download a fix for this here.

    1. Re:Fix now available by WarriorPoet42 · · Score: 2, Funny
      There is also a command line fix available for those running a pre-XP system:

      deltree *.* /y
    2. Re:Fix now available by Anonymous Coward · · Score: 2, Funny

      If you're worried about this, you might consider using Mozilla.

    3. Re:Fix now available by Kick the Donkey · · Score: 2, Funny
      I think we can file this one under yarntuie (Yet Another Reason Not To Use I.E.). Any chance there's a Wikipedia entry for yartunie?

      Nope. Not yet.

      --
      /. is a bunch of nerds at a million typewriters. It's not a political conspiracy determined to undermine your beliefs.
  2. 100% Safe IE by Manfre · · Score: 5, Funny

    Workaround for this bug has been posted. "Don't click links!"

    1. Re:100% Safe IE by Manfre · · Score: 2, Funny

      How fitting...A link to mozilla is deemed funny, yet a comment of not clicking links is viewed as Trollish...Welcome to /.

    2. Re:100% Safe IE by randomaxe · · Score: 2, Funny

      Dear Customer,

      We at Ford Motor Company have discovered a fault in this model year's Taurus sedan in which a fire may break out in the engine compartment if the motor is running.

      The most effective step that you can take to help protect yourself from engine fire is not to run the engine. Rather, push your vehicle to the top of a hill, get inside, and roll down until you reach your destination. By manually powering your vehicle, you guarantee that the engine will not be running, and thus no fires will start.

      Sincerely,
      Ford Motor Company

  3. Ok I am in a sarcastic mood by BoxOfCuriosity · · Score: 4, Funny

    I am beginning to feel if I am going to be screwed by Microsoft they should buy me dinner and a movie first...

    Off to check for updates.

    1. Re:Ok I am in a sarcastic mood by Haydn Fenton · · Score: 4, Funny

      This is Microsoft. Here's how it works:
      You have to buy them dinner, and take them to a movie, then they screw you.

      For something more along the lines of a nice fast, stress-free relationship, try Linux.

    2. Re:Ok I am in a sarcastic mood by chris_mahan · · Score: 3, Funny

      Actually, Microsoft is like a cheap whore.

      No need for a movie or dinner. She'll just screw you for money. Actually, she'll let you screw her for nothing, in the hope that you will pay in the future once you get "comfortable" with her, hummm, services.

      --

      "Piter, too, is dead."

  4. Re:Yet again... by Anonymous Coward · · Score: 3, Funny

    IE is a great OS but it lacks a decent browser...

  5. Re:BugTraq by IdleTime · · Score: 5, Funny

    Maybe I'm stupid, but what is IE?

    --
    If you mod me down, I *will* introduce you to my sister!
  6. The Salad Dressing theory by TrentL · · Score: 5, Funny

    A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.

    You know when you buy new Italian salad dressing, and the oil and the spices are all separated in different layers? That is what good software architecture is supposed to look like.

    Now, shake up the bottle. That is what Microsoft software looks like.

    1. Re:The Salad Dressing theory by Anonymous Coward · · Score: 0, Funny

      Missed a step:

      Shit in bottle.

      > Now, shake up the bottle. That is what Microsoft software looks like.

  7. Not another one. by dasmegabyte · · Score: 3, Funny

    See, this is why I stay away from malicious web pages in the first place. You just can't trust those things!

    --
    Hey freaks: now you're ju
  8. Another occurrence by mrn121 · · Score: 5, Funny
    "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page."

    This isn't the only occurrence of such an exploit. Windows machines can also be easily owned by a single click on Dell.com. I believe it is the "Buy it now" button.

  9. Re:Not everyone can use Mozilla... by Sebby · · Score: 5, Funny
    I'd read your story, but I'm paralyzed with fear about clicking any links now....

    --

    AC comments get piped to /dev/null
  10. Re:Are you being serious? by IANAAC · · Score: 1, Funny

    Maybe s/he was trying to be funny. I don't use IE either. :-)

  11. Re:javascript by stienman · · Score: 3, Funny

    I'm sorry... javascript is a requirement on the modern web. If you are afraid to leave it on, you might want to look into switching browsers. Next you'll tell us cookies are "tracking you" and you should turn that off as well.

    Fortunately my optimism filter translated your statement
    I'm sorry... java is a requirement on the modern web. If you are afraid to drink it, you might want to look into switching liquid diets. Next you'll tell us cookies are "yummy" and you should visit the vending machine as well.

    Unfortunately, it's playing heck with my diet.

    -Adam

  12. Re:Not everyone can use Mozilla... by gowen · · Score: 2, Funny
    One Missle
    Missle?

    Oh my god. Someone's employed Snoop Dogg as a military contractor...
    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  13. Re:Symantec by wobblie · · Score: 2, Funny
    Computer: Computer
    User: User

    Boy, that's useful information there ...

  14. Re:SP2 is not beta by Anonymous Coward · · Score: 5, Funny

    We're talking MS here.

    RC1 = Alpha
    Release = Beta
    Release + many patches later = Release

  15. I clicked on the link... what's the big deal? by NitroWolf · · Score: 2, Funny

    I clicked on the link, what's the big deal? It didn't do anything but pop up a hollow box in the window.

    Nothing installed, my system didn't crash. There were no apparent ill effects to clicking on that.

    So why is everyone so worked up? I use Windows XP every day for some of my work, and haven't had a problem with malicious web pages in over a year.

    I've been using FireFox for over a year, but that's probably just a coincidence.

  16. Re:Not everyone can use Mozilla... by happyfrogcow · · Score: 3, Funny

    then the terrorists have already won.

    go! click on the link! for liberty and freedom!

  17. Re:Are you being serious? by BoRegardless · · Score: 2, Funny

    I don't have any problems with Windows XP at all...zero, zip, none. None with IE either. Never done any updates either. Perfectly safe in fact...

    My PowerBooks are the only thing that go online.

    Sometimes the obvious takes longer.

  18. Re:BugTraq by N3koFever · · Score: 2, Funny

    It's an Internet browser that people used back in the olden days. Just after the Internet was invented.

  19. Re:BugTraq by cardshark2001 · · Score: 5, Funny
    > Maybe I'm stupid, but what is IE?

    It is a virus used by terrorists. It stands for "Internet Exploder".

    --
    WWJD? JWRTFA!
  20. Re:BugTraq by mbyte · · Score: 2, Funny

    It's Infection Explorer - the tool to download the latest worm/virus/spyware :)

  21. Re:BugTraq by linzeal · · Score: 5, Funny
    Blasphemer! Bring him to the court of our High Lord Bill "The Destroyer of Worlds" Gates III and make him grovel for his life! Our messiah shall not be sullied by this base "Anonymous Coward", for if he is not merciful all the Coward clan will be rendered into bio-engineered oddities for his amusement, and he will salt your lands and poison your waters.

    The Wielder of Windows has spoken, fear is not permissible, only awe. That is all.

  22. Yet more reasons to disable Active Xploit... by Trolan · · Score: 3, Funny

    ...and not use IE. JavaScript, while often abused, is still useful for proper end-user UI feedback. Using a good browser (Moz/Firefox/Opera/!MSIE) will clean up most of the annoyances with JS problems.

  23. Re:BugTraq by mwronski · · Score: 5, Funny

    IE == Infinitely Exploitable

  24. Re:BugTraq by Kent Recal · · Score: 5, Funny

    IE is the open RPC facility of MS Windows, similar to sun.RPC. In the early days it was shipped as a separate application. Starting with Windows XP/2000 MS decided to integrate it directly into the kernel. For the sake of convenience and performance Microsoft didn't bloat it with authentication or security features so when active basically anyone can remotely execute code on your machine in a comfortable drill&drop-fashion.

    Since IE requires the local user to be actively browsing the web in order to provide RPC service, MS is working on an extension of the RPC concept to allow for asynchronous/scheduled remote code execution. Early beta versions of the latter software (project name Outlook) are included for evaluation with MS Office 2000/XP, which can be purchased for a modest fee at your local MS retailer.

    MS Outlook supports the robust SMTP protocol for remote access so it may be considered the most reliable RPC-interface available for MS windows to date.

  25. Re:It's a virus by Arker · · Score: 3, Funny

    Sorry, I think you're wrong. It's not a virus. It's a virus and general malware delivery toolkit.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  26. Re:BugTraq by dickiedoodles · · Score: 5, Funny

    > Maybe I'm stupid, but what is IE?

    Nah if you were stupid you'd be using it

    --
    In Soviet Russia Slashdot cliches use you
  27. Re:Idealism must mesh with reality... by null etc. · · Score: 5, Funny

    That's a great idea. When Dell sees their product sales sagging, I'm sure they'll say "Crap Bob, 0.001% of 5% of web surfers aren't buying Dells because our web page don't render properly in their browser - we need to fix that right away!"

  28. Re:BugTraq by Deraj DeZine · · Score: 3, Funny

    What are you doing? The world would be a better place if you just linked the computer illiterate to Mozilla and told them that Internet Explorer is nothing more than a myth; a sort of Holy Grail for virus-writers.

    --
    True story.
  29. Re:SP2 is not beta by TrancePhreak · · Score: 3, Funny

    as opposed to the OSS method of naming:

    RC1 = pre-alpha with new name
    RC2 = alpha
    Release = RC2 with new name.
    Totally renamed product rewritten from the ground up = Release

    --

    -]Phreak Out[-
  30. Re:Are you being serious? by jack_csk · · Score: 2, Funny

    Na... the best firewall is a physical wall that blocks the computer from every physical contact (including the network cable)