Slashdot Mirror


Another Zero-Day IE Scripting Exploit

billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."

24 of 696 comments

  1. Fix now available by Mr. Sketch · · Score: 5, Funny

    You can download a fix for this here.

  2. 100% Safe IE by Manfre · · Score: 5, Funny

    Workaround for this bug has been posted. "Don't click links!"

  3. Ok I am in a sarcastic mood by BoxOfCuriosity · · Score: 4, Funny

    I am beginning to feel if I am going to be screwed by Microsoft they should buy me dinner and a movie first...

    Off to check for updates.

    1. Re:Ok I am in a sarcastic mood by Haydn Fenton · · Score: 4, Funny

      This is Microsoft. Here's how it works:
      You have to buy them dinner, and take them to a movie, then they screw you.

      For something more along the lines of a nice fast, stress-free relationship, try Linux.

    2. Re:Ok I am in a sarcastic mood by chris_mahan · · Score: 3, Funny

      Actually, Microsoft is like a cheap whore.

      No need for a movie or dinner. She'll just screw you for money. Actually, she'll let you screw her for nothing, in the hope that you will pay in the future once you get "comfortable" with her, hummm, services.

      --

      "Piter, too, is dead."

  4. Re:Yet again... by Anonymous Coward · · Score: 3, Funny

    IE is a great OS but it lacks a decent browser...

  5. Re:BugTraq by IdleTime · · Score: 5, Funny

    Maybe I'm stupid, but what is IE?

    --
    If you mod me down, I *will* introduce you to my sister!

  6. The Salad Dressing theory by TrentL · · Score: 5, Funny

    A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.

    You know when you buy new Italian salad dressing, and the oil and the spices are all separated in different layers? That is what good software architecture is supposed to look like.

    Now, shake up the bottle. That is what Microsoft software looks like.

  7. Not another one. by dasmegabyte · · Score: 3, Funny

    See, this is why I stay away from malicious web pages in the first place. You just can't trust those things!

    --
    Hey freaks: now you're ju

  8. Another occurrence by mrn121 · · Score: 5, Funny

    "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page."

    This isn't the only occurrence of such an exploit. Windows machines can also be easily owned by a single click on Dell.com. I believe it is the "Buy it now" button.

  9. Re:Not everyone can use Mozilla... by Sebby · · Score: 5, Funny

    I'd read your story, but I'm paralyzed with fear about clicking any links now....

    --

    AC comments get piped to /dev/null

  10. Re:javascript by stienman · · Score: 3, Funny

    I'm sorry... javascript is a requirement on the modern web. If you are afraid to leave it on, you might want to look into switching browsers. Next you'll tell us cookies are "tracking you" and you should turn that off as well.

    Fortunately my optimism filter translated your statement
    I'm sorry... java is a requirement on the modern web. If you are afraid to drink it, you might want to look into switching liquid diets. Next you'll tell us cookies are "yummy" and you should visit the vending machine as well.

    Unfortunately, it's playing heck with my diet.

    -Adam

  11. Re:SP2 is not beta by Anonymous Coward · · Score: 5, Funny

    We're talking MS here.

    RC1 = Alpha
    Release = Beta
    Release + many patches later = Release

  12. Re:Not everyone can use Mozilla... by happyfrogcow · · Score: 3, Funny

    then the terrorists have already won.

    go! click on the link! for liberty and freedom!

  13. Re:BugTraq by cardshark2001 · · Score: 5, Funny

    Maybe I'm stupid, but what is IE?

    It is a virus used by terrorists. It stands for "Internet Exploder".

    --
    WWJD? JWRTFA!

  14. Re:BugTraq by linzeal · · Score: 5, Funny

    Blasphemer! Bring him to the court of our High Lord Bill "The Destroyer of Worlds" Gates III and make him grovel for his life! Our messiah shall not be sullied by this base "Anonymous Coward", for if he is not merciful all the Coward clan will be rendered into bio-engineered oddities for his amusement, and he will salt your lands and poison your waters.

    The Wielder of Windows has spoken, fear is not permissible, only awe. That is all.

  15. Yet more reasons to disable Active Xploit... by Trolan · · Score: 3, Funny

    ...and not use IE. JavaScript, while often abused, is still useful for proper end-user UI feedback. Using a good browser (Moz/Firefox/Opera/!MSIE) will clean up most of the annoyances with JS problems.

  16. Re:BugTraq by mwronski · · Score: 5, Funny

    IE == Infinitely Exploitable

  17. Re:BugTraq by Kent Recal · · Score: 5, Funny

    IE is the open RPC facility of MS Windows, similar to sun.RPC. In the early days it was shipped as a separate application. Starting with Windows XP/2000 MS decided to integrate it directly into the kernel. For the sake of convenience and performance Microsoft didn't bloat it with authentication or security features so when active basically anyone can remotely execute code on your machine in a comfortable drill&drop-fashion.

    Since IE requires the local user to be actively browsing the web in order to provide RPC service MS is working on an extension of the RPC concept to allow for asynchronous/scheduled remote code execution. Early beta-versions of the latter software (Project name Outlook) are included for evaluation with MS Office 2000/XP which can be purchased for a modest fee at your local MS retailer.

    MS Outlook supports the robust SMTP protocol for remote access so it may be considered the most reliable RPC-interface available for MS Windows to date.

  18. Re:It's a virus by Arker · · Score: 3, Funny

    Sorry, I think you're wrong. It's not a virus. It's a virus and general malware delivery toolkit.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.

  19. Re:BugTraq by dickiedoodles · · Score: 5, Funny

    Maybe I'm stupid, but what is IE?

    Nah if you were stupid you'd be using it

    --
    In Soviet Russia Slashdot cliches use you

  20. Re:Idealism must mesh with reality... by null etc. · · Score: 5, Funny

    That's a great idea. When Dell sees their product sales sagging, I'm sure they'll say "Crap Bob, 0.001% of 5% of web surfers aren't buying Dells because our web page don't render properly in their browser - we need to fix that right away!"

  21. Re:BugTraq by Deraj DeZine · · Score: 3, Funny

    What are you doing? The world would be a better place if you just linked the computer illiterate to Mozilla and told them that Internet Explorer is nothing more than a myth; a sort of Holy Grail for virus-writers.

    --
    True story.

  22. Re:SP2 is not beta by TrancePhreak · · Score: 3, Funny

    as opposed to the OSS method of naming:

    RC1 = pre-alpha with new name
    RC2 = alpha
    Release = RC2 with new name.
    Totally renamed product rewritten from the ground up = Release

    --

    -]Phreak Out[-