Slashdot Mirror


Another Zero-Day IE Scripting Exploit

billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."

15 of 696 comments

  1. Fix now available by Mr. Sketch · · Score: 5, Funny

    You can download a fix for this here.

  2. 100% Safe IE by Manfre · · Score: 5, Funny

    Workaround for this bug has been posted. "Don't click links!"

  3. Ok I am in a sarcastic mood by BoxOfCuriosity · · Score: 4, Funny

    I am beginning to feel if I am going to be screwed by Microsoft they should buy me dinner and a movie first...

    Off to check for updates.

    1. Re:Ok I am in a sarcastic mood by Haydn Fenton · · Score: 4, Funny

      This is Microsoft. Here's how it works:
      You have to buy them dinner, and take them to a movie, then they screw you.

      For something more along the lines of a nice fast, stress-free relationship, try Linux.

  4. Re:BugTraq by IdleTime · · Score: 5, Funny

    Maybe I'm stupid, but what is IE?

    --
    If you mod me down, I *will* introduce you to my sister!

  5. The Salad Dressing theory by TrentL · · Score: 5, Funny

    A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.

    You know when you buy new Italian salad dressing, and the oil and the spices are all separated in different layers? That is what good software architecture is supposed to look like.

    Now, shake up the bottle. That is what Microsoft software looks like.

  6. Another occurrence by mrn121 · · Score: 5, Funny

    "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page."

    This isn't the only occurrence of such an exploit. Windows machines can also be easily owned by a single click on Dell.com. I believe it is the "Buy it now" button.

  7. Re:Not everyone can use Mozilla... by Sebby · · Score: 5, Funny

    I'd read your story, but I'm paralyzed with fear about clicking any links now....

    --
    AC comments get piped to /dev/null

  8. Re:SP2 is not beta by Anonymous Coward · · Score: 5, Funny

    We're talking MS here.

    RC1 = Alpha
    Release = Beta
    Release + many patches later = Release

  9. Re:BugTraq by cardshark2001 · · Score: 5, Funny

    Maybe I'm stupid, but what is IE?

    It is a virus used by terrorists. It stands for "Internet Exploder".

    --
    WWJD? JWRTFA!

  10. Re:BugTraq by linzeal · · Score: 5, Funny

    Blasphemer! Bring him to the court of our High Lord Bill "The Destroyer of Worlds" Gates III and make him grovel for his life! Our messiah shall not be sullied by this base "Anonymous Coward", for if he is not merciful all the Coward clan will be rendered into bio-engineered oddities for his amusement, and he will salt your lands and poison your waters.

    The Wielder of Windows has spoken, fear is not permissible, only awe. That is all.

  11. Re:BugTraq by mwronski · · Score: 5, Funny

    IE == Infinitely Exploitable

  12. Re:BugTraq by Kent Recal · · Score: 5, Funny

    IE is the open RPC facility of MS Windows, similar to sun.RPC. In the early days it was shipped as a separate application. Starting with Windows XP/2000 MS decided to integrate it directly into the kernel. For the sake of convenience and performance Microsoft didn't bloat it with authentication or security features so when active basically anyone can remotely execute code on your machine in a comfortable drill&drop-fashion.

    Since IE requires the local user to be actively browsing the web in order to provide RPC service MS is working on an extension of the RPC concept to allow for asynchronous/scheduled remote code execution. Early beta-versions of the latter software (Project name Outlook) are included for evaluation with MS Office 2000/XP which can be purchased for a modest fee at your local MS retailer.

    MS Outlook supports the robust SMTP protocol for remote access so it may be considered the most reliable RPC-interface available for MS Windows to date.

  13. Re:BugTraq by dickiedoodles · · Score: 5, Funny

    Maybe I'm stupid, but what is IE?

    Nah if you were stupid you'd be using it

    --
    In Soviet Russia Slashdot cliches use you

  14. Re:Idealism must mesh with reality... by null etc. · · Score: 5, Funny

    That's a great idea. When Dell sees their product sales sagging, I'm sure they'll say "Crap Bob, 0.001% of 5% of web surfers aren't buying Dells because our web page don't render properly in their browser - we need to fix that right away!"