Another Zero-Day IE Scripting Exploit
billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."
You can download a fix for this here.
Things you think are in the Constitution, but are not.
Workaround for this bug has been posted. "Don't click links!"
Maybe I'm stupid, but what is IE?
If you mod me down, I *will* introduce you to my sister!
A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.
You know when you buy new Italian salad dressing, and the oil and the spices are all separated in different layers? That is what good software architecture is supposed to look like.
Now, shake up the bottle. That is what Microsoft software looks like.
This isn't the only occurrence of such an exploit. Windows machines can also be easily owned by a single click on Dell.com. I believe it is the "Buy it now" button.
AC comments get piped to
We're talking MS here.
RC1 = Alpha
Release = Beta
Release + many patches later = Release
It is a virus used by terrorists. It stands for "Internet Exploder".
WWJD? JWRTFA!
The Wielder of Windows has spoken, fear is not permissible, only awe. That is all.
An Education is the Font of All Liberty
IE == Infinitely Exploitable
IE is the open RPC facility of MS Windows, similar to sun.RPC. In the early days it was shipped as a separate application. Starting with Windows XP/2000 MS decided to integrate it directly into the kernel. For the sake of convenience and performance Microsoft didn't bloat it with authentication or security features so when active basically anyone can remotely execute code on your machine in a comfortable drill&drop-fashion.
Since IE requires the local user to be actively browsing the web in order to provide RPC service, MS is working on an extension of the RPC concept to allow for asynchronous/scheduled remote code execution. Early beta-versions of the latter software (Project name Outlook) are included for evaluation with MS Office 2000/XP which can be purchased for a modest fee at your local MS retailer.
MS Outlook supports the robust SMTP protocol for remote access so it may be considered the most reliable RPC-interface available for MS Windows to date.
Maybe I'm stupid, but what is IE?
Nah if you were stupid you'd be using it
In Soviet Russia Slashdot cliches use you
That's a great idea. When Dell sees their product sales sagging, I'm sure they'll say "Crap Bob, 0.001% of 5% of web surfers aren't buying Dells because our web page don't render properly in their browser - we need to fix that right away!"