Slashdot Mirror


Another Zero-Day IE Scripting Exploit

billstewart writes "A Computerworld Article reports a pair of vulnerabilities in Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."

42 of 696 comments

  1. BugTraq by Mz6 · · Score: 5, Informative
    Posted to BugTraq 6/7.. 2 days ago...

    Here is the BugTraq Archive link.. WARNING.. The link to this site contains OTHER links to the ACTUAL exploit as well as the source code and a non-harmless display. Use at your OWN risk. Just thought I would put out the disclaimer.

    --
    Hmmm.
    1. Re:BugTraq by c13v3rm0nk3y · · Score: 1, Informative
      ... what is IE?

      It's a file explorer provided on Win32 operating systems. While it's best to use this to browse only local files and folders, it has been extended to access remote files and objects over a variety of protocols.

      It's also known as "Windows Explorer", or just "Explorer".

      --
      -- clvrmnky
    2. Re:BugTraq by GSloop · · Score: 4, Informative

      How about this...from one of the creators of the Internet...

      Vint Cerf responded to MSNBC

      From http://www.msnbc.com:80/news/249325.asp (which has apparently subsequently timed out). See also ``Revisionist Internet History.'' --jsq

      Vint Cerf responded to MSNBC's questions about the Net's origins with this e-mail:

      VP Gore was the first or surely among the first of the members of Congress to become a strong supporter of advanced networking while he served as Senator. As far back as 1986, he was holding hearings on this subject (supercomputing, fiber networks...) and asking about their promise and what could be done to realize them. Bob Kahn, with whom I worked to develop the Internet design in 1973, participated in several hearings held by then-Senator Gore and I recall that Bob introduced the term ``information infrastructure'' in one hearing in 1986. It was clear that as a Senator and now as Vice President, Gore has made it a point to be as well-informed as possible on technology and issues that surround it.

      As Senator, VP Gore was highly supportive of the research community's efforts to explore new networking capabilities and to extend access to supercomputers by way of NSFNET and its successors, the High Performance Computing and Communication program (which included the National Research and Education Network initiative), and as Vice President, he has been very responsive to recommendations made, for example, by the President's Information Technology Advisory Committee that endorsed additional research funding for next generation fundamental research in software and related topics. If you look at the last 30-35 years of network development, you'll find many people who have made major contributions without which the Internet would not be the vibrant, growing and exciting thing it is today. The creation of a new information infrastructure requires the willing efforts of thousands if not millions of participants and we've seen leadership from many quarters, all of it needed, to move the Internet towards increased availability and utility around the world.

      While it is not accurate to say that VP Gore invented Internet, he has played a powerful role in policy terms that has supported its continued growth and application, for which we should be thankful.

      We're fortunate to have senior level members of Congress and the Administration who embrace new technology and have the vision to see how it can be put to work for national and global benefit.

  2. Not everyone can use Mozilla... by TrentL · · Score: 4, Informative

    Unfortunately, some businesses restrict what software the employees can install on their computer. I've written about such an experience here.

    1. Re:Not everyone can use Mozilla... by stecoop · · Score: 4, Informative

      I'm running Mozilla on a restricted computer. Go download the ZIP files and simply extract them to any folder you can write to even if that means in your home directory on unix or My documents on NT.

      Here is the path for the latest release candidate of Mozilla just unzip and run mozilla.exe:
      http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.7rc3/mozilla-win32-1.7rc3.zip

      Have Fun!

    2. Re:Not everyone can use Mozilla... by Anonymous Coward · · Score: 1, Informative

      Which is why I copy an INSTALLED FireSomething or Mozilla folder to flashdisk and take it with me.
      You can still add extensions, etc as normal. :)

    3. Re:Not everyone can use Mozilla... by Stitch_626 · · Score: 2, Informative

      Some businesses HAVE to restrict what software employees install on their machines.

      For example, where I work, users are not allowed to install anything at all. The reason for this is that a standard desktop is required. Some of our financial software goes through IE to a server at HQ.

      I've personally had nightmares when users install Hotbar, AIM, or any other number of 3rd party software.

      When users install extra programs on work computers it can affect the entire company.

      Anybody who wants to listen to internet radio or have cute icons in their emails needs to do that stuff at home, NOT AT WORK!!!

      --
      Ohana means family. Family means nobody gets left behind or forgotten.
    4. Re:Not everyone can use Mozilla... by Saeed+al-Sahaf · · Score: 2, Informative
      You can't be serious! In case you haven't been following the news the past few years, most corporations dictate what goes on your machine, and unfortunately, Mozilla isn't on very many lists. At my employer, the only ones with the permissions to install anything (or ask for an alternative) are the engineering staff. Everyone else gets a locked down copy of IE, and likes it (because they ain't getting anything else). One problem is that many enterprise applications run in the browser with ActiveX and other widgets that require IE.

      For the most part, if an enterprise is primarily Windows, this is more or less a support issue, wanting to limit the applications we are responsible for supporting. I know, I know, IE increases the support load (theoretically). But as I said, our users get a very locked down IE. Along with that and very strict permissions, email filters on Exchange that examine and delete offending file attachments, I don't think I've seen any virus around here in ages.

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    5. Re:Not everyone can use Mozilla... by AKnightCowboy · · Score: 4, Informative
      Why would they want to take such a risk by running Internet Explorer?

      Because many web based applications require it. Our SAP system for procurement for instance requires IE 6 on a Windows box. Our Mac users must use a Citrix server to access Windows to access the system. It's very stupid to come up with such a broken system, but that's the way the cookie crumbles.

      Our time card program is another app that simply doesn't work on anything other than IE 6 on Windows.

    6. Re:Not everyone can use Mozilla... by Anonymous Coward · · Score: 2, Informative

      Just lock down IE's Internet Security Zone like it ought to be from the manufacturer.
      The only people that should be allowed to run any scripts at all should be sites you trust like banks, mutual funds, etc.
      Just add sites you trust to the Trusted Sites list of your security Zones.
      The rest of the internet does not need to run any scripts for any reason on any OS.
      Unfortunately most of the net's webmasters seem to think they have the right to run anything they wish on your computer.
      If locked down the way it ought to be IE is as safe as any other browser.

    7. Re:Not everyone can use Mozilla... by Tet · · Score: 2, Informative
      As long as a program doesn't write to the registry then you can likely install it anywhere.

      Not true. We have policies that prevent users from creating any .exe, .com, .pif etc. files. That way, even if a virus manages to get onto their machines, it's limited in the amount of harm it can do. We don't let them even see their C: drive, either (amongst other restrictions). Draconian? Yes, but it's the only sane approach for a corporate network. With what we give them, they can accomplish everything they need to get their job done.

      On the plus side, we remove the ability for them to run Internet Explorer, and provide Firefox as their standard browser. We're not evil... just paranoid :-)

      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
    8. Re:Not everyone can use Mozilla... by Nogami_Saeko · · Score: 2, Informative

      This is the same issue that I have when everyone starts the "switch browsers" chant.

      I need IE because of certain web-applications that require IE-specific plugins. There's no possibility of that changing in the short term, so it's a non-starter.

      N.

      --
      "Nothing strengthens authority so much as silence." - Charles de Gaulle
  3. Re:Dang, what a surprize! by gowen · · Score: 2, Informative

    de jure: of right, by right, according to law.

    du jour: That is chosen or allocated for a particular day: 'of the day', 'for today'; sometimes with connotations of impermanence, interchangeability, or repetitiveness.

    Questions, comments?

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  4. Re:Yet again... by irokitt · · Score: 4, Informative

    Even more disappointing is that this hole in IE is then used to put a file on your computer, and then the file takes advantage of a local exploit that Microsoft has known about since August of 2003. Yet they have failed to patch it.

    --
    If my answers frighten you, stop asking scary questions.
  5. Re:Mac hole by ColMustard · · Score: 1, Informative

    It was kind of an ugly story. Apple released a patch for that hole, but then it was discovered that the entire concept of their registering URL system could allow pretty much any URL to launch arbitrary code.. Or something like that. I didn't follow it too closely myself. Apple just barely released a master fix just two days ago.

    --
    Moof.
  6. Troubling... by GillBates0 · · Score: 3, Informative
    More trouble, IMHO than the current slew of worms which can be rendered harmless simply by using a firewall.

    Exploits like these, on the other hand, are akin to a passive attack from the inside (like an infected laptop connected from inside the firewall) but are even more serious, because very little action is required on the part of the user to effect the attack, and they are *very* difficult to monitor and contain.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  7. Kudos to Norton by JMZero · · Score: 4, Informative

    I tried the demonstration, and Norton popped up and prevented the thing from running. Apparently someone's on the ball somewhere.

    --
    Let's not stir that bag of worms...
    1. Re:Kudos to Norton by JPDeckers · · Score: 5, Informative
      Well, The demonstration is indeed blocked.

      But after reading the article, I tried the real installer URL, and, surprise, with Norton Antivirus (fully updated) the ad-bar WAS installed.

      As said in the article, due to various layers of encoding the javascript, detection is avoided.

      Ad-Aware luckily recognized all 34 (!!) regkeys, dll's etc.

  8. Symantec by mrgrey · · Score: 4, Informative

    Symantec catches this vulnerability as the following:

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Downloader.Trojan
    File: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\67HK1KWV\installer[1].html
    Location: Quarantine
    Computer: Computer
    User: User
    Action taken: Quarantine succeeded : Access denied
    Date found: Wednesday, June 09, 2004 11:56:26 AM

    Most corporations should have little to worry about.

    --
    -Tolerate my intolerance
  9. MOD PARENT UP by bircho · · Score: 4, Informative

    Reference to Microsoft advice (he was trying to be funny, you insensitive clod.)

    .
  10. What do you mean "zero-day"? by mikemulvaney · · Score: 2, Informative

    Doesn't zero-day mean that the bug came out the same time as IE? Didn't IE come out several years ago? And if one of these is already fixed in SP 2, that doesn't sound exactly zero-day either.

    1. Re:What do you mean "zero-day"? by Mz6 · · Score: 4, Informative
      Get out of your pirate 0-day mindset and into a security one.

      Usually, people that find a security hole will keep it to themselves and alert the vendor about it. Then, giving them substantial time (in Microsoft's case) to fix the hole, you can release the hole and how it was exploited. When a hole is released in the wild without the vendor knowing about it, it's called 0-day.

      --
      Hmmm.
    2. Re:What do you mean "zero-day"? by irokitt · · Score: 3, Informative

      Zero-day means the exploit was created on the same day the bug was found. For example, if somebody finds a hole in Apache (to pick a random software title) but nobody begins to exploit it until, say, a week later, it is not zero-day. This thing was so simple to exploit that somebody already has a working exploit running.

      --
      If my answers frighten you, stop asking scary questions.
  11. Re:Yet again... by Rhys · · Score: 3, Informative

    Given some of the CS students I've seen leaving both the BS and MS portions of UIUC's CS program for microsoft, not very good.

    --
    Slashdot Patriotism: We Support our Dupes!
  12. And the pain continues by Da_Slayer · · Score: 5, Informative

    Another IE security problem, are you surprised by this? Let's make an insecure piece of software that integrates into our operating system with portions of it running at Ring Zero. This allows whatever malicious code/hacker to gain access to your system.

    Now most people recommend just switching to Linux. Yeah that works. But what about those hacked Windows PCs that happen to be remotely controlled? Some are sending SPAM, others are used for DDoS attacks and others just scan all the IP space they can get ahold of.

    It is a vicious cycle which has been growing more pronounced over the past 4 years. The only real solution to this problem is to inform people. Don't just tell people to use something else.

    Explain the advantages of using a different program. In this case explain how Mozilla or Opera, being separate programs with different internal workings and security systems, are not going to be compromised as easily.

    --
    Push harder towards Open Media/Content
  13. Re:javascript by Anonymous Coward · · Score: 2, Informative

    Typically, JavaScript is not a requirement for anything except to compensate for poor website design.

    I have it turned off by default, and I rarely miss it. On the occasion when I land on a site which misbehaves without it, I take a moment to read the page source, and invariably find that nothing is going on there that couldn't be expressed better with stylesheets or computed on the server. And I find in about half of those cases that the pages remain broken even with JavaScript turned on.

    In principle, there are cases when you genuinely need to do client-side computation, or where it makes sense architecturally in designing an in-house application because the organization owns the clients as well as the servers.

    For general use, however, XHTML is sufficient.

  14. Re:100% Safe IE by afidel · · Score: 5, Informative

    You only THINK you are joking:

    The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself.
    linky

    This was for a previous IE link related exploit. When MS is telling you not to use their product in the most basic manner expected of the product then it should be painfully obvious that the product is broken.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  15. Re:javascript by minister+of+funk · · Score: 2, Informative

    However, not all browsers support CSS in this manner. While you could do it, if it is a key method of navigability, you will ostracize many many users. It is my experience that more modern browsers' javascript implementation is closer to feature-complete than is their CSS implementation.

    As an added bonus, I find that JavaScript is very handy as a prototyping language...

    Several people have mentioned that JavaScript is used only for roll-overs and such. You can do some truly wonderful UI stuff with JavaScript, such as leveraging the client's processor cycles to handle mundane but expensive tasks like sorting and layout. Sending a set of data to the client as javascript objects and CSS and laying it out at runtime is much more bandwidth-efficient than sending the formatted results of a query. PLUS, you can use javascript to pop up a new window and get a new dataset, which can be displayed with the same code used for the original. There are SO MANY nice things you can do with JavaScript. JavaScript is a technology that nicely enhances the user experience, but certainly can be misused.

  16. SP2 is not beta by Barlo_Mung_42 · · Score: 4, Informative

    It is RC1 and it is available here

  17. Exploit analysis by gmuslera · · Score: 5, Informative
    As it is not directly linked by the story, in http://62.131.86.111/analysis.htm there is an analysis of the exploit that looks very helpful to understand why and how it works.

    As always, what is exploited here are design problems present from the start; artificial solutions like separating the internet into "zones" (local, trusted, etc) are just patches that don't resolve the core problem, so it still has more holes than a Swiss cheese.

  18. Re:Time to get JavaScript off your site by pesc · · Score: 4, Informative

    Right... so it's time to turn to Struts and JSPs for validating every form on our site.

    Yes, because you can't trust the client! You can't trust that the client has javascript turned on. You can't even trust that he is running a web browser. He may be running some cool scripts and POSTing whatever malicious data he thinks would be fun to try.

    Really, if it is important to validate your data you need to do it on the server!

  19. Re:javascript by jandrese · · Score: 4, Informative

    Uh, you're forgetting about the third extremely prevalent use of Javascript: Navigation. Many sites use javascript apps for the regular links (especially if the link is supposed to pop up a small window with a little additional information). These sites are completely unusable if you disable Javascript. The worst part is that entities like banks and businesses are the most likely to use this form of navigation (because they hired "professional" web designers).

    I used to enable and disable Javascript a lot to deal with this problem, but then I switched to Mozilla and just left it on. It hasn't been a problem for me yet.

    --

    I read the internet for the articles.
  20. FYI to those JS abusers who might be reading by ChristTrekker · · Score: 2, Informative

    The previous poster pointed out the wrong way. The better way is `<a href="yourlink" onclick="popupFunctionOrWhatever('yourlink'); return false;">click here</a>`. This activates your JS function for those that have it and provides a normal link for those that don't. The `return false` prevents the normal link from being activated if the onclick is performed by JS-aware browsers.
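
The onclick pattern from this post as an added, runnable example (not the poster's code). It goes one step beyond the post: the handler only cancels the normal link when the popup actually opened, so a blocked popup still navigates. `popupLinkHtml`, `openPopup` and the injectable `win` parameter are assumed names.

```javascript
// Added example, not from the Slashdot post. Renders the progressive-enhancement
// link and implements its onclick handler so both can be exercised under Node.

// Escape the characters that matter inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build <a href="url" onclick="return openPopup(...)">text</a>.
// The URL is first made a JS string literal (JSON.stringify), then HTML-escaped,
// because the attribute value is decoded by the HTML parser before JS sees it.
function popupLinkHtml(url, text) {
  const jsLiteral = escapeAttr(JSON.stringify(url));
  return `<a href="${escapeAttr(url)}" onclick="return openPopup(${jsLiteral});">${escapeAttr(text)}</a>`;
}

// onclick handler. Returning false cancels the normal link (the post's behaviour).
// Caveat added here: if there is no window or the popup was blocked (open() gives
// null), return true so the browser follows href and the link keeps working.
function openPopup(url, win = globalThis.window) {
  if (!win || typeof win.open !== "function") return true; // no browser: follow href
  const handle = win.open(url, "_blank", "width=400,height=300");
  return handle === null || handle === undefined; // blocked -> true, opened -> false
}
```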

  21. Re:Time to get JavaScript off your site by ChristTrekker · · Score: 2, Informative

    Right, server-side validation is absolutely essential.

    But if you can implement client-side JS validation properly, there's nothing wrong with doing so. The user gets immediate feedback, without an extra round-trip just to be told to fix something. The user experience is greatly improved, and your server's burden is reduced since it only has to validate once thanks to already being validated on the client.
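
The setup described in this post and in the parent (client-side checks for feedback, server-side checks as the authority) as an added example that is not from either poster. One rule set is shared by both sides, and the server re-runs it on the raw body regardless of anything the client claims; `validateSignup`, `clientSubmit` and `handleSignupPost` are assumed names.

```javascript
// Added example, not from the Slashdot thread. The same validation rules run on
// the client (to save a round trip) and on the server (the check that counts).

// Each rule returns true or an error message. Field names are constructed.
const RULES = {
  username: (v) => /^[a-z0-9_]{3,16}$/.test(v) || "username: 3-16 chars, a-z 0-9 _",
  email: (v) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) || "email: not a valid address",
  age: (v) => (Number.isInteger(Number(v)) && Number(v) >= 13) || "age: whole number >= 13",
};

// Pure function shared by both sides; returns a list of error strings.
function validateSignup(fields) {
  const errors = [];
  for (const [name, rule] of Object.entries(RULES)) {
    const value = fields[name];
    if (typeof value !== "string" || value === "") {
      errors.push(`${name}: required`);
      continue;
    }
    const result = rule(value);
    if (result !== true) errors.push(result);
  }
  // A hand-crafted POST may carry fields the form never had; reject them.
  for (const name of Object.keys(fields)) {
    if (!(name in RULES)) errors.push(`${name}: unexpected field`);
  }
  return errors;
}

// Client side: give immediate feedback and only submit when the rules pass.
function clientSubmit(fields) {
  const errors = validateSignup(fields);
  return errors.length === 0
    ? { submit: true, body: JSON.stringify(fields) }
    : { submit: false, errors };
}

// Server side: parse the raw body and re-run the rules. Nothing the client sends
// (including a "clientValidated" marker) shortcuts this step.
function handleSignupPost(rawBody) {
  let fields;
  try {
    fields = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, errors: ["malformed JSON"] };
  }
  if (fields === null || typeof fields !== "object" || Array.isArray(fields)) {
    return { status: 400, errors: ["body must be an object"] };
  }
  const errors = validateSignup(fields);
  return errors.length === 0 ? { status: 201, errors: [] } : { status: 400, errors };
}
```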

  22. extremely sophisticated use of encrypted code by landoltjp · · Score: 5, Informative

    Dutch researcher Jelmer [...] embarked on a detailed analysis of the link, which demonstrates an extremely sophisticated use of encrypted code.

    Hmm... I hardly consider using the (unfortunately) existing Script encoding feature in IE to be 'sophisticated'. Besides, for those who are not DMCA-encumbered, here is a program to Decode the Javascript contained in the "JScript.Encode" areas. (The author of the script has an interesting and informative article on what a piece of crap the JScript.Encode function is, and can be found here)

  23. Re:But wait--here's another list of vulnerabilitie by HBI · · Score: 4, Informative

    You forgot to tell the reader one thing - all those bugs in Mozilla are already fixed.

    None of the ones in the IE list are.

    Either you don't read carefully or you are purposefully trying to mislead, I can't decide which.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  24. Sigh by Anonymous Coward · · Score: 2, Informative

    As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway

    There aren't exploits I'm aware of for JavaScript. JavaScript was originally written by Netscape, and to all intents and purposes, runs in a sandbox.

    Microsoft's implementation of JavaScript is called Jscript.

    From what I can tell of the exploit, it has to do with Microsoft's insecure DHTML model.

    From the MS documentation of the execScript method :

    execScript
    Executes the specified script in the provided language.

    Standards Information :
    There is no public standard that applies to this method.

    Shame that so many fucking "experts" can't get their terminology right.

  25. SO FSCKING REMOVE IE! by The+Fifth+Man · · Score: 3, Informative
  26. What keeps you on Windoze? by twitter · · Score: 2, Informative
    On the plus side, we remove the ability for them to run Internet Explorer, and provide Firefox as their standard browser.

    Not a bad start.

    We don't let them even see their C: drive, either (amongst other restrictions). Draconian? Yes, but it's the only sane approach for a corporate network. With what we give them, they can accomplish everything they need to get their job done.

    Sane? I have my doubts, when free OSes exist that require far less effort on your part. What exactly do your users need to get their job done? How do you know? Do you realize that by doing all of that you have eliminated almost all of the reasons to run windoze in the first place? Why pay for something you don't want to use? I'd rather have a KDE desktop that I can plug my camera and PDA into. You must have some nasty DOS thing holding you back.

    --

    Friends don't help friends install M$ junk.

    1. Re:What keeps you on Windoze? by Tet · · Score: 3, Informative
      I have my doubts, when free OSes exist that require far less effort on your part. What exactly do your users need to get their job done?

      More than can be provided under Linux at the moment. Trust me, if I could have rolled out Linux desktops, I would have done so long ago.

      I'd rather have a KDE desktop that I can plug my camera and PDA into.

      I'm sure you would. Equally, it's my job to ensure that you can't :-) It's a vector for introducing unauthorised and potentially harmful files onto our corporate network. No thank you.

      You must have some nasty DOS thing holding you back.

      No, but there's a lot more to running a standard office than just Word, Excel, mail and web browsing. The call centre need integration with the phone system, for example. Various people need MS Project or Visio. Finance need SAP. Marketing and analytics need SAS. The creative team use Photoshop, Illustrator, etc. Yes, a lot of people could get 90% of their job done with a Unix desktop. But that remaining 10% is important, and the missing 10% is different for each department.

      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
  27. Re:Idealism must mesh with reality... by 1010011010 · · Score: 3, Informative

    However, there are still websites that only render correctly within Internet Explorer. The Dell website is a great example.

    I've not used IE in at least a year, and I regularly buy things from Dell.com at work. Once, they did a boneheaded thing that was IE-specific and interfered with navigation of their site. I emailed their webmaster, and called Dell. I also told their sales staff that I was unable to complete my purchases online because their site was broken. And you know what? They fixed it!

    If a vendor's website doesn't work for you, call them and make them sell to you over the phone. They'll get the picture.

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  28. Windows explorer = IE by grepistan · · Score: 2, Informative

    Damn right, Jim. Watch the process in win2K for example, when you switch from a local page of some kind to something on the net. explorer.exe grabs a bit more memory and continues running with the same PID. I don't know much about the internals of Win2K, but IMO IE and windows explorer are one and the same. I don't think we should infer too much from the different applications.

    Because of the built-in nature of IE, it is in fact impossible to fully remove it from Windows 2K IME without breaking the OS. I suspect it is similar in XP also.

    --
    Real stupidity beats artificial intelligence every time.
    -- Terry Pratchett, Hogfather