Another Zero-Day IE Scripting Exploit
billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."
Here is the BugTraq Archive link. WARNING: the link to this site contains OTHER links to the ACTUAL exploit as well as the source code and a non-harmless display. Use at your OWN risk. Just thought I would put out the disclaimer.
Hmmm.
Unfortunately, some businesses restrict what software the employees can install on their computer. I've written about such an experience here.
Even more disappointing is that this hole in IE is then used to put a file on your computer, and then the file takes advantage of a local exploit that Microsoft has known about since August of 2003. Yet they have failed to patch it.
If my answers frighten you, stop asking scary questions.
Exploits like these, on the other hand, are akin to a passive attack from the inside (like an infected laptop connected from inside the firewall) but are even more serious, because very little action is required on part of the user to affect the attack and *very* difficult to monitor and contain.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
I tried the demonstration, and Norton popped up and prevented the thing from running. Apparently someone's on the ball somewhere.
Let's not stir that bag of worms...
Symantec catches this vulnerability as the following:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Downloader.Trojan
File: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\67HK1KWV\installer[1].html
Location: Quarantine
Computer: Computer
User: User
Action taken: Quarantine succeeded : Access denied
Date found: Wednesday, June 09, 2004 11:56:26 AM
Most corporations should have little to worry about.
-Tolerate my intolerance
Reference to Microsoft advice (he was trying to be funny, you insensitive clod.)
Given some of the CS students I've seen leaving both the BS and MS portions of UIUC's CS program for Microsoft, not very good.
Slashdot Patriotism: We Support our Dupes!
Usually, people that find a security hole will keep it to themselves and alert the vendor about it. Then, giving them substantial time (in Microsoft's case) to fix the hole, you can release the hole and how it was exploited. When a hole is released in the wild without the vendor knowing about it, it's called 0-day.
Hmmm.
Another IE security problem, are you surprised by this? Let's make an insecure piece of software that integrates into our operating system with portions of it running at Ring Zero. This allows whatever malicious code/hacker to gain access to your system.
Now most people recommend just switching to Linux. Yeah that works. But what about those hacked Windows PCs that happen to be remotely controlled? Some are sending SPAM, others are used for DDoS attacks, and others just scan all the IP space they can get ahold of.
It is a vicious cycle which has been growing more pronounced over the past 4 years. The only real solution to this problem is to inform people. Don't just tell people to use something else.
Explain the advantages of using a different program. In this case explain how Mozilla or Opera, being separate programs with different internal works and security systems, are not going to be compromised as easily.
Push harder towards Open Media/Content
Zero-day means the exploit was created on the same day the bug was found. For example, if somebody finds a hole in Apache (to pick a random software title) but nobody begins to exploit it until, say, a week later, it is not zero-day. This thing was so simple to exploit that somebody already has a working exploit running.
If my answers frighten you, stop asking scary questions.
You only THINK you are joking:
The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself.
linky
This was for a previous IE link related exploit. When MS is telling not to use their product in the most basic manner expected of the product then it should be painfully obvious that the product is broken.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
It is RC1 and it is available here
As always, it is design problems present from the start that are exploited here; artificial solutions like separating the internet into "zones" (local, trusted, etc.) are just patches that don't resolve the core problem, so it still has more holes than a Swiss cheese.
Right... so it's time to turn to Struts and JSPs for validation every form on our site.
Yes, because you can't trust the client! You can't trust that the client has javascript turned on. You can't even trust that he is running a web browser. He may be running some cool scripts and POSTing whatever malicious data he thinks would be fun to try.
Really, if it is important to validate your data you need to do it on the server!
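The point in the reply above, that validation has to happen on the server because the client may have JavaScript off or may not be a browser at all, as an added example (not code from the original thread): a Python handler that validates a constructed order form with name, email, sku and quantity fields. Everything here (the field names, the catalogue, the two sample POST bodies) is constructed for the example; the catalogue price is taken from the server's own table and never from the client.

```python
import re

# Fields the form defines; anything else in the POST body is suspicious.
ALLOWED_FIELDS = {"name", "email", "sku", "quantity"}
# Constructed catalogue: the server, not the client, decides prices.
CATALOG = {"WIDGET-1": 19.99, "GADGET-2": 49.50}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
MAX_NAME_LEN = 64


def validate_order_form(fields):
    """Validate a submitted order form on the server.

    `fields` is the decoded POST body as a dict of str -> str. Every value is
    treated as hostile: the client may have disabled JavaScript, may not be a
    browser, or may be a script sending whatever it likes. Returns
    (ok, errors, cleaned), where errors maps field -> message.
    """
    errors = {}
    cleaned = {}

    # Reject fields the form never defines (e.g. a client-supplied "price").
    unexpected = sorted(set(fields) - ALLOWED_FIELDS)
    if unexpected:
        errors["_unexpected"] = "unknown fields: " + ", ".join(unexpected)

    name = fields.get("name", "")
    if not 1 <= len(name.strip()) <= MAX_NAME_LEN:
        errors["name"] = f"name must be 1-{MAX_NAME_LEN} characters"
    elif re.search(r"[<>]", name):
        # Allowlist choice for a name field; output encoding is still needed.
        errors["name"] = "name contains disallowed characters"
    else:
        cleaned["name"] = name.strip()

    email = fields.get("email", "")
    if not EMAIL_RE.match(email):
        errors["email"] = "email address is not well-formed"
    else:
        cleaned["email"] = email

    sku = fields.get("sku", "")
    if sku not in CATALOG:
        errors["sku"] = "unknown product"
    else:
        cleaned["sku"] = sku

    qty = fields.get("quantity", "")
    # str.isdigit() rejects "-1", "1e3", "" and whitespace in one check.
    if not qty.isdigit() or not 1 <= int(qty) <= 99:
        errors["quantity"] = "quantity must be an integer from 1 to 99"
    else:
        cleaned["quantity"] = int(qty)

    # The total is derived from the catalogue only once everything is valid.
    if not errors:
        cleaned["total"] = round(CATALOG[cleaned["sku"]] * cleaned["quantity"], 2)
    return (not errors, errors, cleaned)


# Constructed sample submissions: one from the real form, one hand-crafted
# by a client that skipped the browser-side checks entirely.
HONEST_POST = {"name": "Ada", "email": "ada@example.com",
               "sku": "WIDGET-1", "quantity": "2"}
CRAFTED_POST = {"name": "<script>x</script>", "email": "not-an-address",
                "sku": "WIDGET-1", "quantity": "-1", "price": "0.01"}

if __name__ == "__main__":
    for label, post in (("honest", HONEST_POST), ("crafted", CRAFTED_POST)):
        ok, errors, cleaned = validate_order_form(post)
        print(label, "accepted" if ok else "rejected", errors or cleaned)
```

The crafted body is rejected on four independent grounds, and the `price` it tried to smuggle in is never read; any browser-side JavaScript that performs the same checks is a convenience for honest users, not a control.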
Uh, you're forgetting about the third extremely prevalent use of Javascript: navigation. Many sites use javascript apps for the regular links (especially if the link is supposed to pop up a small window with a little additional information). These sites are completely unusable if you disable Javascript. The worst part is that entities like banks and businesses are the most likely to use this form of navigation (because they hired "professional" web designers).
I used to enable and disable Javascript a lot to deal with this problem, but then I switched to Mozilla and just left it on. It hasn't been a problem for me yet.
I read the internet for the articles.
Dutch researcher Jelmer [...] embarked on a detailed analysis of the link, which demonstrates an extremely sophisticated use of encrypted code.
Hmm... I hardly consider using the (unfortunately) existing Script encoding feature in IE to be 'sophisticated'. Besides, for those who are not DMCA-encumbered, here is a program to decode the Javascript contained in the "JScript.Encode" areas. (The author of the script has an interesting and informative article on what a piece of crap the JScript.Encode function is, which can be found here.)
You forgot to tell the reader one thing - all those bugs in Mozilla are already fixed.
None of the ones in the IE list are.
Either you don't read carefully or you are purposefully trying to mislead, I can't decide which.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Sigh.
Remove Internet Explorer from Windows 2000. (Free)
Remove Internet Explorer from Windows XP.(Free)
FDV
However, there are still websites that only render correctly within Internet Explorer. The Dell website is a great example.
I've not used IE in at least a year, and I regularly buy things from Dell.com at work. Once, they did a boneheaded thing that was IE-specific and interfered with navigation of their site. I emailed their webmaster, and called Dell. I also told their sales staff that I was unable to complete my purchases online because their site was broken. And you know what? They fixed it!
If a vendor's website doesn't work for you, call them and make them sell to you over the phone. They'll get the picture.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
More than can be provided under Linux at the moment. Trust me, if I could have rolled out Linux desktops, I would have done so long ago.
I'd rather have a KDE desktop that I can plug my camera and PDA into.
I'm sure you would. Equally, it's my job to ensure that you can't :-) It's a vector for introducing unauthorised and potentially harmful files onto our corporate network. No thank you.
You must have some nasty DOS thing holding you back.
No, but there's a lot more to running a standard office than just Word, Excel, mail and web browsing. The call centre need integration with the phone system, for example. Various people need MS Project or Visio. Finance need SAP. Marketing and analytics need SAS. The creative team use Photoshop, Illustrator, etc. Yes, a lot of people could get 90% of their job done with a Unix desktop. But that remaining 10% is important, and the missing 10% is different for each department.
"The invisible and the non-existent look very much alike." -- Delos B. McKown