Slashdot Mirror
Another Zero-Day IE Scripting Exploit
billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."
This really does get boring, reading about these IE holes and vulnerabilities. I'm still at a loss to understand why a powerful global corperation in business for decades is incapable of fixing fundamental problems with their browser which are showing up again and again.
;), but why should a web browser EVER
be capable of causing such chaos?
It's entirely possible to be user-friendly and easy-to-use, as browsers such as Mozilla, FireFox and Opera show. However, seeing serious and trivial-to-exploit vulnerabilites like this popping up so frequently makes me wonder what kind of programmers actually work for Microsoft.
I imagine the codebase for a complex feature-rich browser could get quite large and complicated, and modern browsers seem to have everything built in but the kitchen sink (in Microsoft's case, an entire OS is embedded into IE...
A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.
The IE security issue dejure.. How about an MS update that simply shuts down all that extra junk by default instead of leaving it open for average Joe User? Make them turn it on if they absolutely need it for whatever reason. Duh!!
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
I'm sorry... javascript is a requirement on the modern web. If you are afraid to leave it on, you might want to look into switching browsers. Next you'll tell us cookies are "tracking you" and you should turn that off as well.
" You can download a fix for this here."
How come nobody can just say "If you're worried about this, you might consider using Mozilla.."?
In that case it would be up to the network administrator to put secure software on the users machines. Why would they want to take such a risk by running Internet Explorer?
Things you think are in the Constitution, but are not.
It's called irony, but in some circles it is known simply as humor. Now available in a low-carb variety!
I bet most of the people on slashdot are aware of the constant problems with IE/Windows. Maybe if Microsloth got smart, they would include a popup with minesweeper and Solitaire that would check their systems for vulnerabilities while they were playing the game. If it automatically patched their systems, GREAT.
I think something like that would knock out most of the vulnerable sales people, secretaries, and executatives in the business world.
Why read the article when I can just make up a snap judgement?
Yeah, so who forced IE to be integrated with the OS?
Sure, don't blame X for being buggy, it's bugginess is result of braindead design.
Don't blame me for setting your house on fire, I'm a habitual smoker and can't stand a hour without a smoke.
Integration with OS was a conscious and completely wrong move and nobody else is to be blamed for that than Microsoft!
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
But that's the problem. The web browser shouldn't be integrated that way into the system.
Because if you are still using IE after all this time - and all these vulnerabilities, obviously someone in your IT chain is incompetent.
Whether it's the CEO, the IT manager, or you personally, someone isn't doing their job. The typical lame excuses of incorrect rendering or ActiveX or the fact that people can't visit their favorite game sites are all solvable. Obviously someone just doesn't care enough.
I don't think anyone is bound to coddle you, in any event.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
You have to measure the customers you get through faster, or better, vs the ones you lose. Considering most people.. and most meaning everyone minus a tiny percentage.. have js enabled, either 'cause they are clueless or understand it, you aren't losing much.
-
ping -f 255.255.255.255 # if only
You can download a fix for this here [Mozilla].
First you should read this (which is known to be incomplete), and this, a rather strange policy.
Mozilla is a very nice browser, but it's not the kind of fortress most users think it is.
You're wrong. Javascript doesn't need to be avoided, it needs to be used sensibly. When it's used in the right way, it can improve the usability of a website.
Just because a website uses Javascript, it doesn't mean that it locks out those who have switched it off. The key is to educate the clueless Javascript abusers that do things like <a href="javascript:... or <a href="#" onclick... so that they don't lock people out.
"One Military One Operating System"... I was responsible for the Solaris and Linux servers
Not to be picky, but you mentioned two operating systems, and implied another one. That makes three total. I think that helps to indicate why they didn't laugh at your attempt at humor.
While we're dealing with the extra load processing validations that used to be client side (you know, the extra load only a few hundred thousand users visiting every day can generate), maybe then we can start explaining to the people that actually make the decisions why doing all of the above made our site more inconvenient, not less.
Or maybe a certain large company can actually take some responsbility and help make more secure the tools that we need for our business to work effectively.
Disclaimer: usually, the people that know how to turn off Javascript are the ones that are capable of inputting data into a form the right way the first time, so we don't have a big problem with that.
-Rob
Marriage doesn't have to suck!
I do feel that linking to the exploit itself is a little like getting on TV and saying, "There's a security problem at this nuclear weapons facility, and here's how you'd exploit it and get yourself a nuclear bomb. But don't do it, because owning nuclear weapons (which the unguarded facility has, in warehouse 23-B) is wrong!"
But I also realize that shedding light on the issue will help sysadmins take care of the problem, and most script kiddies prefer to read sites about "hahaha hax0rzing is kew3l kekekekekekekekeke!!!! ^___^"
*****
Dear Mary,
I yearn for you tragically,
A.T. Tappman, Chaplain, U.S. Army.
I though exploits only happened AFTER Microsoft issued a patch? I thought haxors were decompiling patches and such? At least that is Microsoft's line.
Also not long ago many of the Microsoft backers here(yes there are many) were daring people to come up with an exploit that happened before MS issued a patch. Well...Here you go.
Microsoft used IE as a strategic tool. When it did so, browsers were in such a state of flux, that changing from Netscape 3 to 4 to wasn't much different than changing from Netscape 3 to IE 4. The mistake Microsoft is making is that if people start migrating away from IE, then there is no turning back. The browser market is moving slow, so the ease/incentive to move is significantly lower.
IT departments are going to be looking at changing browsers, and once they change, I doubt Microsoft will be able to regain the foothold.
Ok, I give up, why you?
And worse, that happens in every IE descendant? There are a lot of "alternative" browsers that are uses IE engine to render html, sites, help files, whatever to show their content, including specially outlook (and that probably will mean a new mail worm in the next few days).
Do people even use IE anymore? Is there some advantage, or is it just lack of interest/knowledge to get a new browser?
---
Adult Toys
No No No No.
The security issue is NOT Javascript. It's ActiveX.
Tell people to turn off ActiveX, and for goodness sake leave JS on.
Building websites that actually display and work properly on today's most used browser (guess which one that is...) is hard enough without having to worry about the 4% of die-hards who turn JS off.
You're right. It's so much easier to support every possible browser/OS combination.
Maybe for the same reason they'd use a non-standards-compliant browser.
I'm in the hole of the broadband donut.
"The only reason there are so many of them [ security vulnerabilities] in IE is that its integrated well with OS."
Actually it's the exact opposite: It's integrated so piss-poorly with Windows, with no regard for security implications of the design. MS could have easily set up IE to play nicely in its own application space, rather than weaving it deep into the OS like a brain cancer.
IE never gives me problems because I'm using it on a Mac (OS9). In 10 years I've never been touched by an exploit, worm or virus. Windows users will be patching and updating through the next 3 generations of hardware, as they have been since 486 days. Please, this isn't flamebait. I prefer IE over Opera, Mozilla (Netscape), and everything else. (Although Wannabe is a great text-only browser--lean and fast.) The problem is definitely in the OS. And to the usual astroturf reply, "just wait til exploit writers target Macs," it's not going to happen for the lifetime of the Mac I'm on, during which I will have peace of mind. How many more exploits will we read about on Slashdot in that timeframe? Guesses?
This kind of thing has become a serious problem. And no, up-to-date antivirus software and Windows' builtin firewall are not the answer.
The problem with this one is that, by the time client's antivirus software is up to date for the latest viruses, worms, and exploits, the damage is already done. I have had Windows boxes on which the antiviruses were updated twice daily - just to find that by the time I had received the update, the malicious software had already been on the machine. God knows for how long.
On a Windows box at home, despite antivirus software, Windows' builtin firewall and a 3rd party firewall software, I once counted 12 (!) different infections within less than 24 hours.
Interestingly enough, it's gotten much better for me at home since I've been running my Windows box through a Linux gateway. Still, stuff slips through, but it's on the order of one a week or so. This has taught me one lesson:
If you have to run Windows on a machine connected to the net, for your own sake and the sake of others you're prone to infect, run a reliable hardware router with a reliable firewall, or take an old computer and run a linux gateway/router. You wouldn't believe how much trouble you'll spare yourself.
No that was Mosaic.
Are you crazy? Client side validation is _only_ useful for cosmetics, being able to alert the user to an error before they submit the form. Anyone who doesn't validate everything on the server is just bending over and asking for it...
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
While we're dealing with the extra load processing validations that used to be client side
If you're not validating data server-side then you are asking for trouble - Client side validation makes things nicer for the end user since they are told about invalid data sooner, server-side validation stops someone (intentionally or unintentionally) entering junk into your systems. And remember that allowing a user to enter junk is potentially destructive to your systems. You should really be doing both client side and server side validation - the client is untrusted so never trust that the data coming from the client is valid, even if you _think_ it probably went through a validator on their end.
http://blog.nexusuk.org
0-day does not mean that there is "no-fix". No-fix just means that it is currently exploitable.
0-day hacks by definition are generally unknown. They may have been newly discovered, they may have been discovered by someone ages ago. The key is that they are generally unknown, and therefor can be used as a sort of currency (having discovered or access to an 0-day can get you into groups that trade in such things), or can be utilized as a last ditch approach at comprimising a machine you absolutely need to compromise (actually using an 0-day for something mundane would be a tremendous waste of a valuable resource).
This is just another publicly visible hack of IE. And thinking about it, go ahead and call them 0-day's, those in the know, know better, those that don't... Well who cares.
I love how so many articles contain ridiculous jabs thrown in right after the fact-finding portion. Disable Javascript? LOL. What the h-e-double-hockey-sticks is the submitter thinking?
"Politicians find new names for institutions which under old names have become odious to the people."
If employees are able to buy stock, then they have another avenue of insisting on more-decent computing experiences at work. You go to the shareholders meetings and raise a stink over the problems with your software and bosses attitudes. There are several interesting avenues to explore there, pun intended.
There's also these things called unions, and they are useful for more things than just negotiating a raise. Unions have been used to help introduce worker safety,more sane and family friendly working hours, etc, so there's nothing stopping a union from working towards negotiating efficiency, either.
It's when you are JUST an employee and not a part owner, and when you are JUST negotiating alone instead of being part of a group that you will be constantly screwed in dealing with management problems.
Nothing's a fortress, not even Linux (Hello? GNU, Gentoo, Debian, Gnome, Savannah, and more were hacked last year).
Give Mozilla the widespread usage (which is like industrial-strength beta-testing) that Internet Explorer has and see how many holes are blown open in it. Nothing is perfect, and it's silly and arrogant to pretend one project is a perfect solution above all others. This goes for anything, from operating systems to web browsers.
I'm an Opera user through and through, but most of my friends use MyIE, which gives them tabbed browsing, pop-up blocking, and more, but using IE's system libraries to render pages. It's their choice.
As an end user, there is pretty much nothing I can do about this.
Yes, there is. Don't visit those sites and do not buy their products. If you just shrug your shoulders, fire up IE, and browse their site and/or buy their products anyway, why should they change it?
Popup functions just annoy people who use tabbed browsing - specifying a target name will open in either a new window, or new tab, consistent with what your user prefers.
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
The problem is that Microsoft is fixing holes.
See, the root cause of these problems is that Microsoft took a bunch of architectural shortcuts that made it really easy for them to create a lot of nifty features, and also made it really easy for others to create a bunch of nifty exploits. And, surprise surprise, the exploits keep on coming.
But rather than fix the architectural problems, rather than admit that they messed up, rather than go back and try to re-create all those nifty features with a solid architecture, rather than remove features that depend on the shoddy design, instead Microsoft's response is to try to preserve their lousy architecture, and simply patch each individual hole as it is discovered. This is somewhat similar to plastering over the cracks in the walls as they keep appearing, rather than admitting that the foundation is failing and the whole house needs to be rebuild.
There is no relief in sight for Microsoft users, ever.
This is a good example of why everybody should be embracing open standards rather than using proprietary methods.
In the end you could be stuck using insecure software because you're locked in.
It's funny how some people just deny the existance of lock-in. When you have people using insecure software because they've made use of proprietary/closed methods, surely it's plain to see the truth?
Linux/Open Source/Anti Microsoft News
Why would they want to take such a risk by running Internet Explorer?
"Because many web based applications require it. Our SAP system for procurement for instance requires IE 6 on a Windows box."
Why use IE for all, potentially harmful web access when it's only needed for a couple applications? You could restrict IE to only work for certain sites, and make your users use Mozilla/Firefox/Opera/etc for the rest of their web. Put IE in it's place, only where it's needed, and use something better for the rest!
There is a certain amount of pragmatic value in your advice, but you entirely miss the point of what the Internet is, and why so many people have worked so hard for so many decades to make it work. This is a medium for sharing and accessing data with an unlimited number of individuals, who may be known or unknown.
Standards are written and revised to account for this, and provide security in the face of exposure. Some people/companies are just too dumb/lazy/evil to actually fix the problems they know exist. And the average internet user should not be expected to understand the technical issues involved in this security. A web browser, by definition, should be able to connect to unknown/untrusted hosts and present the user with whatever kind of "rich multimedia experience" the content creators have imagined - within a framework of safety and protection from malicious code. This is more than possible. This should be taken as a given.
Now, as I said, the reality is not so perfect. There are known exploits and unknown exploits. I'm sure there are probably even unknown unknowns. But, I will consider the internet to have been a complete failure if I end up restricted to having the reality of the great-big-world around me presented by the likes of the CNN and BBC.
Get rid of IE. True you can't uninstall it, but you can at least use a different default browser.
If your a network administrator and there are certain websites that are needed for work and require IE, that's simple enough to solve.
Install a proxy, set IE to use that proxy and have the proxy only allow those websites to load. Then pre-load IE with those favorites. Finally have every user send each company an email a day bitching about their broken software.
The additional cost of the IE proxy, well simply explain to management that is part of the overhead of using windows and IE. Further explain that website X, X, X, X are security holes and that for now you've got to do the best you can to get around it. When they balk at the security thing, explain that at least weekly for the past couple years there has been a vulnerability in IE which could have given complete access to accounting.
That puts things in perspective. Now you can use Mozilla/Firebird, users can still browse those sites they need for work that are IE only. And the boss is aware that Microsoft = serious security risk, one that would allow someone else to take their money and devalue the company stock.
I'm guessing that you carefully explained to them why it wasn't working for you, and what they could do about it. That was kind and well-intentioned; you did most of the initial work for them. I'm sure that whoever read your emails realized that you were another of those linuks kooks that have been pestering them, and trashed your email.
If you had written a snail-mail letter to the president of the company, saying something like:
You would have been recognized as part of their target demographic (unsophisticated, has money), and they would have seen a need for action. There would have been a memo from on high saying: ``Find out what happened, and make sure it never happens again.''See what I've been reading.
yeah.. and its funny how that works:
IE="no software installed"
Mozilla="extra software that needs approval to be installed"
If the 95% of the population which uses IE were paying attention, they'd have ActiveX and Javascript turned off today, and be unable to access any of these sites.
What makes Microsoft so dangerous is not just that their software is shit. Its that in the process of subverting the market they scooped up the segment of the population that is completely oblivious to the inner workings of their computer.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
If an application requires a specific piece of client-side software, it's not a "web application." If it were a "web application," it would work in a "web browser." Maybe it uses some HTML somewhere for presentation, but it's just a Windows Application in reality.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
What a load of rubbish. You're right about Active Scripting, but there's nothing wrong with Javascript, and sensible use of Javascript makes the whole web more responsive.
For example, when you fill in a form, local Javascript should validate the entries whenever possible. This gives much quicker feedback to the user because it avoids a round-trip to the server (and it reduces the load on the server as well). We need more sites doing this, not fewer.
(Of course, all validation has to be repeated on the server, but "pre"-validation is still a huge time-saver, bandwidth-saver, and server-load-saver).