Slashdot Mirror
Another Zero-Day IE Scripting Exploit
billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."
This really does get boring, reading about these IE holes and vulnerabilities. I'm still at a loss to understand why a powerful global corperation in business for decades is incapable of fixing fundamental problems with their browser which are showing up again and again.
;), but why should a web browser EVER
be capable of causing such chaos?
It's entirely possible to be user-friendly and easy-to-use, as browsers such as Mozilla, FireFox and Opera show. However, seeing serious and trivial-to-exploit vulnerabilites like this popping up so frequently makes me wonder what kind of programmers actually work for Microsoft.
I imagine the codebase for a complex feature-rich browser could get quite large and complicated, and modern browsers seem to have everything built in but the kitchen sink (in Microsoft's case, an entire OS is embedded into IE...
A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.
The IE security issue dejure.. How about an MS update that simply shuts down all that extra junk by default instead of leaving it open for average Joe User? Make them turn it on if they absolutely need it for whatever reason. Duh!!
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
I'm sorry... javascript is a requirement on the modern web. If you are afraid to leave it on, you might want to look into switching browsers. Next you'll tell us cookies are "tracking you" and you should turn that off as well.
In that case it would be up to the network administrator to put secure software on the users machines. Why would they want to take such a risk by running Internet Explorer?
Things you think are in the Constitution, but are not.
I bet most of the people on slashdot are aware of the constant problems with IE/Windows. Maybe if Microsloth got smart, they would include a popup with minesweeper and Solitaire that would check their systems for vulnerabilities while they were playing the game. If it automatically patched their systems, GREAT.
I think something like that would knock out most of the vulnerable sales people, secretaries, and executatives in the business world.
Why read the article when I can just make up a snap judgement?
Yeah, so who forced IE to be integrated with the OS?
Sure, don't blame X for being buggy, it's bugginess is result of braindead design.
Don't blame me for setting your house on fire, I'm a habitual smoker and can't stand a hour without a smoke.
Integration with OS was a conscious and completely wrong move and nobody else is to be blamed for that than Microsoft!
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
But that's the problem. The web browser shouldn't be integrated that way into the system.
Because if you are still using IE after all this time - and all these vulnerabilities, obviously someone in your IT chain is incompetent.
Whether it's the CEO, the IT manager, or you personally, someone isn't doing their job. The typical lame excuses of incorrect rendering or ActiveX or the fact that people can't visit their favorite game sites are all solvable. Obviously someone just doesn't care enough.
I don't think anyone is bound to coddle you, in any event.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
You can download a fix for this here [Mozilla].
First you should read this (which is known to be incomplete), and this, a rather strange policy.
Mozilla is a very nice browser, but it's not the kind of fortress most users think it is.
You're wrong. Javascript doesn't need to be avoided, it needs to be used sensibly. When it's used in the right way, it can improve the usability of a website.
Just because a website uses Javascript, it doesn't mean that it locks out those who have switched it off. The key is to educate the clueless Javascript abusers that do things like <a href="javascript:... or <a href="#" onclick... so that they don't lock people out.
While we're dealing with the extra load processing validations that used to be client side (you know, the extra load only a few hundred thousand users visiting every day can generate), maybe then we can start explaining to the people that actually make the decisions why doing all of the above made our site more inconvenient, not less.
Or maybe a certain large company can actually take some responsbility and help make more secure the tools that we need for our business to work effectively.
Disclaimer: usually, the people that know how to turn off Javascript are the ones that are capable of inputting data into a form the right way the first time, so we don't have a big problem with that.
-Rob
Marriage doesn't have to suck!
And worse, that happens in every IE descendant? There are a lot of "alternative" browsers that are uses IE engine to render html, sites, help files, whatever to show their content, including specially outlook (and that probably will mean a new mail worm in the next few days).
Do people even use IE anymore? Is there some advantage, or is it just lack of interest/knowledge to get a new browser?
---
Adult Toys
You're right. It's so much easier to support every possible browser/OS combination.
"The only reason there are so many of them [ security vulnerabilities] in IE is that its integrated well with OS."
Actually it's the exact opposite: It's integrated so piss-poorly with Windows, with no regard for security implications of the design. MS could have easily set up IE to play nicely in its own application space, rather than weaving it deep into the OS like a brain cancer.
IE never gives me problems because I'm using it on a Mac (OS9). In 10 years I've never been touched by an exploit, worm or virus. Windows users will be patching and updating through the next 3 generations of hardware, as they have been since 486 days. Please, this isn't flamebait. I prefer IE over Opera, Mozilla (Netscape), and everything else. (Although Wannabe is a great text-only browser--lean and fast.) The problem is definitely in the OS. And to the usual astroturf reply, "just wait til exploit writers target Macs," it's not going to happen for the lifetime of the Mac I'm on, during which I will have peace of mind. How many more exploits will we read about on Slashdot in that timeframe? Guesses?
This kind of thing has become a serious problem. And no, up-to-date antivirus software and Windows' builtin firewall are not the answer.
The problem with this one is that, by the time client's antivirus software is up to date for the latest viruses, worms, and exploits, the damage is already done. I have had Windows boxes on which the antiviruses were updated twice daily - just to find that by the time I had received the update, the malicious software had already been on the machine. God knows for how long.
On a Windows box at home, despite antivirus software, Windows' builtin firewall and a 3rd party firewall software, I once counted 12 (!) different infections within less than 24 hours.
Interestingly enough, it's gotten much better for me at home since I've been running my Windows box through a Linux gateway. Still, stuff slips through, but it's on the order of one a week or so. This has taught me one lesson:
If you have to run Windows on a machine connected to the net, for your own sake and the sake of others you're prone to infect, run a reliable hardware router with a reliable firewall, or take an old computer and run a linux gateway/router. You wouldn't believe how much trouble you'll spare yourself.
Are you crazy? Client side validation is _only_ useful for cosmetics, being able to alert the user to an error before they submit the form. Anyone who doesn't validate everything on the server is just bending over and asking for it...
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
While we're dealing with the extra load processing validations that used to be client side
If you're not validating data server-side then you are asking for trouble - Client side validation makes things nicer for the end user since they are told about invalid data sooner, server-side validation stops someone (intentionally or unintentionally) entering junk into your systems. And remember that allowing a user to enter junk is potentially destructive to your systems. You should really be doing both client side and server side validation - the client is untrusted so never trust that the data coming from the client is valid, even if you _think_ it probably went through a validator on their end.
http://blog.nexusuk.org
0-day does not mean that there is "no-fix". No-fix just means that it is currently exploitable.
0-day hacks by definition are generally unknown. They may have been newly discovered, they may have been discovered by someone ages ago. The key is that they are generally unknown, and therefor can be used as a sort of currency (having discovered or access to an 0-day can get you into groups that trade in such things), or can be utilized as a last ditch approach at comprimising a machine you absolutely need to compromise (actually using an 0-day for something mundane would be a tremendous waste of a valuable resource).
This is just another publicly visible hack of IE. And thinking about it, go ahead and call them 0-day's, those in the know, know better, those that don't... Well who cares.
I love how so many articles contain ridiculous jabs thrown in right after the fact-finding portion. Disable Javascript? LOL. What the h-e-double-hockey-sticks is the submitter thinking?
"Politicians find new names for institutions which under old names have become odious to the people."
Nothing's a fortress, not even Linux (Hello? GNU, Gentoo, Debian, Gnome, Savannah, and more were hacked last year).
Give Mozilla the widespread usage (which is like industrial-strength beta-testing) that Internet Explorer has and see how many holes are blown open in it. Nothing is perfect, and it's silly and arrogant to pretend one project is a perfect solution above all others. This goes for anything, from operating systems to web browsers.
I'm an Opera user through and through, but most of my friends use MyIE, which gives them tabbed browsing, pop-up blocking, and more, but using IE's system libraries to render pages. It's their choice.
As an end user, there is pretty much nothing I can do about this.
Yes, there is. Don't visit those sites and do not buy their products. If you just shrug your shoulders, fire up IE, and browse their site and/or buy their products anyway, why should they change it?
Why would they want to take such a risk by running Internet Explorer?
"Because many web based applications require it. Our SAP system for procurement for instance requires IE 6 on a Windows box."
Why use IE for all, potentially harmful web access when it's only needed for a couple applications? You could restrict IE to only work for certain sites, and make your users use Mozilla/Firefox/Opera/etc for the rest of their web. Put IE in it's place, only where it's needed, and use something better for the rest!
Get rid of IE. True you can't uninstall it, but you can at least use a different default browser.
If your a network administrator and there are certain websites that are needed for work and require IE, that's simple enough to solve.
Install a proxy, set IE to use that proxy and have the proxy only allow those websites to load. Then pre-load IE with those favorites. Finally have every user send each company an email a day bitching about their broken software.
The additional cost of the IE proxy, well simply explain to management that is part of the overhead of using windows and IE. Further explain that website X, X, X, X are security holes and that for now you've got to do the best you can to get around it. When they balk at the security thing, explain that at least weekly for the past couple years there has been a vulnerability in IE which could have given complete access to accounting.
That puts things in perspective. Now you can use Mozilla/Firebird, users can still browse those sites they need for work that are IE only. And the boss is aware that Microsoft = serious security risk, one that would allow someone else to take their money and devalue the company stock.
I'm guessing that you carefully explained to them why it wasn't working for you, and what they could do about it. That was kind and well-intentioned; you did most of the initial work for them. I'm sure that whoever read your emails realized that you were another of those linuks kooks that have been pestering them, and trashed your email.
If you had written a snail-mail letter to the president of the company, saying something like:
You would have been recognized as part of their target demographic (unsophisticated, has money), and they would have seen a need for action. There would have been a memo from on high saying: ``Find out what happened, and make sure it never happens again.''See what I've been reading.
If the 95% of the population which uses IE were paying attention, they'd have ActiveX and Javascript turned off today, and be unable to access any of these sites.
What a load of rubbish. You're right about Active Scripting, but there's nothing wrong with Javascript, and sensible use of Javascript makes the whole web more responsive.
For example, when you fill in a form, local Javascript should validate the entries whenever possible. This gives much quicker feedback to the user because it avoids a round-trip to the server (and it reduces the load on the server as well). We need more sites doing this, not fewer.
(Of course, all validation has to be repeated on the server, but "pre"-validation is still a huge time-saver, bandwidth-saver, and server-load-saver).