Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another Zero-Day IE Scripting Exploit

Posted by Hemos on from the what-wonderful-toys-they-have dept.

billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."

6 of 696 comments (clear)

  1. Yet again... by LaserLyte · · Score: 5, Insightful

    This really does get boring, reading about these IE holes and vulnerabilities. I'm still at a loss to understand why a powerful global corperation in business for decades is incapable of fixing fundamental problems with their browser which are showing up again and again.

    It's entirely possible to be user-friendly and easy-to-use, as browsers such as Mozilla, FireFox and Opera show. However, seeing serious and trivial-to-exploit vulnerabilites like this popping up so frequently makes me wonder what kind of programmers actually work for Microsoft.

    I imagine the codebase for a complex feature-rich browser could get quite large and complicated, and modern browsers seem to have everything built in but the kitchen sink (in Microsoft's case, an entire OS is embedded into IE... ;), but why should a web browser EVER be capable of causing such chaos?

    A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.

  2. javascript by checkitout · · Score: 5, Insightful

    I'm sorry... javascript is a requirement on the modern web. If you are afraid to leave it on, you might want to look into switching browsers. Next you'll tell us cookies are "tracking you" and you should turn that off as well.

  3. Re:Not everyone can use Mozilla... by Mr.+Sketch · · Score: 5, Insightful

    In that case it would be up to the network administrator to put secure software on the users machines. Why would they want to take such a risk by running Internet Explorer?

    --
    Things you think are in the Constitution, but are not.
  4. IE never gives me problems by Darth+Cider · · Score: 5, Insightful

    IE never gives me problems because I'm using it on a Mac (OS9). In 10 years I've never been touched by an exploit, worm or virus. Windows users will be patching and updating through the next 3 generations of hardware, as they have been since 486 days. Please, this isn't flamebait. I prefer IE over Opera, Mozilla (Netscape), and everything else. (Although Wannabe is a great text-only browser--lean and fast.) The problem is definitely in the OS. And to the usual astroturf reply, "just wait til exploit writers target Macs," it's not going to happen for the lifetime of the Mac I'm on, during which I will have peace of mind. How many more exploits will we read about on Slashdot in that timeframe? Guesses?

  5. It's getting to be more than just a nuisance by Dodger73 · · Score: 5, Insightful

    This kind of thing has become a serious problem. And no, up-to-date antivirus software and Windows' builtin firewall are not the answer.

    The problem with this one is that, by the time client's antivirus software is up to date for the latest viruses, worms, and exploits, the damage is already done. I have had Windows boxes on which the antiviruses were updated twice daily - just to find that by the time I had received the update, the malicious software had already been on the machine. God knows for how long.

    On a Windows box at home, despite antivirus software, Windows' builtin firewall and a 3rd party firewall software, I once counted 12 (!) different infections within less than 24 hours.

    Interestingly enough, it's gotten much better for me at home since I've been running my Windows box through a Linux gateway. Still, stuff slips through, but it's on the order of one a week or so. This has taught me one lesson:

    If you have to run Windows on a machine connected to the net, for your own sake and the sake of others you're prone to infect, run a reliable hardware router with a reliable firewall, or take an old computer and run a linux gateway/router. You wouldn't believe how much trouble you'll spare yourself.

  6. There's nothing wrong with Javascript by hopethishelps · · Score: 5, Insightful
    As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway.

    What a load of rubbish. You're right about Active Scripting, but there's nothing wrong with Javascript, and sensible use of Javascript makes the whole web more responsive.
    For example, when you fill in a form, local Javascript should validate the entries whenever possible. This gives much quicker feedback to the user because it avoids a round-trip to the server (and it reduces the load on the server as well). We need more sites doing this, not fewer.
    (Of course, all validation has to be repeated on the server, but "pre"-validation is still a huge time-saver, bandwidth-saver, and server-load-saver).