Another Zero-Day IE Scripting Exploit
billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."
Funny enough, that seems to be the way Microsoft is heading with XP SP2. Automatic Updates turned on by default, Windows Firewall greatly improved and turned on by default, IE set to a higher default security level, the Messenger service disabled by default, and more.
You can download a fix for this here.
Or here, for that matter. But seriously, when I started running Opera at work a couple of years ago, people would see me using something other than IE and they'd just shake their heads. Why would anyone want to use a "non-standard" browser?
Yesterday, I had to download some MS software, and my co-worker still laughed a bit when I had to copy the URL out of Opera to IE. But there's definitely more respect now... especially since the Data Security folks just sent a company-wide email telling us to high-tail it to windowsupdate.com... again...
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
Unfortunately, some businesses restrict what software the employees can install on their computer.
;-)
:-)
I understand where you are coming from. I had to fight for my Netscape/Mozilla installation while working for a military installation as a contractor. The attitude of "One Military One Operating System" still rings through those halls. Pretty stupid attitude IMO. I would respond "One Military One Missile System". Needless to say, they didn't laugh.
Basically whenever a new worm or virus came out they were VERY busy. I was responsible for the Solaris and Linux servers and was quite amused. Occasionally I pointed out how calm my life was compared to their frantic patching sessions. Sure I had patching that was needed now and then. Certainly was nothing like their experiences.
Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
Turn off JavaScript and try to buy something from your site. If you can't, you have a problem. Yes, you. Not your customer. You, the web designer.
I'd *love* to turn off Javascript, but there's so many idiots that use it in their webpages these days that using a large proportion of the web would be impossible.
Not that this current problem affects me, since I use Galeon, but still, I'd love to see the end of Javascript...
-- Even if a god did exist, why the fsck should I worship it?
How do you do that with HTTP?
Well, you could do it with CSS
--Nick
My Favorite quote was at the end:
Even though I like Unix, suffer through Linux, and use Mozilla for mail, I prefer Explorer. Despite that preference, though, I use Opera now 80% of the time for exactly the reason of this parent article. I have other things to do than keep abreast of the latest hole M$ has been ignoring or constantly patching.
You're using conflicting options. /q is a quick format (only empties out the FAT) and /u is an Unconditional format (writes 0xFE to all the sectors). Try /autotest which empties out the FAT without confirmation.
Next you'll tell us cookies are "tracking you" and you should turn that off as well.
You should. In addition to disabling most if not all of JavaScript of course. I mean, having JavaScript enabled isn't gonna exploit your privacy, but it'll make web browsing punitive. But hey, that's why there's an option for discerning folks like myself to turn that shit off.
As for cookies, it's those little fuckers that most frequently allow dickwads to build a profile on you and sic marketing departments on you like there's no tomorrow.
Personal case study. Used to browse with cookies on. Since I'm on any no-call list I can get on, my postal mail box is flooded with circulars and mail order catalogs. I call it "bringing in the trash" every time I open up my mail box. In three years at one address, I estimate that I've received a volume of 1000 cubic feet of circular and mail order paper. Zero cubic feet of which I did more than take it out of the mail box and dump it in the trash.
Then, I move across town. Determined to stem if only a little of this motherfucking garbage. I wise up and decide to browse defensively, run my own mail server to use disposable accounts, and turn off cookies in Mozilla (and lately Konqueror). Almost seven months roll by and it seems to be working. It also helps that I buy more stuff locally instead of over the web or via mail order.
Month eight, I put together a new PC and (ugh) forget to switch off cookies in my browser. It was like a switch was turned ON. My postal mail box, after seven months of sanity, has a relapse and starts shitting paper like it did before my move.
It's far from a perfect case study, and I realize asking folks to live like Ted Kaczynski isn't the answer. But don't tell me that cookies and JavaScript are required for the modern web. Unless I'm totally wrong and the modern web continues to digress, but I digress...
The exploit page in reference installs a toolbar that causes your searches to be redirected to
y .com
http://www.i-lookup.com
If you go to that page, what is the top search?
Uninstall spyware.
People get infected and use their own search to find a product to fix the problem.
Anyway, enough with the fun stuff. How about someone, the FBI or some agency, go after whoever owns www.i-lookup.com?
i-lookup.com
production
Aztec Marketing S.A.
aztecmanager@hotmail.com
Sabana sur
Supermercado AM PM
San Jose
Costa Rica
ns1.dnsoutofcountry.com
ns2.dnsoutofcountr
Come on, we helped raid drug lords in Colombia, we ferret out Saddam and are still chasing bin Laden.
Why not use the long arm of the law to give this ahole a major smack down!!!
Personal Website
I've managed to get my parents and my girlfriend's parents to switch to Firefox. I have also got several non-computing friends to use it. I use it on my Mac, Windows PC and my Linux server, it's great and secure.
Most people, of course, have never heard of Firefox.
Why don't the "responsible" PC magazines who complain about all these security issues push Firefox? Are they worried about their advertising revenues? Maybe they just don't know any better.
Kevin
"It's not the cough that carries you off, it's the coffin they carry you off in" O. Nash
I'm sorry... javascript is a requirement on the modern web. If you are afraid to leave it on, you might want to look into switching browsers. Next you'll tell us cookies are "tracking you" and you should turn that off as well.
No, javascript is not essential. All my normal browsing is done with no javascript, flash or cookies, filtered through privoxy (to get rid of ad junk). I run on Linux so there is no Active X or other obnoxious plugins either. If your web site requires flash or javascript to operate, I won't use it. Simple as that. Bad for you, not for me. (But sometimes I just look at the source to figure out the links and cut/paste them to go there anyway.)
The notion of a browser executing random stuff it encounters on the internet is so mind-bogglingly dumb and insecure. It's almost as dumb as having a mail-reader that executes stuff that is being sent to it from anyone...
There are a few exceptions; sites that need javascript that I really do want to use. For these, I fire up another browser just for the purpose of entering that site. And close that browser when I'm done.
If you design sites with a wide audience, you may want to ensure that anyone can use the site, from any browser using basic technology (HTML).
If you use javascript, animations or flash, you probably just want to promote something or just be cool. I hate those sites. I love sites with content.
I am fortunate enough to go to a school where the lab computers have Firefox on the desktop by default, and as the default browser. The head lab admin is a Linux guy, and this is one of the concessions that our evil ITS made to him. Now if only they would dump exchange...sigh.
IE generates no revenue for MS and since people are willing to use it regardless of the holes, there's no incentive for them to overhaul it beyond the occasional patch.
But why are MS always trying to put all the other browsers out of business for something they get nothing back from?
http://blog.nexusuk.org
...run Firefox from removable media. I'm sure a similar stunt could be pulled for Thunderbird or Mozilla if you need mail.
You know you've been IMing too long when you almost say 'lol' out loud to a non-geeky friend...
I fail to understand your logic, every one of those vulnerabilities has been fixed. The listed "workarounds" incidentally, are just detailing how to avoid the problem in the affected versions.
Idealism must mesh with reality at some point. I use Firefox, love it, and will probably never go back.
However, there are still websites that only render correctly within Internet Explorer. The Dell website is a great example--within some of their "Premier" stores, they have a series of nested menus that are built around ActiveX controls. Thus, they only work with Internet Explorer. Try it with another browser, and duh, um, um, um, I'm clicking, I'm clicking, but nothing is happening.
Yeah, I have actually written to Dell about this instead of just accepting it, and though I received an initial response back, I did not receive back a response when I requested they use a vendor-neutral technology like Javascript instead. Unfortunately, they would rather write a website that works for 95% of the population.
As an end user, there is pretty much nothing I can do about this. Yes, I did my part by writing them, but unless a significant portion of their customer base does the same thing, they will not change.
It has to be lack of knowledge.
If people knew they could be hacked by using IE, I doubt people would use it, especially since people who don't know much about viruses and security exploits tend to be very afraid of it.
I always used IE, then a mate told me about Firefox (or Phoenix, as it was called back then), I didn't really want to change because although Microsoft stuff is terrible, we know how to use it and they often have lots of cool features (take Word and Excel, for example). However, I did download it, and I haven't used IE ever since (apart to check that my perfectly correct XHTML code actually works in IE). If I knew about Firefox (and its advantages) earlier, I would have used it.
Since then I have tried (and succeeded) in swapping lots of people over to Firefox, however they have ALL been very very slow to do so, and hesitated a lot. Simply because they think IE is better, safer, more stable, faster, etc.
Just a random military installation? I believe Mozilla is authorized in Air Combat Command. Also, the systems are automatically patched via a script that starts every time a user logs into a workstation. So please do some research before saying "ohhh, the military does this." The military is big and always changing, and you are far from representing "the military."
Perhaps you are right. Today mozilla "may" be authorized.
FYI... Air Command came down with that comment of "One Military One Operating System". They were pushing Windows clients. When I mentioned we had Apple and Linux clients they were upset and told us to "Get with the program" before hanging up. It was a sensitive point apparently.
One more note. As I recall, Congress had stated the Military could not force everyone to any specific operating system or product. It was a choice allowed to all branches. Apparently there was a scandal years ago in which someone of authority had forced people to Microsoft products shortly before retiring. Unfortunately he joined Microsoft at that point which led to an investigation and some rules being passed. I don't have the URL handy at the moment.
You know, if you had half a brain you'd figure out that most of what you say is complete and utter crap.
I thought so too, but now I'm not so sure anymore.
On Windows XP, I started Windows Explorer. The Help|Info dialog box (it's a Dutch Windows, I guess that's Help|About in English) says Windows Explorer. I typed http://slashdot.org. As expected, /. appears alongside the folder tree. Now Help|Info says Internet Explorer.
The reverse is also true: start Internet Explorer, Help|Info says Internet Explorer. Type C:\ in the address bar and press enter, now Help|Info says Windows Explorer.
In contrast, when viewing a PDF, Help|Info still says Internet Explorer, not Acrobat Reader.
This sig under construction. Please check back later.
Riiiight... Like how Apache has a larger market share than IIS, and it has way less security vulnerabilities.
I'm sure there's plenty more holes in IE left to be found, and many more will be created when other crap is stacked on top of it and leveraged by the operating system.
A good thing is healthy competition, and good open source alternatives should make Microsoft improve the quality of their products to compete; we have just started to see that.
grep -iw skynet
At the risk of veering off topic, ATMs are another area where people need to get the word out. Most banks that are considering switching to Microsoft software on the ATM screen are doing it so they get nice pretty colors and can run ads there. I encourage everyone whose bank or credit union still has an old fashioned green or amber ATM display to tell them you want security over bells and whistles. You might even want to tell them you would move your money to avoid risking trusting it to a Windows CE based "solution".
To at least swerve back towards the topic, many of the better posts on this thread also make great ammunition for arguments against 'upgrading' ATMs to Microsoft based products.
Who is John Cabal?
Would it be possible to create a web browser that runs as a Java applet within IE? I'm thinking...port Mozilla to Java....create an applet. Then let people with IE only systems go to the applet page and execute the Mozilla Java application and BAM! They're running Mozilla (or some browser) without installing it.
Any thoughts?
They aren't...I mean, I know slashdot wants you to BELIEVE that Microsoft was actively trying to crush Netscape through the unfair practice of "not charging for their software," but in fact they were just trying to offer a high quality web browser that would entice people to buy their web server software. Microsoft never showed any intention of selling IE, and they continue to give away the newest version which works just fine on their older operating systems. However, they've made a ton of cash selling the IIS enabled "server" versions of their operating systems. It's a common practice no different from Sony taking a loss on the PS2 and making it up in software...or Adobe and Macromedia giving away the reader/player software generated by their expensive creative suites.
Sure, Microsoft integrated the browser into their OS, but that's not such a bad idea, either...file browsing and web browsing are two very similar tasks and it did make sense in an ivory tower sort of way to do both of them with the same code. Many of my favorite features in Windows Explorer are results of this integration...things like Favorites.
I mean, what proof -- heck, what vague hypothesis do you have that, since the "death" of Netscape, Microsoft has stood in the way of any of the dozens of alternative browsers out there? Opera's still around. Mozilla's still kicking. OmniWave, Konqueror and Safari are still working great (I am posting this FROM Safari, in fact). In fact, all of these are more copiously updated than Microsoft's web browser.
It is my opinion that Microsoft wants to get rid of IE, or at the very least, stop improving it. It has cost them a lot of money and doesn't offer a whole lot in return. It makes good business sense to halt new development in IE, and let somebody else become top dog.
Hey freaks: now you're ju
Where exactly does IE have access to ring0? Any facts?
Just curious.
- Arwen, I'm your father, Agent Smith.
- Well, you're just Smith, but my father is Aerosmith!