Slashdot Mirror


Another Zero-Day IE Scripting Exploit

billstewart writes "A Computerworld article reports a pair of vulnerabilities in Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."

11 of 696 comments

  1. Re:Dang, what a surprise! by RebelWebmaster · · Score: 3, Interesting

    Funny enough, that seems to be the way Microsoft is heading with XP SP2. Automatic Updates turned on by default, Windows Firewall greatly improved and turned on by default, IE set to a higher default security level, the Messenger service disabled by default, and more.

  2. Re:Fix now available by RobertB-DC · · Score: 5, Interesting

    You can download a fix for this here.

    Or here, for that matter. But seriously, when I started running Opera at work a couple of years ago, people would see me using something other than IE and they'd just shake their heads. Why would anyone want to use a "non-standard" browser?

    Yesterday, I had to download some MS software, and my co-worker still laughed a bit when I had to copy the URL out of Opera to IE. But there's definitely more respect now... especially since the Data Security folks just sent a company-wide email telling us to high-tail it to windowsupdate.com... again...

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  3. Re:Not everyone can use Mozilla... by u-235-sentinel · · Score: 5, Interesting

    Unfortunately, some businesses restrict what software the employees can install on their computer.

    I understand where you are coming from. I had to fight for my Netscape/Mozilla installation while working for a military installation as a contractor. The attitude of "One Military One Operating System" still rings through those halls. Pretty stupid attitude IMO. I would respond "One Military One Missile System". Needless to say, they didn't laugh ;-)

    Basically, whenever a new worm or virus came out they were VERY busy. I was responsible for the Solaris and Linux servers and was quite amused. Occasionally I pointed out how calm my life was compared to their frantic patching sessions. Sure, I had patching that was needed now and then. It certainly was nothing like their experiences :-)

    --
    Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
  4. Time to get JavaScript off your site by Animats · · Score: 3, Interesting

    Web site design today needs to eliminate JavaScript, as more people turn it off. It's important that your e-commerce site be able to process a sale without JavaScript. If it can't, you're losing customers.

    Turn off JavaScript and try to buy something from your site. If you can't, you have a problem. Yes, you. Not your customer. You, the web designer.

    1. Re:Time to get JavaScript off your site by TrentL · · Score: 3, Interesting

      But some sites REALLY require JavaScript. For example, in Hotmail (yes, another MS creation), none of the links are really links. They are JavaScript function calls, which in turn redirect to the page. I don't want to whore my website too much today, but I have a pic here. Hotmail is just one example. There are other sites that do this as well.

  5. Turn off javascript? by The+Fanta+Menace · · Score: 3, Interesting

    I'd *love* to turn off Javascript, but there are so many idiots that use it in their webpages these days that using a large proportion of the web would be impossible.

    Not that this current problem affects me, since I use Galeon, but still, I'd love to see the end of Javascript...

    --
    Even if a god did exist, why the fsck should I worship it?
  6. Re:Dang, what a surprise! by JohnnyComeLately · · Score: 3, Interesting

    At the risk of being redundant, though, you're still at their mercy for updates. It's a false sense of security and I think most educated users want control of upgrades/patches.

    My favorite quote was at the end:

    "With the code already available on the Net, this is effectively a security nightmare ... unless you're a Mozilla or Opera user that is."

    Even though I like Unix, suffer through Linux, and use Mozilla for mail, I prefer Explorer. Despite that preference, though, I use Opera now 80% of the time for exactly the reason of this parent article. I have other things to do than keep abreast of the latest hole M$ has been ignoring or constantly patching.
  7. What's funny about this.. by cyberlotnet · · Score: 4, Interesting

    The exploit page in reference installs a toolbar that causes your searches to be redirected to

    http://www.i-lookup.com

    If you go to that page, what is the top search?

    Uninstall spyware.

    People get infected and use their own search to find a product to fix the problem.

    Anyway, enough with the fun stuff. How about someone, the FBI or some agency, go after whoever owns www.i-lookup.com.


    Come on, we helped raid drug lords in Colombia, we ferreted out Saddam and are still chasing bin Laden.

    Why not use the long arm of the law to give this ahole a major smack down!!!

  8. Getting the word out is hard by Lucky+Kevin · · Score: 5, Interesting

    I've managed to get my parents and my girlfriend's parents to switch to Firefox. I have also gotten several non-computing friends to use it. I use it on my Mac, Windows PC and my Linux server; it's great and secure.

    Most people, of course, have never heard of Firefox.

    Why don't the "responsible" PC magazines who complain about all these security issues push Firefox? Are they worried about their advertising revenues? Maybe they just don't know any better.

    --
    Kevin
    "It's not the cough that carries you off, it's the coffin they carry you off in" O. Nash
  9. Idealism must mesh with reality... by codguy · · Score: 5, Interesting

    Idealism must mesh with reality at some point. I use Firefox, love it, and will probably never go back.

    However, there are still websites that only render correctly within Internet Explorer. The Dell website is a great example: within some of their "Premier" stores, they have a series of nested menus that are built around ActiveX controls. Thus, they only work with Internet Explorer. Try it with another browser, and duh, um, um, um, I'm clicking, I'm clicking, but nothing is happening...

    Yeah, I have actually written to Dell about this instead of just accepting it, and though I received an initial response, I did not receive a response when I requested they use a vendor-neutral technology like Javascript instead. Unfortunately, they would rather write a website that works for 95% of the population.

    As an end user, there is pretty much nothing I can do about this. Yes, I did my part by writing them, but unless a significant portion of their customer base does the same thing, they will not change.

  10. Re:Not everyone can use Mozilla... by u-235-sentinel · · Score: 3, Interesting

    Just a random military installation? I believe Mozilla is authorized in Air Combat Command. Also, the systems are automatically patched via a script that starts every time a user logs into a workstation. So please do some research before saying "ohhh, the military does this." The military is big and always changing, and you are far from representing "the military."

    Perhaps you are right. Today mozilla "may" be authorized.

    FYI... Air Command came down with that comment of "One Military One Operating System". They were pushing Windows clients. When I mentioned we had Apple and Linux clients they were upset and told us to "Get with the program" before hanging up. It was a sensitive point apparently.

    One more note. As I recall, Congress had stated the Military could not force everyone to any specific operating system or product. It was a choice allowed to all branches. Apparently there was a scandal years ago in which someone of authority had forced people to Microsoft products shortly before retiring. Unfortunately he joined Microsoft at that point, which led to an investigation and some rules being passed. I don't have the URL handy at the moment.

    --
    Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com