Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another Zero-Day IE Scripting Exploit

Posted by Hemos on from the what-wonderful-toys-they-have dept.

billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."

17 of 696 comments (clear)

  1. Yet another reason.. by Anonymous Coward · · Score: -1, Troll

    .. not to use Internet Explorer.

    This isn't widely known, but there's a feature in Internet Explorer that lets you get the user's clipboard contents through one line of javascript code. This can then be embedded in an <iframe> and POSTed to a cgi which writes it to a file. In fact, this is exactly what the new lastmeasure code does. Let me tell you, the GNAA has gotten some pretty neat stuff (account info, diaries, trade secrets, you name it, they got it) from people who like to select the text they're reading.

    So while I agree that exploits are a problem, at least those get patched. Features like are there to stay.

  2. Obligatory by HogynCymraeg · · Score: -1, Troll

    HAHAHA!! I use linux!!! IE SuXX0rs!!!!!

  3. GNAA Announces Victory Over AOL by Anonymous Coward · · Score: -1, Troll
    GNAA Announces Victory over AOL GNAA Announces Victory over AOL

    Monday, May 17 2004, GNAA, Nigeria

    "Who is the Greatest Man Alive?" - If you ask Gary Niger, he'll tell you it is most definitely Osama Bin Laden.

    The Gay Nigger Association of America (GNAA) announced today further victory in their current program to bring about total breakdown of the AOL customer relation system.

    AOL Corporate Policy has been changed after GNAA (Gay Nigger Association of America) special operative Gary Niger's constant abuse of their "secret question" program designed to provide a futile illusion of security for the mongoloids and sodomites that comprise their customer base.

    The "custom question" option, allowing users to create their own question, has been removed following the efforts of Niger and other fearsome Gay Niggers from the GNAA's top secret "Black Ops" divison.

    With the removal of this option, trolls are now forced to use pre-approved AOL "secret question" options when signing up for fraudlent accounts for the purpose of downloading gay pornography and meeting up with the clandestine "homo thug" underground.

    "I don't know why it changed, exactly. Corporate HQ didn't tell us," said Tracy, an AOL representative. "It happened two or three days ago."

    Tracy was unavailable for further comment, as she was masturbating furiously under her desk - claiming that "Ten guys were on the phone and (she) had to take them all on."

    An AOL executive, speaking under the condition of anonymnity, said the change in policy came after widespread employee unrest, culminating in an incident of mass sodomy taking place in the Ogden, Utah call center.

    Gary Niger and other members of the GNAA "Black Ops" division continue to use the "custom question" trolling technique with various punjabis in the Bangalore, India call center - who haven't gotten the memo yet.

    Meanwhile, GNAA Command is working on the creation of new methods of trolling to work within the confines of this new standard, still flush with victory.

    Nick Berg's head was unavailable for comment at the time of this release.

    About America Online, Inc.

    America Online, Inc. is a wholly owned subsidiary of subsidiary of Time Warner Inc. Based in Dulles, Virginia, America Online is the world's leader in interactive services, Web brands, Internet technologies and e-commerce services.

    About GNAA:
    GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the first organization which
    gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS.

    Are you GAY ?
    Are you a NIGGER ?
    Are you a GAY NIGGER ?

    If you answered "Yes" to all of the above questions, then GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!
    Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member.
    GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America. You, too, can be a part of GNAA if you join today!

    Why not? It's quick and easy - only 3 simple steps!

    First, you have to obtain a copy of GAY NIGGERS FROM OUTER SPACE THE MOVIE and watch it. (You can download the movie (~280mb) using BitTorrent, by clicking here.

    Second, you need to succeed in posting a GNAA "first post" on slashdot.org, a popular "news for trolls" website

    Third, you need to join the official

  4. billyonerrors equipped for patriot act compliance by Anonymous Coward · · Score: -1, Troll

    in order to avoid prison time/loss of nazi style 'privleges'?

    that's another script entirely.

  5. Re:Not everyone can use Mozilla... by Xenkar · · Score: 0, Troll

    Two words: Job security

    If network administrators aren't battling a constant stream of viruses, worms, and other garbage, they may become redundant.

  6. Re:javascript by Anonymous Coward · · Score: -1, Troll

    javascript is a requirement on the modern web.

    People need to learn that Javascript causes vunerabilities and needs to die. Switch to something more powerful and useful.

  7. Re:Mac hole by IamTheRealMike · · Score: -1, Troll
    Worst of all, IIRC Apple had known about the problem for over 6 months. The security problems Safari and OS X have make these IE problems look patsy in comparison - from reading the description you'd have to have a seriously good understanding of the internals of Internet Explorer to find these vulnerabilities, whereas the OS X/Help Viewer/DMG mounting vulnerabilities were very easy to understand and exploit.

    Fortunately for Apple their market share is low enough that these exploits are mostly confined to theory - scummy spyware companies don't target OS X because the cost:benefit ratio isn't good enough. Same for Linux (which is equally not immune to URL handler/scripting vulnerabilities).

  8. Cross-platform security holes by iamacat · · Score: 1, Troll

    In simple terms, the link uses an unknown vulnerability to open up a local Explorer help file -- ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm

    Oh boy, I know Bill gave Steve 400M or so before, but now they even cooperate on security holes?? Halliluah! I still say Apple's exploits are more user friendly. No need for "extremely sophisticated use of encrypted code".

  9. Re:The Salad Dressing theory by mrtroy · · Score: 0, Troll

    You know when you buy new italian salid dressing, and the oil and the spices are all separated in different layers? That is what good software architecture is supposed to look like.

    Now, shake up the bottle. That is what Microsoft software looks like.

     Nuh uh!!! I have seen their CRM and Great Plains sales diagrams and there are LEVELS and stuff

    hahahahaa that is a great comment tho...its so true.

    --
    [I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
  10. Re:Kudos to Norton by swordboy · · Score: 0, Troll

    Norton?

    --

    Life is the leading cause of death in America.
  11. Re:Whats funny about this.. by Anonymous Coward · · Score: -1, Troll

    simple, the drug lords and saddam and bin laden never paid the repubs their protection money.

  12. Re:Not everyone can use Mozilla... by Anonymous Coward · · Score: -1, Troll

    IE sucks.

  13. Meanwhile, on the fourth floor... by bonch · · Score: -1, Troll

    A list of known Mozilla vulnerabilities.

  14. What about these? by bonch · · Score: -1, Troll

    Yeah, get back to me when they decide to fix that Mozilla/Firefox resource leak that's been around for over a year. According to the Firefox developers, it still won't get fixed in time for 1.0. This and other reasons are why I'm a strict Opera user.

    If you want recent flaws, visit Bugzilla sometime.

  15. Re:BugTraq by Anonymous Coward · · Score: -1, Troll

    You mean right after Al Gore invented it?

    Fuck you, idiot. Half the people reading your asinine comment see it as a tired, old joke. The other half see it as a tired, old joke told by a dipshit republican. You can go ahead and decide which group I fall into. Then you can curl up and die.

  16. Re:Not everyone can use Mozilla... by Saeed+al-Sahaf · · Score: -1, Troll
    Get a spinal transplant!

    Ignorant dumb ass. Are you 15 or do you just act like it?

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  17. Re:BugTraq by Phisbut · · Score: -1, Troll
    You mean right after Al Gore invented it?

    If only people could stop believing and repeating stuff they heard somewhere without checking the sources, we'd stop hearing stuff like "Al Gore said he invented the Internet, what a loser".

    Could you please tell me when and how he claimed that? I, on the other hand, can tell you when he didn't.

    --
    After 3 days without programming, life becomes meaningless
    - The Tao of Programming