Another Zero-Day IE Scripting Exploit
billstewart writes "A Computerworld Article reports a pair of vulnerabilities in Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. They were discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."
Here is the BugTraq Archive link.. WARNING.. The link to this site contains OTHER links to the ACTUAL exploit as well as the source code and a non-harmless display. Use at your OWN risk. Just thought I would put out the disclaimer.
Hmmm.
You can download a fix for this here.
Things you think are in the Constitution, but are not.
Workaround for this bug has been posted. "Don't click links!"
This really does get boring, reading about these IE holes and vulnerabilities. I'm still at a loss to understand why a powerful global corporation in business for decades is incapable of fixing fundamental problems with their browser which are showing up again and again.
;), but why should a web browser EVER
be capable of causing such chaos?
It's entirely possible to be user-friendly and easy-to-use, as browsers such as Mozilla, FireFox and Opera show. However, seeing serious and trivial-to-exploit vulnerabilities like this popping up so frequently makes me wonder what kind of programmers actually work for Microsoft.
I imagine the codebase for a complex feature-rich browser could get quite large and complicated, and modern browsers seem to have everything built in but the kitchen sink (in Microsoft's case, an entire OS is embedded into IE...
A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.
I am beginning to feel if I am going to be screwed by microsoft they should buy me dinner and a movie first...
Off to check for updates.
The IE security issue du jour... How about an MS update that simply shuts down all that extra junk by default instead of leaving it open for average Joe User? Make them turn it on if they absolutely need it for whatever reason. Duh!!
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
Unfortunately, some businesses restrict what software the employees can install on their computer. I've written about such an experience here.
I'm sorry... javascript is a requirement on the modern web. If you are afraid to leave it on, you might want to look into switching browsers. Next you'll tell us cookies are "tracking you" and you should turn that off as well.
A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.
You know when you buy new Italian salad dressing, and the oil and the spices are all separated in different layers? That is what good software architecture is supposed to look like.
Now, shake up the bottle. That is what Microsoft software looks like.
Turn off JavaScript and try to buy something from your site. If you can't, you have a problem. Yes, you. Not your customer. You, the web designer.
Exploits like these, on the other hand, are akin to a passive attack from the inside (like an infected laptop connected from inside the firewall) but are even more serious, because very little action is required on the part of the user to effect the attack, and they are *very* difficult to monitor and contain.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
See, this is why I stay away from malicious web pages in the first place. You just can't trust those things!
Hey freaks: now you're ju
I tried the demonstration, and Norton popped up and prevented the thing from running. Apparently someone's on the ball somewhere.
Let's not stir that bag of worms...
I'd *love* to turn off Javascript, but there's so many idiots that use it in their webpages these days that using a large proportion of the web would be impossible.
Not that this current problem affects me, since I use Galeon, but still, I'd love to see the end of Javascript...
-- Even if a god did exist, why the fsck should I worship it?
Symantec catches this vulnerability as the following:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Downloader.Trojan
File: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\67HK1KWV\installer[1].html
Location: Quarantine
Computer: Computer
User: User
Action taken: Quarantine succeeded : Access denied
Date found: Wednesday, June 09, 2004 11:56:26 AM
Most corporations should have little to worry about.
-Tolerate my intolerance
This isn't the only occurrence of such an exploit. Windows machines can also be easily owned by a single click on Dell.com. I believe it is the "Buy it now" button.
Reference to Microsoft advice (he was trying to be funny, you insensitive clod.)
Doesn't zero-day mean that the bug came out the same time as IE? Didn't IE come out several years ago? And if one of these is already fixed in SP 2, that doesn't sound exactly zero-day either.
I bet most of the people on slashdot are aware of the constant problems with IE/Windows. Maybe if Microsloth got smart, they would include a popup with minesweeper and Solitaire that would check their systems for vulnerabilities while they were playing the game. If it automatically patched their systems, GREAT.
I think something like that would knock out most of the vulnerable sales people, secretaries, and executives in the business world.
Why read the article when I can just make up a snap judgement?
Yeah, so who forced IE to be integrated with the OS?
Sure, don't blame X for being buggy, its bugginess is the result of braindead design.
Don't blame me for setting your house on fire, I'm a habitual smoker and can't stand a hour without a smoke.
Integration with OS was a conscious and completely wrong move and nobody else is to be blamed for that than Microsoft!
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
But that's the problem. The web browser shouldn't be integrated that way into the system.
Another IE security problem, are you surprised by this? Let's make an insecure piece of software that integrates into our operating system with portions of it running at Ring Zero, thus allowing whatever malicious code/hacker to gain access to your system.
Now most people recommend just switching to Linux. Yeah, that works. But what about those hacked Windows PCs that happen to be remotely controlled? Some are sending SPAM, others are used for DDoS attacks, and others just scan all the IP space they can get ahold of.
It is a vicious cycle which has been growing more pronounced over the past 4 years. The only real solution to this problem is to inform people. Don't just tell people to use something else.
Explain the advantages of using a different program. In this case, explain how Mozilla or Opera, being separate programs with different internal workings and security systems, are not going to be compromised as easily.
Push harder towards Open Media/Content
The exploit page in reference installs a toolbar that causes your searches to be redirected to
y .com
http://www.i-lookup.com
If you go to that page, what is the top search.
Uninstall spyware.
People get infected and use their own search to find a product to fix the problem.
Anyway, enough with the fun stuff, How about someone, the FBI or some agency go after who ever owns www.i-lookup.com.
i-lookup.com
production
Aztec Marketing S.A.
aztecmanager@hotmail.com
Sabana sur
Supermercado AM PM
San Jose
Costa Rica
ns1.dnsoutofcountry.com
ns2.dnsoutofcountr
Come on, we helped raid drug lords in Colombia, we ferret out Saddam and are still chasing bin Laden.
Why not use the long arm of the law to give this ahole a major smack down!!!
Personal Website
I do feel that linking to the exploit itself is a little like getting on TV and saying, "There's a security problem at this nuclear weapons facility, and here's how you'd exploit it and get yourself a nuclear bomb. But don't do it, because owning nuclear weapons (which the unguarded facility has, in warehouse 23-B) is wrong!"
But I also realize that shedding light on the issue will help sysadmins take care of the problem, and most script kiddies prefer to read sites about "hahaha hax0rzing is kew3l kekekekekekekekeke!!!! ^___^"
*****
Dear Mary,
I yearn for you tragically,
A.T. Tappman, Chaplain, U.S. Army.
I've managed to get my parents and my girlfriend's parents to switch to Firefox. I have also got several non-computing friends to use it. I use it on my Mac, Windows PC and my Linux server, it's great and secure.
Most people, of course, have never heard of Firefox.
Why don't the "responsible" PC magazines who complain about all these security issues push Firefox? Are they worried about their advertising revenues? Maybe they just don't know any better.
Kevin
"It's not the cough that carries you off, it's the coffin they carry you off in" O. Nash
Microsoft used IE as a strategic tool. When it did so, browsers were in such a state of flux, that changing from Netscape 3 to 4 to wasn't much different than changing from Netscape 3 to IE 4. The mistake Microsoft is making is that if people start migrating away from IE, then there is no turning back. The browser market is moving slow, so the ease/incentive to move is significantly lower.
IT departments are going to be looking at changing browsers, and once they change, I doubt Microsoft will be able to regain the foothold.
Ok, I give up, why you?
And worse, that happens in every IE descendant? There are a lot of "alternative" browsers that use the IE engine to render HTML, sites, help files, whatever, to show their content, including especially Outlook (and that probably will mean a new mail worm in the next few days).
Do people even use IE anymore? Is there some advantage, or is it just lack of interest/knowledge to get a new browser?
---
Adult Toys
It is RC1 and it is available here
As always, it is design problems present from the start that are exploited here; artificial solutions like separating the internet into "zones" (local, trusted, etc.) are just patches that don't resolve the core problem, so it still has more holes than a Swiss cheese.
The previous poster pointed out the wrong way. The better way is <a href= "yourlink" onclick= "popupFunctionOrWhatever('yourlink'); return false;">click here</a> . This activates your JS function for those that have it and provides a normal link for those that don't. The return false prevents the normal link from being activated if the onclick is performed by JS-aware browsers.
Constitutionally Correct
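The "real href plus onclick ... return false" pattern from the post above, as an added example that is not code from the original thread. It builds the link so that browsers without scripting get a normal link and JS-aware browsers get the popup, and it escapes every value it embeds, because a link builder that pastes untrusted URLs or labels straight into markup is itself an injection point. The helper names (escapeAttr, safeHref, fallbackLink, openPopup) are assumptions for the example.

```javascript
// Added example, not code from the original thread. Builds the post's
// "real href plus onclick ... return false" link so that it degrades to a
// plain link without JavaScript, and escapes every value so the builder
// cannot be turned into an HTML or script injection point.
// Hypothetical names: escapeAttr, safeHref, fallbackLink, openPopup.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for use inside an HTML attribute value or a text node.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Refuse anything that is not an http(s) URL: a javascript: or data: href
// runs in the browser no matter what the onclick handler does.
function safeHref(url) {
  if (!/^https?:\/\//i.test(url)) {
    throw new Error('refusing non-http(s) href: ' + url);
  }
  return url;
}

// Produces <a href="URL" onclick="openPopup(&quot;URL&quot;); return false;">label</a>.
// JS-aware browsers run openPopup and skip navigation because the handler
// returns false; everything else follows href as an ordinary link.
function fallbackLink(url, label, popupFn = 'openPopup') {
  const href = safeHref(url);
  // The URL sits in two layers: a JS string literal inside an HTML attribute.
  // JSON.stringify produces the JS literal, escapeAttr handles the attribute.
  const handler = popupFn + '(' + JSON.stringify(href) + '); return false;';
  return '<a href="' + escapeAttr(href) + '" onclick="' + escapeAttr(handler) + '">' +
    escapeAttr(label) + '</a>';
}

// The same behaviour without inline handlers, for a browser environment:
// preventDefault() is what "return false" does in the attribute form.
function wireFallbackLinks(doc, openPopup) {
  for (const a of doc.querySelectorAll('a[data-popup]')) {
    a.addEventListener('click', (ev) => {
      ev.preventDefault();
      openPopup(a.href);
    });
  }
}
```

If the popup is only there to open the page in a new window, a target name on the link (as a later post in this thread points out) gets the same effect without any script and without fighting the user's tabbed-browsing preference.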
"The only reason there are so many of them [ security vulnerabilities] in IE is that its integrated well with OS."
Actually it's the exact opposite: It's integrated so piss-poorly with Windows, with no regard for security implications of the design. MS could have easily set up IE to play nicely in its own application space, rather than weaving it deep into the OS like a brain cancer.
IE never gives me problems because I'm using it on a Mac (OS9). In 10 years I've never been touched by an exploit, worm or virus. Windows users will be patching and updating through the next 3 generations of hardware, as they have been since 486 days. Please, this isn't flamebait. I prefer IE over Opera, Mozilla (Netscape), and everything else. (Although Wannabe is a great text-only browser--lean and fast.) The problem is definitely in the OS. And to the usual astroturf reply, "just wait til exploit writers target Macs," it's not going to happen for the lifetime of the Mac I'm on, during which I will have peace of mind. How many more exploits will we read about on Slashdot in that timeframe? Guesses?
I clicked on the link, what's the big deal? It didn't do anything but pop up a hollow box in the window.
Nothing installed, my system didn't crash. There were no apparent ill effects to clicking on that.
So why is everyone so worked up? I use Windows XP every day for some of my work, and haven't had a problem with malicious web pages in over a year.
I've been using FireFox for over a year, but that's probably just a coincidence.
...run Firefox from removable media. I'm sure a similar stunt could be pulled for Thunderbird or Mozilla if you need mail.
You know you've been IMing too long when you almost say 'lol' out loud to a non-geeky friend...
I don't have any problems with Windows XP at all...zero, zip, none. None with IE either. Never done any updates either. Perfectly safe in fact...
My PowerBooks are the only thing that go online.
Sometimes the obvious takes longer.
This kind of thing has become a serious problem. And no, up-to-date antivirus software and Windows' builtin firewall are not the answer.
The problem with this one is that, by the time client's antivirus software is up to date for the latest viruses, worms, and exploits, the damage is already done. I have had Windows boxes on which the antiviruses were updated twice daily - just to find that by the time I had received the update, the malicious software had already been on the machine. God knows for how long.
On a Windows box at home, despite antivirus software, Windows' builtin firewall and a 3rd party firewall software, I once counted 12 (!) different infections within less than 24 hours.
Interestingly enough, it's gotten much better for me at home since I've been running my Windows box through a Linux gateway. Still, stuff slips through, but it's on the order of one a week or so. This has taught me one lesson:
If you have to run Windows on a machine connected to the net, for your own sake and the sake of others you're prone to infect, run a reliable hardware router with a reliable firewall, or take an old computer and run a linux gateway/router. You wouldn't believe how much trouble you'll spare yourself.
Idealism must mesh with reality at some point. I use Firefox, love it, and will probably never go back.
..
However, there are still websites that only render correctly within Internet Explorer. The Dell website is a great example--within some of their "Premier" stores, they have a series of nested menus that are built around ActiveX controls. Thus, they only work with Internet Explorer. Try it with another browser, and duh, um, um, um, I'm clicking, I'm clicking, but nothing is happening.
Yeah, I have actually written to Dell about this instead of just accepting it, and though I received an initial response back, I did not receive back a response when I requested they use a vendor-neutral technology like Javascript instead. Unfortunately, they would rather write a website that works for 95% of the population.
As an end user, there is pretty much nothing I can do about this. Yes, I did my part by writing them, but unless a significant portion of their customer base does the same thing, they will not change.
Dutch researcher Jelmer [...] embarked on a detailed analysis of the link, which demonstrates an extremely sophisticated use of encrypted code.
Hmm... I hardly consider using the (unfortunately) existing Script encoding feature in IE to be 'sophisticated'. Besides, for those who are not DMCA-encumbered, here is a program to Decode the Javascript contained in the "JScript.Encode" areas. (The author of the script has an interesting and informative article on what a piece of crap the JScript.Encode function is, and it can be found here)
0-day does not mean that there is "no-fix". No-fix just means that it is currently exploitable.
0-day hacks by definition are generally unknown. They may have been newly discovered, they may have been discovered by someone ages ago. The key is that they are generally unknown, and therefore can be used as a sort of currency (having discovered or having access to an 0-day can get you into groups that trade in such things), or can be utilized as a last-ditch approach at compromising a machine you absolutely need to compromise (actually using an 0-day for something mundane would be a tremendous waste of a valuable resource).
This is just another publicly visible hack of IE. And thinking about it, go ahead and call them 0-day's, those in the know, know better, those that don't... Well who cares.
I love how so many articles contain ridiculous jabs thrown in right after the fact-finding portion. Disable Javascript? LOL. What the h-e-double-hockey-sticks is the submitter thinking?
"Politicians find new names for institutions which under old names have become odious to the people."
If employees are able to buy stock, then they have another avenue of insisting on more-decent computing experiences at work. You go to the shareholders meetings and raise a stink over the problems with your software and bosses attitudes. There are several interesting avenues to explore there, pun intended.
There's also these things called unions, and they are useful for more things than just negotiating a raise. Unions have been used to help introduce worker safety,more sane and family friendly working hours, etc, so there's nothing stopping a union from working towards negotiating efficiency, either.
It's when you are JUST an employee and not a part owner, and when you are JUST negotiating alone instead of being part of a group that you will be constantly screwed in dealing with management problems.
Nothing's a fortress, not even Linux (Hello? GNU, Gentoo, Debian, Gnome, Savannah, and more were hacked last year).
Give Mozilla the widespread usage (which is like industrial-strength beta-testing) that Internet Explorer has and see how many holes are blown open in it. Nothing is perfect, and it's silly and arrogant to pretend one project is a perfect solution above all others. This goes for anything, from operating systems to web browsers.
I'm an Opera user through and through, but most of my friends use MyIE, which gives them tabbed browsing, pop-up blocking, and more, but using IE's system libraries to render pages. It's their choice.
You forgot to tell the reader one thing - all those bugs in Mozilla are already fixed.
None of the ones in the IE list are.
Either you don't read carefully or you are purposefully trying to mislead, I can't decide which.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway
There aren't exploits I'm aware of for JavaScript. JavaScript was originally written by Netscape, and to all intents and purposes, runs in a sandbox.
Microsoft's implementation of JavaScript is called Jscript.
From when I can tell of the exploit, it has to do with Microsoft's insecure DHTML model.
From the MS documentation of the execScript method
execScript
Executes the specified script in the provided language.
Standards Information :
There is no public standard that applies to this method.
Shame that so many fucking "experts" can't get their terminology right.
Popup functions just annoy people who use tabbed browsing - specifying a target name will open in either a new window, or new tab, consistent with what your user prefers.
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
The problem is that Microsoft is fixing holes.
See, the root cause of these problems is that Microsoft took a bunch of architectural shortcuts that made it really easy for them to create a lot of nifty features, and also made it really easy for others to create a bunch of nifty exploits. And, surprise surprise, the exploits keep on coming.
But rather than fix the architectural problems, rather than admit that they messed up, rather than go back and try to re-create all those nifty features with a solid architecture, rather than remove features that depend on the shoddy design, instead Microsoft's response is to try to preserve their lousy architecture, and simply patch each individual hole as it is discovered. This is somewhat similar to plastering over the cracks in the walls as they keep appearing, rather than admitting that the foundation is failing and the whole house needs to be rebuilt.
There is no relief in sight for Microsoft users, ever.
Sigh.
Remove Internet Explorer from Windows 2000. (Free)
Remove Internet Explorer from Windows XP.(Free)
FDV
...and not use IE. JavaScript, while often abused, is still useful for proper end-user UI feedback. Using a good browser (Moz/Firefox/Opera/!MSIE) will clean up most of the annoyances with JS problems.
There is a certain amount of pragmatic value in your advice, but you entirely miss the point of what the Internet is, and why so many people have worked so hard for so many decades to make it work. This is a medium for sharing and accessing data with an unlimited number of individuals, who may be known or unknown.
Standards are written and revised to account for this, and provide security in the face of exposure. Some people/companies are just too dumb/lazy/evil to actually fix the problems they know exist. And the average internet user should not be expected to understand the technical issues involved in this security. A web browser, by definition, should be able to connect to unknown/untrusted hosts and present the user with whatever kind of "rich multimedia experience" the content creators have imagined - within a framework of safety and protection from malicious code. This is more than possible. This should be taken as a given.
Now, as I said, the reality is not so perfect. There are known exploits and unknown exploits. I'm sure there are probably even unknown unknowns. But, I will consider the internet to have been a complete failure if I end up restricted to having the reality of the great-big-world around me presented by the likes of the CNN and BBC.
Get rid of IE. True you can't uninstall it, but you can at least use a different default browser.
If you're a network administrator and there are certain websites that are needed for work and require IE, that's simple enough to solve.
Install a proxy, set IE to use that proxy and have the proxy only allow those websites to load. Then pre-load IE with those favorites. Finally have every user send each company an email a day bitching about their broken software.
The additional cost of the IE proxy, well simply explain to management that is part of the overhead of using windows and IE. Further explain that website X, X, X, X are security holes and that for now you've got to do the best you can to get around it. When they balk at the security thing, explain that at least weekly for the past couple years there has been a vulnerability in IE which could have given complete access to accounting.
That puts things in perspective. Now you can use Mozilla/Firebird, users can still browse those sites they need for work that are IE only. And the boss is aware that Microsoft = serious security risk, one that would allow someone else to take their money and devalue the company stock.
Sorry, I think you're wrong. It's not a virus. It's a virus and general malware delivery toolkit.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Not a bad start.
We don't let them even see their C: drive, either (amongst other restrictions). Draconian? Yes, but it's the only sane approach for a corporate network. With what we give them, they can accomplish everything they need to get their job done.
Sane? I have my doubts, when free OSes exist that require far less effort on your part. What exactly do your users need to get their job done? How do you know? Do you realize that by doing all of that you have eliminated almost all of the reasons to run windoze in the first place? Why pay for something you don't want to use? I'd rather have a KDE desktop that I can plug my camera and PDA into. You must have some nasty DOS thing holding you back.
Friends don't help friends install M$ junk.
Riiiight... Like how Apache has a larger market share than IIS, and it has way less security vulnerabilities.
I'm sure there's plenty more holes in IE left to be found, and many more will be created when other crap is stacked on top of it and leveraged by the operating system.
A good thing is healthy competition, and good open source alternatives should make Microsoft improve the quality of their products to compete; we have just started to see that.
grep -iw skynet
At the risk of veering off topic, ATMs are another area where people need to get the word out. Most banks that are considering switching to Microsoft software on the ATM screen are doing it so they get nice pretty colors and can run ads there. I encourage everyone whose bank or credit union still has an old fashioned green or amber ATM display to tell them you want security over bells and whistles. You might even want to tell them you would move your money to avoid risking trusting it to a Windows CE based "solution".
To at least swerve back towards the topic, many of the better posts on this thread also make great ammunition for arguments against 'upgrading' ATMs to Microsoft based products.
Who is John Cabal?
What a load of rubbish. You're right about Active Scripting, but there's nothing wrong with Javascript, and sensible use of Javascript makes the whole web more responsive.
For example, when you fill in a form, local Javascript should validate the entries whenever possible. This gives much quicker feedback to the user because it avoids a round-trip to the server (and it reduces the load on the server as well). We need more sites doing this, not fewer.
(Of course, all validation has to be repeated on the server, but "pre"-validation is still a huge time-saver, bandwidth-saver, and server-load-saver).
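The two-sided validation the post above argues for, as an added example that is not code from the original thread. One validation routine is shared by the form's onsubmit handler (instant feedback, no round trip) and by the server-side handler, which runs the identical check on whatever actually arrived, because a crafted POST, a proxy, or a browser with scripting off skips the client check entirely. The field names, limits, handler names and the two sample submissions are constructed for the example.

```javascript
// Added example, not code from the original thread. One validation routine
// shared by browser and server; the server never trusts that the browser
// ran it. Field names, limits and the sample submissions are made up.

function asString(v) { return v === undefined || v === null ? '' : String(v); }

// Returns the names of the invalid fields; an empty list means the order is OK.
function validateOrder(fields) {
  const errors = [];
  const email = asString(fields.email).trim();
  if (email.length > 254 || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push('email');
  const quantity = asString(fields.quantity).trim();
  if (!/^[0-9]{1,3}$/.test(quantity) || Number(quantity) < 1 || Number(quantity) > 100) {
    errors.push('quantity');
  }
  const note = asString(fields.note);
  if (note.length > 500 || /[<>]/.test(note)) errors.push('note');
  return errors;
}

// Browser side: wired to the form's onsubmit. Returning false keeps the
// submission from being sent, so bad input never costs a round trip.
function onSubmit(fields, showError) {
  const errors = validateOrder(fields);
  for (const field of errors) showError(field);
  return errors.length === 0;
}

// Server side: the same check again on the body that actually arrived.
// Nothing here assumes onSubmit ran; a crafted request skips it entirely.
function handleOrderPost(body) {
  const errors = validateOrder(body);
  if (errors.length > 0) return { status: 400, errors };
  return {
    status: 200,
    order: { email: asString(body.email).trim(), quantity: Number(body.quantity) },
  };
}

// Constructed submissions: one the browser check passes, one crafted to
// bypass the browser and aim at the database and the page that echoes the note.
const GOOD_SUBMISSION = { email: 'alice@example.com', quantity: '2', note: 'leave at door' };
const CRAFTED_SUBMISSION = { email: 'alice@example.com', quantity: '-1 OR 1=1', note: '<script>x</script>' };
```

Keeping the rules in one function is what makes the "repeat it on the server" requirement cheap: the client and server cannot drift apart, and the server-side call is the one that actually counts.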
Would it be possible to create a web browser that runs as a Java applet within IE? I'm thinking...port Mozilla to Java....create an applet. Then let people with IE-only systems go to the applet page and execute the Mozilla Java application and BAM! They're running Mozilla (or some browser) without installing it.
Any thoughts?
Na... the best firewall is a physical wall that blocks the computer from any physical contact (including the network cable)
Damn right, Jim. Watch the process in win2K for example, when you switch from a local page of some kind to something on the net. explorer.exe grabs a bit more memory and continues running with the same PID. I don't know much about the internals of Win2K, but IMO IE and windows explorer are one and the same. I don't think we should infer too much from the different applications.
Because of the built-in nature of IE, it is in fact impossible to fully remove it from Windows 2K IME without breaking the OS. I suspect it is similar in XP also.
Real stupidity beats artificial intelligence every time.
-- Terry Pratchett, Hogfather