Slashdot Mirror
Another Zero-Day IE Scripting Exploit
billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."
Here is the BugTraq Archive link.. WARNING.. The link to this site contains OTHER links to the ACTUAL exploit as well as the source code and a non-harmless display. Use at your OWN risk. Just thought I would put out the disclaimer.
Hmmm.
You can download a fix for this here.
Things you think are in the Constitution, but are not.
Workaround for this bug has been posted. "Don't click links!"
This really does get boring, reading about these IE holes and vulnerabilities. I'm still at a loss to understand why a powerful global corperation in business for decades is incapable of fixing fundamental problems with their browser which are showing up again and again.
;), but why should a web browser EVER
be capable of causing such chaos?
It's entirely possible to be user-friendly and easy-to-use, as browsers such as Mozilla, FireFox and Opera show. However, seeing serious and trivial-to-exploit vulnerabilites like this popping up so frequently makes me wonder what kind of programmers actually work for Microsoft.
I imagine the codebase for a complex feature-rich browser could get quite large and complicated, and modern browsers seem to have everything built in but the kitchen sink (in Microsoft's case, an entire OS is embedded into IE...
A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.
I am beginning to feel if I am going to be screwed by microsoft they should buy me dinner and a movie first...
Off to check for updates.
The IE security issue dejure.. How about an MS update that simply shuts down all that extra junk by default instead of leaving it open for average Joe User? Make them turn it on if they absolutely need it for whatever reason. Duh!!
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
Unfortuneately, some businesses restrict what software the employees can install on their computer. I've written about such an experience here.
I'm sorry... javascript is a requirement on the modern web. If you are afraid to leave it on, you might want to look into switching browsers. Next you'll tell us cookies are "tracking you" and you should turn that off as well.
A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.
You know when you buy new italian salid dressing, and the oil and the spices are all separated in different layers? That is what good software architecture is supposed to look like.
Now, shake up the bottle. That is what Microsoft software looks like.
Turn off JavaScript and try to buy something from your site. If you can't, you have a problem. Yes, you. Not your customer. You, the web designer.
Exploits like these, on the other hand, are akin to a passive attack from the inside (like an infected laptop connected from inside the firewall) but are even more serious, because very little action is required on part of the user to affect the attack and *very* difficult to monitor and contain.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
See, this is why I stay away from malicious web pages in the first place. You just can't trust those things!
Hey freaks: now you're ju
I tried the demonstration, and Norton popped up and prevented the thing from running. Apparently someone's on the ball somewhere.
Let's not stir that bag of worms...
I'd *love* to turn off Javascript, but there's so many idiots that use it in their webpages these days that using a large proportion of the web would be impossible.
Not that this currect problem affects me, since I use Galeon, but still, I'd love to see the end of Javascript...
-- Even if a god did exist, why the fsck should I worship it?
Symantec catches this vulnerability as the following:
a tion: Quarantine
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Downloader.Trojan
File: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\67HK1KWV\installer[1].html
Loc
Computer: Computer
User: User
Action taken: Quarantine succeeded : Access denied
Date found: Wednesday, June 09, 2004 11:56:26 AM
Most corporations should have little to worry about.
-Tolerate my intolerance
This isn't the only occurance of such an exploit. Windows machines can also be easily owned by a single click on Dell.com. I believe it is the "Buy it now" button.
Reference to Microsoft advice (he was trying to be funny, you insensive clod.)
.I bet most of the people on slashdot are aware of the constant problems with IE/Windows. Maybe if Microsloth got smart, they would include a popup with minesweeper and Solitaire that would check their systems for vulnerabilities while they were playing the game. If it automatically patched their systems, GREAT.
I think something like that would knock out most of the vulnerable sales people, secretaries, and executatives in the business world.
Why read the article when I can just make up a snap judgement?
Yeah, so who forced IE to be integrated with the OS?
Sure, don't blame X for being buggy, it's bugginess is result of braindead design.
Don't blame me for setting your house on fire, I'm a habitual smoker and can't stand a hour without a smoke.
Integration with OS was a conscious and completely wrong move and nobody else is to be blamed for that than Microsoft!
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
But that's the problem. The web browser shouldn't be integrated that way into the system.
Usually, people that find a security hole will kepp it to themselves and alert the vendor about it. Then, giving them substantial time (in Microsoft's case) to fix the hole, you can release the hole and how it was exploited. When a hole is released in the wild without the vendor knowing about it, it's called 0-day.
Hmmm.
Another IE security problem, are you suprised by this? Lets make an insecure piece of software that intergrates into our operating system with portions of it running at Ring Zero. This allowing whatever malicious code/hacker to gain access to your system.
Now most people recommnd just switching to Linux. Yeah that works. But what about those hacked Windows PCs that happen to be remotely controlled? Some are sending SPAM others are used for DDoS attacks and others just scan all the IP space they can get ahold of.
It is a vicious cycle which has been growing more pronounced over the past 4 years. The only real solution to this problem is to inform people. Don't just tell people to use something else.
Explain the advantages of using a different program. In this case explain how Mozilla or Opera being seperate programs with different internal works and security systems are not going to be compromised as easily.
Push harder towards Open Media/Content
Zero-day means the exploit was created on the same day the bug was found. For example, if somebody finds a hole in Apache (to pick a random softwar title) but nobody begins to exploit it until, say, a week later, it is not zero-day. This thing was so simple to exploit that somebody already has a working exploit running.
If my answers frighten you, stop asking scary questions.
The exploit page in reference installs a toolbar that causes your searches to be redirected to
y .com
http://www.i-lookup.com
If you go to that page, what is the top search.
Uninstall spyware.
People get infected and use there own search to find a product to fix the problem.
Anyway, enough with the fun stuff, How about someone, the FBI or some agency go after who ever owns www.i-lookup.com.
i-lookup.com
production
Aztec Marketing S.A.
aztecmanager@hotmail.com
Sabana sur
Supermercado AM PM
San Jose
Costa Rica
ns1.dnsoutofcountry.com
ns2.dnsoutofcountr
Come on, we helped raid drug lords in columbia, we feret out saddam and are still chasing bin laden.
Why not us the long arm of the law to give this ahole a major smack down!!!
Personal Website
I've managed to get my parents and my girlfriend's parents to switch to Firefox. I have also got several non-computing friends to use it. I use it on my Mac, Windows PC and my Linux server, it's great and secure.
Most people, of course, have never heard of Firefox.
Why don't the "responsible" PC magazines who complain about all these security issues push Firefox? Are they worried about their advertising revenues? Maybe they just don't know any better.
Kevin
"It's not the cough that carries you off, it's the coffin they carry you off in" O. Nash
And worse, that happens in every IE descendant? There are a lot of "alternative" browsers that are uses IE engine to render html, sites, help files, whatever to show their content, including specially outlook (and that probably will mean a new mail worm in the next few days).
Do people even use IE anymore? Is there some advantage, or is it just lack of interest/knowledge to get a new browser?
---
Adult Toys
It is RC1 and it is available here
As always, are from the start design problems the ones exploited here, artificial solutions like separating internet in "zones" (local, trusted, etc) are just patches that don't resolve the core problem so it still have more holes that a swiss cheese.
"The only reason there are so many of them [ security vulnerabilities] in IE is that its integrated well with OS."
Actually it's the exact opposite: It's integrated so piss-poorly with Windows, with no regard for security implications of the design. MS could have easily set up IE to play nicely in its own application space, rather than weaving it deep into the OS like a brain cancer.
IE never gives me problems because I'm using it on a Mac (OS9). In 10 years I've never been touched by an exploit, worm or virus. Windows users will be patching and updating through the next 3 generations of hardware, as they have been since 486 days. Please, this isn't flamebait. I prefer IE over Opera, Mozilla (Netscape), and everything else. (Although Wannabe is a great text-only browser--lean and fast.) The problem is definitely in the OS. And to the usual astroturf reply, "just wait til exploit writers target Macs," it's not going to happen for the lifetime of the Mac I'm on, during which I will have peace of mind. How many more exploits will we read about on Slashdot in that timeframe? Guesses?
This kind of thing has become a serious problem. And no, up-to-date antivirus software and Windows' builtin firewall are not the answer.
The problem with this one is that, by the time client's antivirus software is up to date for the latest viruses, worms, and exploits, the damage is already done. I have had Windows boxes on which the antiviruses were updated twice daily - just to find that by the time I had received the update, the malicious software had already been on the machine. God knows for how long.
On a Windows box at home, despite antivirus software, Windows' builtin firewall and a 3rd party firewall software, I once counted 12 (!) different infections within less than 24 hours.
Interestingly enough, it's gotten much better for me at home since I've been running my Windows box through a Linux gateway. Still, stuff slips through, but it's on the order of one a week or so. This has taught me one lesson:
If you have to run Windows on a machine connected to the net, for your own sake and the sake of others you're prone to infect, run a reliable hardware router with a reliable firewall, or take an old computer and run a linux gateway/router. You wouldn't believe how much trouble you'll spare yourself.
Idealism must mesh with reality at some point. I use Firefox, love it, and will probably never go back.
..
However, there are still websites that only render correctly within Internet Explorer. The Dell website is a great example--within some of their "Premier" stores, they have a series of nested menus that are built around ActiveX controls. Thus, they only work with Internet Explorer. Try it with another browser, and duh, um, um, um, I'm clicking, I'm clicking, but nothing is happening.
Yeah, I have actually written to Dell about this instead of just accepting it, and though I received an initial response back, I did not receive back a response when I requested they use a vendor-neutral technology like Javascript instead. Unfortunately, they would rather write a website that works for 95% of the population.
As an end user, there is pretty much nothing I can do about this. Yes, I did my part by writing them, but unless a significant portion of their customer base does the same thing, they will not change.
Dutch researcher Jelmer [...] embarked on a detailed analysis of the link, which demonstrates an extremely sophisticated use of encrypted code.
Hmm... I hardly consider using the (unfortunatly) existing Script encoding feature in IE to be 'sophisticated'. Besides, for those who are not DMCA-encumbered, here is a program to Decode the Javascript contained in the "JScript.Encode" areas. (The author of the script has an interesting and informative article on what a piece of crap the JScript.Encode function is, and can be found here)
0-day does not mean that there is "no-fix". No-fix just means that it is currently exploitable.
0-day hacks by definition are generally unknown. They may have been newly discovered, they may have been discovered by someone ages ago. The key is that they are generally unknown, and therefor can be used as a sort of currency (having discovered or access to an 0-day can get you into groups that trade in such things), or can be utilized as a last ditch approach at comprimising a machine you absolutely need to compromise (actually using an 0-day for something mundane would be a tremendous waste of a valuable resource).
This is just another publicly visible hack of IE. And thinking about it, go ahead and call them 0-day's, those in the know, know better, those that don't... Well who cares.
I love how so many articles contain ridiculous jabs thrown in right after the fact-finding portion. Disable Javascript? LOL. What the h-e-double-hockey-sticks is the submitter thinking?
"Politicians find new names for institutions which under old names have become odious to the people."
Nothing's a fortress, not even Linux (Hello? GNU, Gentoo, Debian, Gnome, Savannah, and more were hacked last year).
Give Mozilla the widespread usage (which is like industrial-strength beta-testing) that Internet Explorer has and see how many holes are blown open in it. Nothing is perfect, and it's silly and arrogant to pretend one project is a perfect solution above all others. This goes for anything, from operating systems to web browsers.
I'm an Opera user through and through, but most of my friends use MyIE, which gives them tabbed browsing, pop-up blocking, and more, but using IE's system libraries to render pages. It's their choice.
You forgot to tell the reader one thing - all those bugs in Mozilla are already fixed.
None of the ones in the IE list are.
Either you don't read carefully or you are purposefully trying to mislead, I can't decide which.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Sigh.
Remove Internet Explorer from Windows 2000. (Free)
Remove Internet Explorer from Windows XP.(Free)
FDV
...and not use IE. JavaScript, while often abused, is still useful for proper end-user UI feedback. Using a good browser (Moz/Firefox/Opera/!MSIE) will clean up most of the annoyances with JS problems.
Get rid of IE. True you can't uninstall it, but you can at least use a different default browser.
If your a network administrator and there are certain websites that are needed for work and require IE, that's simple enough to solve.
Install a proxy, set IE to use that proxy and have the proxy only allow those websites to load. Then pre-load IE with those favorites. Finally have every user send each company an email a day bitching about their broken software.
The additional cost of the IE proxy, well simply explain to management that is part of the overhead of using windows and IE. Further explain that website X, X, X, X are security holes and that for now you've got to do the best you can to get around it. When they balk at the security thing, explain that at least weekly for the past couple years there has been a vulnerability in IE which could have given complete access to accounting.
That puts things in perspective. Now you can use Mozilla/Firebird, users can still browse those sites they need for work that are IE only. And the boss is aware that Microsoft = serious security risk, one that would allow someone else to take their money and devalue the company stock.
Sorry, I think you're wrong. It's not a virus. It's a virus and general malware delivery toolkit.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
More than can be provided under Linux at the moment. Trust me, if I could have rolled out Linux desktops, I would have done so long ago.
I'd rather have a KDE desktop that I can plug my camera and PDA into.
I'm sure you would. Equally, it's my job to ensure that you can't :-) It's a vector for introducing
unauthorised and potentially harmful
files onto our corporate network. No thank you.
You must have some nasty DOS thing holding you back.
No, but there's a lot more to running a standard office than just Word, Excel, mail and web browsing. The call centre need integration with the phone system, for example. Various people need MS Project or Visio. Finance need SAP. Marketing and analytics need SAS. The creative team use Photoshop, Illustrator, etc. Yes, a lot of people could get 90% of their job done with a Unix desktop. But that remaining 10% is important, and the missing 10% is different for each department.
"The invisible and the non-existent look very much alike." -- Delos B. McKown
What a load of rubbish. You're right about Active Scripting, but there's nothing wrong with Javascript, and sensible use of Javascript makes the whole web more responsive.
For example, when you fill in a form, local Javascript should validate the entries whenever possible. This gives much quicker feedback to the user because it avoids a round-trip to the server (and it reduces the load on the server as well). We need more sites doing this, not fewer.
(Of course, all validation has to be repeated on the server, but "pre"-validation is still a huge time-saver, bandwidth-saver, and server-load-saver).