Slashdot Mirror
Another Zero-Day IE Scripting Exploit
billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."
Here is the BugTraq Archive link.. WARNING.. The link to this site contains OTHER links to the ACTUAL exploit as well as the source code and a non-harmless display. Use at your OWN risk. Just thought I would put out the disclaimer.
Hmmm.
You can download a fix for this here.
Things you think are in the Constitution, but are not.
Workaround for this bug has been posted. "Don't click links!"
This really does get boring, reading about these IE holes and vulnerabilities. I'm still at a loss to understand why a powerful global corperation in business for decades is incapable of fixing fundamental problems with their browser which are showing up again and again.
;), but why should a web browser EVER
be capable of causing such chaos?
It's entirely possible to be user-friendly and easy-to-use, as browsers such as Mozilla, FireFox and Opera show. However, seeing serious and trivial-to-exploit vulnerabilites like this popping up so frequently makes me wonder what kind of programmers actually work for Microsoft.
I imagine the codebase for a complex feature-rich browser could get quite large and complicated, and modern browsers seem to have everything built in but the kitchen sink (in Microsoft's case, an entire OS is embedded into IE...
A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.
I am beginning to feel if I am going to be screwed by microsoft they should buy me dinner and a movie first...
Off to check for updates.
The IE security issue dejure.. How about an MS update that simply shuts down all that extra junk by default instead of leaving it open for average Joe User? Make them turn it on if they absolutely need it for whatever reason. Duh!!
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
Unfortuneately, some businesses restrict what software the employees can install on their computer. I've written about such an experience here.
I'm sorry... javascript is a requirement on the modern web. If you are afraid to leave it on, you might want to look into switching browsers. Next you'll tell us cookies are "tracking you" and you should turn that off as well.
A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.
You know when you buy new italian salid dressing, and the oil and the spices are all separated in different layers? That is what good software architecture is supposed to look like.
Now, shake up the bottle. That is what Microsoft software looks like.
I tried the demonstration, and Norton popped up and prevented the thing from running. Apparently someone's on the ball somewhere.
Let's not stir that bag of worms...
Symantec catches this vulnerability as the following:
a tion: Quarantine
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Downloader.Trojan
File: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\67HK1KWV\installer[1].html
Loc
Computer: Computer
User: User
Action taken: Quarantine succeeded : Access denied
Date found: Wednesday, June 09, 2004 11:56:26 AM
Most corporations should have little to worry about.
-Tolerate my intolerance
This isn't the only occurance of such an exploit. Windows machines can also be easily owned by a single click on Dell.com. I believe it is the "Buy it now" button.
Reference to Microsoft advice (he was trying to be funny, you insensive clod.)
.Usually, people that find a security hole will kepp it to themselves and alert the vendor about it. Then, giving them substantial time (in Microsoft's case) to fix the hole, you can release the hole and how it was exploited. When a hole is released in the wild without the vendor knowing about it, it's called 0-day.
Hmmm.
Another IE security problem, are you suprised by this? Lets make an insecure piece of software that intergrates into our operating system with portions of it running at Ring Zero. This allowing whatever malicious code/hacker to gain access to your system.
Now most people recommnd just switching to Linux. Yeah that works. But what about those hacked Windows PCs that happen to be remotely controlled? Some are sending SPAM others are used for DDoS attacks and others just scan all the IP space they can get ahold of.
It is a vicious cycle which has been growing more pronounced over the past 4 years. The only real solution to this problem is to inform people. Don't just tell people to use something else.
Explain the advantages of using a different program. In this case explain how Mozilla or Opera being seperate programs with different internal works and security systems are not going to be compromised as easily.
Push harder towards Open Media/Content
You're wrong. Javascript doesn't need to be avoided, it needs to be used sensibly. When it's used in the right way, it can improve the usability of a website.
Just because a website uses Javascript, it doesn't mean that it locks out those who have switched it off. The key is to educate the clueless Javascript abusers that do things like <a href="javascript:... or <a href="#" onclick... so that they don't lock people out.
The exploit page in reference installs a toolbar that causes your searches to be redirected to
y .com
http://www.i-lookup.com
If you go to that page, what is the top search.
Uninstall spyware.
People get infected and use there own search to find a product to fix the problem.
Anyway, enough with the fun stuff, How about someone, the FBI or some agency go after who ever owns www.i-lookup.com.
i-lookup.com
production
Aztec Marketing S.A.
aztecmanager@hotmail.com
Sabana sur
Supermercado AM PM
San Jose
Costa Rica
ns1.dnsoutofcountry.com
ns2.dnsoutofcountr
Come on, we helped raid drug lords in columbia, we feret out saddam and are still chasing bin laden.
Why not us the long arm of the law to give this ahole a major smack down!!!
Personal Website
While we're dealing with the extra load processing validations that used to be client side (you know, the extra load only a few hundred thousand users visiting every day can generate), maybe then we can start explaining to the people that actually make the decisions why doing all of the above made our site more inconvenient, not less.
Or maybe a certain large company can actually take some responsbility and help make more secure the tools that we need for our business to work effectively.
Disclaimer: usually, the people that know how to turn off Javascript are the ones that are capable of inputting data into a form the right way the first time, so we don't have a big problem with that.
-Rob
Marriage doesn't have to suck!
I've managed to get my parents and my girlfriend's parents to switch to Firefox. I have also got several non-computing friends to use it. I use it on my Mac, Windows PC and my Linux server, it's great and secure.
Most people, of course, have never heard of Firefox.
Why don't the "responsible" PC magazines who complain about all these security issues push Firefox? Are they worried about their advertising revenues? Maybe they just don't know any better.
Kevin
"It's not the cough that carries you off, it's the coffin they carry you off in" O. Nash
And worse, that happens in every IE descendant? There are a lot of "alternative" browsers that are uses IE engine to render html, sites, help files, whatever to show their content, including specially outlook (and that probably will mean a new mail worm in the next few days).
It is RC1 and it is available here
As always, are from the start design problems the ones exploited here, artificial solutions like separating internet in "zones" (local, trusted, etc) are just patches that don't resolve the core problem so it still have more holes that a swiss cheese.
Right... so it's time to turn to Struts and JSPs for validation every form on our site.
Yes, because you can't trust the client! You can't trust that the client has javascript turned on. You can't even trust that he is running a web browser. He may be running some cool scripts an POSTing whatever malicious data he thinks would be fun to try.
Really, if it is important to validate your data you need to do it on the server!
)9TSS
IE never gives me problems because I'm using it on a Mac (OS9). In 10 years I've never been touched by an exploit, worm or virus. Windows users will be patching and updating through the next 3 generations of hardware, as they have been since 486 days. Please, this isn't flamebait. I prefer IE over Opera, Mozilla (Netscape), and everything else. (Although Wannabe is a great text-only browser--lean and fast.) The problem is definitely in the OS. And to the usual astroturf reply, "just wait til exploit writers target Macs," it's not going to happen for the lifetime of the Mac I'm on, during which I will have peace of mind. How many more exploits will we read about on Slashdot in that timeframe? Guesses?
This kind of thing has become a serious problem. And no, up-to-date antivirus software and Windows' builtin firewall are not the answer.
The problem with this one is that, by the time client's antivirus software is up to date for the latest viruses, worms, and exploits, the damage is already done. I have had Windows boxes on which the antiviruses were updated twice daily - just to find that by the time I had received the update, the malicious software had already been on the machine. God knows for how long.
On a Windows box at home, despite antivirus software, Windows' builtin firewall and a 3rd party firewall software, I once counted 12 (!) different infections within less than 24 hours.
Interestingly enough, it's gotten much better for me at home since I've been running my Windows box through a Linux gateway. Still, stuff slips through, but it's on the order of one a week or so. This has taught me one lesson:
If you have to run Windows on a machine connected to the net, for your own sake and the sake of others you're prone to infect, run a reliable hardware router with a reliable firewall, or take an old computer and run a linux gateway/router. You wouldn't believe how much trouble you'll spare yourself.
Idealism must mesh with reality at some point. I use Firefox, love it, and will probably never go back.
..
However, there are still websites that only render correctly within Internet Explorer. The Dell website is a great example--within some of their "Premier" stores, they have a series of nested menus that are built around ActiveX controls. Thus, they only work with Internet Explorer. Try it with another browser, and duh, um, um, um, I'm clicking, I'm clicking, but nothing is happening.
Yeah, I have actually written to Dell about this instead of just accepting it, and though I received an initial response back, I did not receive back a response when I requested they use a vendor-neutral technology like Javascript instead. Unfortunately, they would rather write a website that works for 95% of the population.
As an end user, there is pretty much nothing I can do about this. Yes, I did my part by writing them, but unless a significant portion of their customer base does the same thing, they will not change.
Dutch researcher Jelmer [...] embarked on a detailed analysis of the link, which demonstrates an extremely sophisticated use of encrypted code.
Hmm... I hardly consider using the (unfortunatly) existing Script encoding feature in IE to be 'sophisticated'. Besides, for those who are not DMCA-encumbered, here is a program to Decode the Javascript contained in the "JScript.Encode" areas. (The author of the script has an interesting and informative article on what a piece of crap the JScript.Encode function is, and can be found here)
Are you crazy? Client side validation is _only_ useful for cosmetics, being able to alert the user to an error before they submit the form. Anyone who doesn't validate everything on the server is just bending over and asking for it...
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
You forgot to tell the reader one thing - all those bugs in Mozilla are already fixed.
None of the ones in the IE list are.
Either you don't read carefully or you are purposefully trying to mislead, I can't decide which.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Get rid of IE. True you can't uninstall it, but you can at least use a different default browser.
If your a network administrator and there are certain websites that are needed for work and require IE, that's simple enough to solve.
Install a proxy, set IE to use that proxy and have the proxy only allow those websites to load. Then pre-load IE with those favorites. Finally have every user send each company an email a day bitching about their broken software.
The additional cost of the IE proxy, well simply explain to management that is part of the overhead of using windows and IE. Further explain that website X, X, X, X are security holes and that for now you've got to do the best you can to get around it. When they balk at the security thing, explain that at least weekly for the past couple years there has been a vulnerability in IE which could have given complete access to accounting.
That puts things in perspective. Now you can use Mozilla/Firebird, users can still browse those sites they need for work that are IE only. And the boss is aware that Microsoft = serious security risk, one that would allow someone else to take their money and devalue the company stock.
What a load of rubbish. You're right about Active Scripting, but there's nothing wrong with Javascript, and sensible use of Javascript makes the whole web more responsive.
For example, when you fill in a form, local Javascript should validate the entries whenever possible. This gives much quicker feedback to the user because it avoids a round-trip to the server (and it reduces the load on the server as well). We need more sites doing this, not fewer.
(Of course, all validation has to be repeated on the server, but "pre"-validation is still a huge time-saver, bandwidth-saver, and server-load-saver).