Another Zero-Day IE Scripting Exploit
billstewart writes "A Computerworld Article reports a pair of vulnerabilities to Internet Explorer that allow Windows machines to be 0wned by a single click on a malicious web page. It was discovered by Dutch researcher Jelmer. As usual, the primary workaround is to disable Active Scripting for any sites that aren't Trusted, but you should have turned off that and Javascript years ago for safety anyway. At least one of the holes is fixed in XP Service Pack 2, but that doesn't fix previous versions of Windows and it's still only beta."
Here is the BugTraq Archive link. WARNING: the link to this site contains OTHER links to the ACTUAL exploit as well as the source code and a non-harmless display. Use at your OWN risk. Just thought I would put out the disclaimer.
Hmmm.
You can download a fix for this here.
Workaround for this bug has been posted. "Don't click links!"
This really does get boring, reading about these IE holes and vulnerabilities. I'm still at a loss to understand why a powerful global corporation in business for decades is incapable of fixing fundamental problems with their browser which are showing up again and again.
;), but why should a web browser EVER be capable of causing such chaos?
It's entirely possible to be user-friendly and easy-to-use, as browsers such as Mozilla, FireFox and Opera show. However, seeing serious and trivial-to-exploit vulnerabilities like this popping up so frequently makes me wonder what kind of programmers actually work for Microsoft.
I imagine the codebase for a complex feature-rich browser could get quite large and complicated, and modern browsers seem to have everything built in but the kitchen sink (in Microsoft's case, an entire OS is embedded into IE...
A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.
I'm sorry... javascript is a requirement on the modern web. If you are afraid to leave it on, you might want to look into switching browsers. Next you'll tell us cookies are "tracking you" and you should turn that off as well.
In that case it would be up to the network administrator to put secure software on the users' machines. Why would they want to take such a risk by running Internet Explorer?
Unfortunately, some businesses restrict what software the employees can install on their computer.
I understand where you are coming from. I had to fight for my Netscape/Mozilla installation while working for a military installation as a contractor. The attitude of "One Military One Operating System" still rings through those halls. Pretty stupid attitude IMO. I would respond "One Military One Missile System". Needless to say, they didn't laugh.
Basically whenever a new worm or virus came out they were VERY busy. I was responsible for the Solaris and Linux servers and was quite amused. Occasionally I pointed out how calm my life was compared to their frantic patching sessions. Sure I had patching that was needed now and then. Certainly was nothing like their experiences.
A web browser should NOT be tied into the OS core as IE is with Windows. A tiny speed gain (or any other reasons for that matter) is not worth all these security issues.
You know when you buy new Italian salad dressing, and the oil and the spices are all separated in different layers? That is what good software architecture is supposed to look like.
Now, shake up the bottle. That is what Microsoft software looks like.
This isn't the only occurrence of such an exploit. Windows machines can also be easily owned by a single click on Dell.com. I believe it is the "Buy it now" button.
Another IE security problem, are you surprised by this? Let's make an insecure piece of software that integrates into our operating system with portions of it running at Ring Zero. This allows whatever malicious code/hacker to gain access to your system.
Now most people recommend just switching to Linux. Yeah that works. But what about those hacked Windows PCs that happen to be remotely controlled? Some are sending SPAM, others are used for DDoS attacks and others just scan all the IP space they can get ahold of.
It is a vicious cycle which has been growing more pronounced over the past 4 years. The only real solution to this problem is to inform people. Don't just tell people to use something else.
Explain the advantages of using a different program. In this case explain how Mozilla or Opera being separate programs with different internal works and security systems are not going to be compromised as easily.
Push harder towards Open Media/Content
I've managed to get my parents and my girlfriend's parents to switch to Firefox. I have also got several non-computing friends to use it. I use it on my Mac, Windows PC and my Linux server, it's great and secure.
Most people, of course, have never heard of Firefox.
Why don't the "responsible" PC magazines who complain about all these security issues push Firefox? Are they worried about their advertising revenues? Maybe they just don't know any better.
Kevin
As always, it is the from-the-start design problems that are exploited here; artificial solutions like separating the internet into "zones" (local, trusted, etc.) are just patches that don't resolve the core problem, so it still has more holes than a Swiss cheese.
But after reading the article, I tried the real installer URL, and, surprise, with Norton Antivirus (fully updated) the ad-bar WAS installed.
As said in the article, due to various layers of encoding the javascript, detection is avoided.
Ad-Aware luckily recognized all 34 (!!) regkeys, DLLs, etc.
We're talking MS here.
RC1 = Alpha
Release = Beta
Release + many patches later = Release
IE never gives me problems because I'm using it on a Mac (OS9). In 10 years I've never been touched by an exploit, worm or virus. Windows users will be patching and updating through the next 3 generations of hardware, as they have been since 486 days. Please, this isn't flamebait. I prefer IE over Opera, Mozilla (Netscape), and everything else. (Although Wannabe is a great text-only browser--lean and fast.) The problem is definitely in the OS. And to the usual astroturf reply, "just wait til exploit writers target Macs," it's not going to happen for the lifetime of the Mac I'm on, during which I will have peace of mind. How many more exploits will we read about on Slashdot in that timeframe? Guesses?
This kind of thing has become a serious problem. And no, up-to-date antivirus software and Windows' built-in firewall are not the answer.
The problem with this one is that, by the time client's antivirus software is up to date for the latest viruses, worms, and exploits, the damage is already done. I have had Windows boxes on which the antiviruses were updated twice daily - just to find that by the time I had received the update, the malicious software had already been on the machine. God knows for how long.
On a Windows box at home, despite antivirus software, Windows' built-in firewall and a 3rd party firewall software, I once counted 12 (!) different infections within less than 24 hours.
Interestingly enough, it's gotten much better for me at home since I've been running my Windows box through a Linux gateway. Still, stuff slips through, but it's on the order of one a week or so. This has taught me one lesson:
If you have to run Windows on a machine connected to the net, for your own sake and the sake of others you're prone to infect, run a reliable hardware router with a reliable firewall, or take an old computer and run a Linux gateway/router. You wouldn't believe how much trouble you'll spare yourself.
Idealism must mesh with reality at some point. I use Firefox, love it, and will probably never go back.
However, there are still websites that only render correctly within Internet Explorer. The Dell website is a great example--within some of their "Premier" stores, they have a series of nested menus that are built around ActiveX controls. Thus, they only work with Internet Explorer. Try it with another browser, and duh, um, um, um, I'm clicking, I'm clicking, but nothing is happening.
Yeah, I have actually written to Dell about this instead of just accepting it, and though I received an initial response back, I did not receive back a response when I requested they use a vendor-neutral technology like Javascript instead. Unfortunately, they would rather write a website that works for 95% of the population.
As an end user, there is pretty much nothing I can do about this. Yes, I did my part by writing them, but unless a significant portion of their customer base does the same thing, they will not change.
Dutch researcher Jelmer [...] embarked on a detailed analysis of the link, which demonstrates an extremely sophisticated use of encrypted code.
Hmm... I hardly consider using the (unfortunately) existing Script encoding feature in IE to be 'sophisticated'. Besides, for those who are not DMCA-encumbered, here is a program to Decode the Javascript contained in the "JScript.Encode" areas. (The author of the script has an interesting and informative article on what a piece of crap the JScript.Encode function is, and can be found here)
What a load of rubbish. You're right about Active Scripting, but there's nothing wrong with Javascript, and sensible use of Javascript makes the whole web more responsive.
For example, when you fill in a form, local Javascript should validate the entries whenever possible. This gives much quicker feedback to the user because it avoids a round-trip to the server (and it reduces the load on the server as well). We need more sites doing this, not fewer.
(Of course, all validation has to be repeated on the server, but "pre"-validation is still a huge time-saver, bandwidth-saver, and server-load-saver).