IE Download.Ject Exploit Fixed

Saint Aardvark writes "Just in time for the weekend, the Internet Storm Center is reporting that Microsoft is providing a fix for the Download.Ject vulnerability that hit IE late last month. The press statement says that it'll hit Windows Update later today..."

FYI

[arieswind]

This configuration change to the Windows XP, Windows Server 2003 and Windows 2000 operating systems improves system resiliency to protect against the Download.Ject attack.

In addition to this configuration change, which will protect customers against the immediate reported threats, Microsoft is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protections for our customers.

Please note that this isnt a fix, it is only a configuration change to help defend against the problem and nullify the threat from the known places it is spreading from. No doubt that within a short time, whoever is behind the virus will find other places to have the virus attack from. This is just another "this will help for now, please wait for the real fix" incident from Microsoft.

Re:FYI

Nope:

Critical Update for Microsoft Data Access Components - Disable ADODB.Stream object from Internet Explorer (KB870669)
Adodb.stream provides a method for reading and writing files on a hard drive.

Quick Info
File Name:
Windows-KB870669-x86-ENU.exe

Download Size:
104 KB

Date Published:
7/2/2004

Version:
870669

Overview
Adodb.stream provides a method for reading and writing files on a hard drive. This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ). This occurs because the ADODB.Stream object allows access to the hard drive when hosted within Internet Explorer.

It has nothing to do with known threats.

Re:FYI

[quadra23]

This is just another "this will help for now, please wait for the real fix" incident from Microsoft.

I think I lost count at about 1000 when it comes to these "this will help for now..." When it comes to IE most fixes end up as patches that can actually break more than they fix. I think the Dept. of Homeland's Security recommendation of not using IE speaks loud and clear to this.

Microsoft could start but not allowing web sites to automatically run malicious code, just as Outlook has the same tendency with emails (which incidently, most email viruses spread rapidly with).

Re:FYI

[Tackhead]

> This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ).

Ah, once again, "Security Zones" rears its ugly head. Wasn't integrating the browser into the operating system a brilliant move?

Ah, once again, the assumption that users are using Web-based apps in a trusted environment such as the office LAN, rather than the Real World(tm), rears its ugly head. Services listening on 135? 137? 139? 445? 5000? But how will you share files, printers? Doesn't everyone want to share every file with every other user on their network segment? Doesn't everyone want to automatically sniff out and configure their machine to work with every network-attached peripheral?

Open Letter to Windows design team, in monosyllables so you get the fucking point, because you sure as fuck haven't over the past nine years

Code. Code belong on hard drive. Code tell a C.P.U. to do stuff. You get code, you save code, you tell box to run code! O.S. do what code say, so if you get owned, is your fault cuz you tell O.S. to run code! This just fine!

Web Pages. Made of H.T.M.L. You get by click link. to make words and pics on screen. You got H.T.M.L.? I.E. for turn the H.T.M.L. into pics on screen. I.E. good for show text. I.E. good for show click link. I.E. good for show boobs.

Heap Big Clue: I.E. MADE OF CODE. I.E. CODE RUN ON LOCAL MACHINE. THEREFORE ALL ZONE ARE LOCAL. You no grok? Here two by four. Hit self in head until you grok, dumb ass.

This isn't chocolate and peanut butter. Executables and Web Content are not two great tastes that taste great together. Just because you can do something, doesn't mean you should.

Security "zones" are one of the dumbest fucking ideas ever to come down the pipe.

Re:FYI

[dasmegabyte]

You're making claims that are untrue and short sighted. I call FUD.

First, to release a patch to a commercial application used by millions of people is inherently troublesome. You've got to make sure you test it thoroughly...because unlike Open Source, the liability is on YOU if people can't get their work done. If there is a change to an existing setting that can defray the effect of the vulnerability and give you more time to test, it would be remiss of you not to inform customers of it. Would you rather they ask customers to wait a few days until the patch is thoroughly QA'd?

Second, I have never -- that means NOT EVER -- seen an IE fix that broke my machine worse than a virus would. The fix might cause problems with IE, but it wouldn't cause my machine to send spam email against my will. And the VAST majority of IE fixes have had no ill effects whatsoever. On the other hand, emerging the latest from gentoo causes something to break a substantial percentage of the time.

I do agree that IE isn't the best browser ever, but this doesn't excuse you from putting blame where it doesn't belong. If you're going to fault Microsoft for anything, fault them for not being up front about the patch process. They should let us know at every step of the way what the problem is, how to patch it for now, when a fix will be ready and how to defray such bugs from allowing exploits in the future. That's one cue from OSS they'd be smart to heed. All software is buggy. Pretending it's not is tantemount to pretending you aren't going to fix it.

Re:FYI

[geekopus]

to release a patch to a commercial application...(you've) got to make sure you test it thoroughly because...unlike Open Source, the liability is on YOU if people can't get their work done

I agree with most of your post, but I haven't seen many manufacturers care a whit about liability. In fact, the EULA specifically absolves MS of any liability. Most OSS licenses do the same, of course, but you imply that MS can be held liable, which they cannot.

Re:FYI

[nate1138]

the liability is on YOU if people can't get their work done

Now I call FUD on you. MS's EULA clearly states that they aren't liable for ANYTHING that their software does or does not do. Face the facts, IE is broken by design, and the only realistic alternative is to switch to another browser.

Re:FYI

[Kent+Recal]

because unlike Open Source, the liability is on YOU if people can't get their work done.

Oh, really now?

So where do I have to send my bill on lost work hours due to MS exploits to get a refund?

Re:FYI

[o_kenway]

but I guarantee you that if Microsoft knowingly released an IE patch that fucked the whole internet, there would be lawsuits.

I thought they already had - three in fact - Internet Explorer, Outlook Express and IIS. They seem to be getting away with it so far :-)

Re:FYI

[Temporal]

Are you trying to suggest that web sites should not be allowed to contain scripts? Or that sandboxing code with different levels of trust is not a useful ability? Or what? Because either of those assertions is pretty dumb. Microsoft's problem is that their API's are a mess and security checks aren't always performed or performed correctly. There's too many places in the API where security checks need to be performed, so it's hard to test them all. If they had said from the start that any API component which wanted to access protected system components (the hard drive or whatever) had to go through some unified security module (rather than performing its own security checks then using OS-level API calls), it would have been a lot easier to prevent security problems. I'm guessing they weren't so organized, though. Point is, this is a case of bad implementation, not bad concept. It is certainly feasible to implement sandboxing (such as IE's "security zones") securely.

Re:FYI

Guy make joke. You too serious. Here two by four. Hit self until grok.

Ian

Re:FYI

[Temporal]

His post appeared to be a serious message presented in a joking fashion. The joke half was funny, sure, but the serious half didn't make any sense.

Re:FYI

[Tackhead]

> Are you trying to suggest that web sites should not be allowed to contain scripts? Or that sandboxing code with different levels of trust is not a useful ability?

Yes to the former. No to the latter -- but with the caveat that the thing that should be sandboxing code is the operating system, not the web browser.

A web browser is not an operating system. It has no business doing anything other than turning HTML into boobies.

> Microsoft's problem is that their API's are a mess and security checks aren't always performed or performed correctly.

Remote execution of untrusted code is bad. Tools that enable untrusted code to run in an unsandboxable environment are bad. Tools that enable untrusted code to run in an unsandboxable environment, but that assume the sandbox's integrity is intact, are unforgivable.

Given this -- and it's not like it was a big secret, even at Microsoft -- was it, or was it not, Really. Fucking. Stupid to base the operating system's patch delivery mechanism (windowsupdate.microsoft.com), all locally-stored online help (.chm), email client (outleak), web browser (IE), on a set of assumptions that its developers knew to be patently false at design time, let alone implementation time?

Answer: "We don't care how fucking stupid it is, we got scared into thinking Netscape might do the same sort of stupid thing on Solaris using Java applets on thin clients to talk to an Oracle database, which would have jeopardized our desktop monopoly. It's been six years since the market rejected that paradigm, but have no fear, we're still designing the same stupid into Longhorn."

Re:FYI

[Temporal]

Remote execution of untrusted code is bad.

Not if it's sandboxed.

Tools that enable untrusted code to run in an unsandboxable environment are bad.

What makes an environment "unsandboxable"? We're not talking C code here, where you can access any object in memory if you know where in might be likely to reside. We're talking about scripting languages where you can only access the functionality provided by the API.

No to the latter -- but with the caveat that the thing that should be sandboxing code is the operating system, not the web browser.

An implementation of a programming language or even an API for a pointer-safe programming language is a perfectly good place to do sandboxing. Are you against Java's sandboxing? That's not part of the OS, is it? And yet Java applets are supported by every major browser. Why is it only bad when Microsoft does it?

I'm no IE fan -- I actively encourage my friends to switch to Firefox -- but I believe that it can be very useful to mix code with data, and I know for a fact that it can be done securely. Microsoft just doesn't know how to do it right.

Re:FYI

"What makes an environment "unsandboxable"?"

follow along, because perhaps you're a clueless MS programmer and don't get it.

1) IE really is integrated into windows. Sure, delete that icon on the desktop, but the entire help system is based around IE, the email client is based around IE, in fact every feature of the GUI is based around IE. You can't swing a memory mapped file without hitting a couple of IE API's.

2) IE itself contains provisions called BHO's and ActiveX controls that let you add new functionality to IE.

3) Therefore if IE is part of the operating system, and IE can be significantly altered either in advertantly ("Hey buddy, click here to win 1 million dollars!") or through a buffer overflow or similar trick, then you've given untrusted code a relatively easy path to alter the core OS.

4) Lets go through this again, because you're slow.

5) IE is core to OS, IE can be easily corrupted by executables on the web, therefore, the core OS is subject to security breaches simply by a user browsing the web.

I don't know how to make this clearer. The things I've seen IE do to Windows XP in the past 4 weeks make my hair stand on end. A simple click by a friend, who tried to close a popup, missed by 1/4" and basically allowed an ActiveX control to run rampant, cost us an entire two days work.

* The virus protection saw the problem but wasn't fast enough to fix it
* Spybot S&D 1.3 with latest patches was *BLIND* to this infection
* SpySweeper was able to kill things off, but only after we disabled system restore because guess what, every new piece of malware hijacks system restore and the system continuously reinfects itself.

Lets step by and see what's happening.

By design, IE has set up the entire Windows OS so that one inadvertant click in a user process can completely corrupt the OS.

*AND ITS DONE ON PURPOSE*

Honest to god, if someone told me that MS was that stupid 10 years ago, I'd laugh. But I've seen it with my own eyes. IE is so awful that it should not be used. The US government now recommends you shouldn't use it.

I like Windows XP, but IE is fatally flawed and must be rewritten. But hey, its so integrated in the OS that guess what... you have to rewrite the OS.

Holy cow, open your eyes. Its BAD out there!

That reminds me...

[DaHat]

That assumes I remember to run Windows Update... Why do I have to do it myself Microsoft! I want automatic and forceful patch downloading and installation! Sure, you could throw in an extra DRM patch here or there... but I don't care, I'm lazy!

Re:That reminds me...

[WoodstockJeff]

I know your post was taken as FUNNY, but I lost several hours last week installing, then uninstalling, an "important security patch" that took down the my client's Exchange Server. Had it been done automatically, the server would have simply stopped working for unknown reasons, at some MS-selected random time...

I, for one, do NOT look forward to the coming mandatory auto-patching, but I suppose it is inevitable with Microsoft.

Re:That reminds me...

[blindbat]

I was helping a fellow (via phone) repair his Windows installation that had a couple of viruses (at least), blaster and another worm. He even has the auto download of updates running so he thought he would be safe.

Problem: he is a dial up user and is never connected long enough at home to keep his system current.

So Windows will have to hi-jack the internet connection in order to get the downloads or half-knowlegdable users like this guy will still be victims.

Re:That reminds me...

[afidel]

Wow, tell your IT guys to use psshutdown from systinternals with a 30 second shutdown flag. Works wonderfully for me and if the user can't be bothered to save in 30 seconds the document isn't that important.

Re:That reminds me...

[innocent_white_lamb]

if the user can't be bothered to save in 30 seconds the document isn't that important.

30 whole seconds, eh? What if I'm writing the document and took a moment to walk across the room to the bookcase or filing cabinet to consult a reference of some kind? Or someone just walked in and asked me a question. Or the phone rang. Or...

30 whole seconds?

One down, ??? to go

[rjune]

For the others, Microsoft has provided customers with prescriptive guidance to help mitigate those issues.

Um

You can have Automatic Update download and even install things on Windows XP.

Re:Um

[Zed2K]

You can make it completely automatic on 2000 also.

Re:Um

[sid+crimson]

I don't need the Euro conversion utility. I don't need windows media player 9.

Autoupdate only installs "critical" patches. WM9 and the Euro tool are not such updates.

-sid

Re:Um

[TheSHAD0W]

You can set Automatic Update to ask whether you want the updates installed or not. Right-click My Computer, Properties, Automatic Updates tab, check "Keep my computer up to date", and select "Notify me before downloading any updates". (Note that this is for XP; there's a similar setting for 2K. Not sure about 98/ME.)

Re:Um

[strictnein]

First post:
That assumes I remember to run Windows Update... Why do I have to do it myself Microsoft! I want automatic and forceful patch downloading and installation!

Second post:
I use Windows Update religiously and do not have the auto update feature running

Are you an idiot? Seriously.

Got it, but..

[Dynamoo]

Got it, but in the meantime I switched to Mozilla Firefox and I honestly don't see any reason to go back to IE apart from a handful of aggressively IE-only sites.

Re:Got it, but..

[Lehk228]

troll? are you using .7?

Re:Got it, but..

[Anonym1ty]

aggressively IE-only sites

What? Like sites that do not function if they can't open a thousand windows? or can't force you to agree to download and install something without crashing the browser? (insert zillions of other annoying or dangerous exploits here)

If a site REQUIRES Internet Explorer perhaps you shouldn't go there. I mean now that the Department of Homeland Security is urging people not to use IE, Your bank better think real hard about requiring you to use it.

Re:Got it, but..

[jazzmans]

I've noticed, that if you have cookies blocked from doubleclick, the mozilla/firefox browser will sit on a web page for up to 2 minutes before loading. This is especially noticible on financial web sites, and news web sites. Doubleclick is causing this, not an error in the browser.

jaz

Re:Got it, but..

[Anonym1ty]

It's a university, isn't it? Why not ask them to have their computer students build another one?

Re:Got it, but..

[ccady]

Instead of disallowing DoubleClick cookies, edit your hosts file to change the address for the DoubleClick sites. These are the relevant ones that I've got in my hosts file--YMMV.

127.0.0.1 doubleclick.net
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.au.doubleclick.net
127.0.0.1 ad.fr.doubleclick.net
127.0.0.1 ad.uk.doubleclick.net
127.0.0.1 ln.doubleclick.net

Re:Got it, but..

[nick0909]

Up there in EN-62 that might work, but CM-99 being in litigous CA we probably couldn't build our own system, as it wouldn't pass all the privacy and other stupid regulations and certifications. Being a university doesn't mean they do things smart, it is still run by the State, which currently is being driven by the Govonator.

Someone tried to make a database as a Sr. project that needed some sort of info from the official enrolled student database, I forget exactly what but it wasn't even anything specific, just the number of students enrolled in each college or major, but they wouldn't release it because of privacy concerns. I stopped trying to figure out why they do things and just accept it as a government agency and change will take 20 years. This portal that was bought by the state for every CSU in the system (29 campuses) I have heard is the worst portal system there is on the market. But hey, we got it cheap!

Get the fix early here.

[Saeed+al-Sahaf]

The press statement says that it'll hit Windows Update later today...

O get the fix early, HERE.

Obvious link missing

[nizo]

Fix can be downloaded here.

In Other News...

[Snagle]

The Department Of Homeland Security said it is safe to go back to using Internet Explorer as your main browser...for about 10 minutes, when the next exploit will be released.

Re:In Other News...

[chris_mahan]

I notice that MS releases a "fix" of some sort when DoHS says: use another browser.

Can somebody at DoHS recommend switching to another browser every day so MS will start working on the backlog of bugs?

Another question: Are there enough of those high-flying MS developers still working on the IE codebase to make the changes in a timely manner or is there an aging skeletton crew to fix the vulnerabilities, not too motivated since they were passed up for work on .NET?

I wonder.

Somebody probably lit the proverbial fire under their bums this morning.

(They know how hard it is to get people to switch browsers. It took a while (2 years) with Netscape, and NS Communicator was a POS). I guess they are at the edge of the cliff and realized there's nowhere but down.

The Vulnerability

[lousyd]

the Download.Ject vulnerability that hit IE late last month. The press statement says that it'll hit Windows Update later today..."

So, the vulnerability will hit Windows Update later today? How do they know? (Other than the fact that Microsoft is running security at the Windows Update site, of course.)

All right!!!

[k4_pacific]

That means all the sys-admins will have to work late on a Friday night making sure its installed.

Excellent timing.

Loaded terminology...

"Late last month"

vs.

"A week or so ago"

I know Microsoft is not one for timely updates, but this wording makes it sound like Microsoft has been sitting on this particular problem a lot longer than they have.

What about ActiveX?

[jZnat]

They might've found one way to prevent the auto-download, but there are still plenty of ways to force a download using ActiveX. Even with that, there are still a few ways to run them too; methods that are still unknown to most assholes trying to get you to buy their pills that give you bigger penis-breasts-ego-wallet-spyware-car-wife-mom-WMDs .

Re:NOT an actual fix

[Lehk228]

when you set high security you cannot even use windows update, and putting windows update into trusted sites does not work right

late last month means

[Zed2K]

Late last month actually means June 25th. Which by my count was only 1 week ago. But it wouldn't be a bash microsoft topic without a little twisting and manipulation.

Why Ject?

Why is it called Ject? Is the virus writer or the AV firm some kind of closet Final Fantasy X fan? Seriously? Why Ject?

I think my brain just exploded.

[Ira+Sponsible]

This is completely incomprehensible. I'm using Mozilla Dangerphoenix, and ms let me get the download with no hassles at all. Of course it's not one of their usual updates, but I still find it hard to believe that they haven't broken the link for non-IE browsers like they do for the rest of their site. Unless the "Configuration Change" is really just an extension to "fix" my Mozilla Pornopony to behave just like IE. DAMN YOU MICROSOFT, WHEN CAN I TRUST YOU!!!

Coming soon...

[sleighb0y]

Download.Ject.A
Download.Ject.B
Download.Ject.C
Download.Ject.D..............

IE Features

[johnhennessy]

What use are IEs extra features if they have to be turned off by default.

ActiveX should never have been embedded into a browser in the way it has been. Yet most of the sites that I have to use IE for is because of ActiveX controls.

Microsoft tricked a lot of the world into using ActiveX and now they're paying the price.

I can hear the support conversations already -
"Yes, if your security zone is set to high your computer won't be vulnerable. But if you want to view anything with ActiveX (read: multimedia) you'll have to turn these vulnerabilities back on."

Does anyone else find this mildly insane ?

Re:I have a feeling

[Mishkin]

Well take a look here and see the blog of a windows developer. He really does get upset when people say that MS doesn't care about security.
I am sure you are all aware that windows is a fairly large OS that is designed to be easy to use for novices but allow Power Users to do their thing as well. I think it accomplishes that fairly well. They provide automatic updates to every computer now (if you are not too lazy to turn it on). I realize that this option is turned off by default but this is more because of the people (*cough* slashdotters *cough*) that say that MS will somehow steal all their secrets if you let them install updates automatically. I think MS does a good job updating system.


Also, if I see one more reply to an IE article with the line "Download the patch here" rated as "Funny", I will kill myself.

Microsoft released a fix a long time ago

[Sheepdot]

Ever wondered how IE exploits get a whole executable to your computer?

Wonder no more. 11 months of IE exploits and at least a year or two's worth of future exploits can be avoided with one simple registry change. The problem that MS has isn't that they are incompetent, it's that they insist on leaving default features that are used by 1% of administrators like myself.

98% of spyware released since January 2004 can be avoided with the above registry fix. If you think that statistic is outrageous, I challenge you to find one piece of malware installed without using ADODB.Stream in one way, shape, or form. Be forewarned, I make and research IE exploits for a living and wouldn't make this kind of a claim without having the data to back it up.

Re:Microsoft released a fix a long time ago

[egarland]

Isn't this exactly what he current fix is doing? I checked my registry after applying the fix and that key listed on that page seems to have been added.

Re:Microsoft released a fix a long time ago

[jesser]

11 months of IE exploits and at least a year or two's worth of future exploits can be avoided with one simple registry change.

The registry change you point to only affects the ADODB.Stream object. While holes involving ADODB.Stream may have made up a large porportion of successful exploits by spyware (as you claim), there have been other arbitrary-code-execution vulnerabilities in Internet Explorer during the time period you mention.

I'm guessing that there have been several zone-jumping holes, and ADODB.Stream makes all zone-jumping holes into arbitrary-code-execution holes. Is that what you mean by "using ADODB.Stream in one way, shape, or form"?

I make and research IE exploits for a living and wouldn't make this kind of a claim without having the data to back it up.

I find and fix Mozilla security holes as a hobby and I think you're making stuff up.

Yippee!

[callipygian-showsyst]

Despite all our whining and moaning, (and the fact that this bug was the straw that broke the Camel's Back and I switched to mozilla and thunderbird) Microsoft did act pretty fast here. It was less than a week, wasn't it?

And, while it's unfortunate that many people don't (or can't) run Windows Update, it works well for people with fast connections who are behind firewalls so their systems don't get screwed up before they can patch them!

Re:Yippee!

[Anonymous+Writer]

It was less than a week, wasn't it?

Nope

Re:Where is the notice?

[beezly]

There's a copy at http://www.kb.cert.org/vuls/id/323070. Right down at the bottom under "Use a different web browser".

Obligatory Monty Python quote

[harley_frog]

I think this quote best reflect the state of denial that Microsoft is currently in:

Black Knight: Have at you.
King Arthur: You are indeed brave, sir knight, but the fight is mine.
Black Knight: Oh, had enough eh?
King Arthur: Look, you stupid bastard. You've got no arms left.
Black Knight: Yes I have.
King Arthur: Look.
Black Knight: Just a flesh wound.

I'm already patched!

[SnarfQuest]

Microsoft e-mailed me the patch some time ago, like they do with all their other security updates. I install them all as they come in, and keep my system virus free!

Is this just coincidence?

[Anonymous+Writer]

It was only mentioned two posts before this that CERT advised people to stay away from IE, even though CERT released that advisory on June 10, and it was even reported on BBC on June 14. Now this story comes along mentioning the patch will be available later today? The CERT advisory could have been published on Slashdot nearly a month ago, but conveniently is published on the same day as the fix is released. Was it intentional to keep information about the CERT announcement off of Slashdot until the fix was released?

I Demand the Editors Change the Title...

[maggeth]

"Fixed" is a strong word, I suggest an alternate title for this article:

"Microsoft Kind of Does Something Vaguely Related to Download.Ject Exploit"

Re:48 Hours

[savagedome]

Stupid Mods. If you don't know what the poster is talking about, don't mod it. Just leave it and go to the next post.

He is referring to this Security Focus article

From the article,
Still, speaking at a press conference here Monday, Gates told journalists that Microsoft's patching process compares well with competitors'. "You know, the time -- the average time -- to fix on an operating system other than Windows is typically ninety to a hundred days," said Gates. "Today we have that down to less than forty-eight hours."

I already posted link to this article here

Dear Microsoft,

[stienman]

Dear Microsoft,
I am writing concerning downloading the most recent Windows Updates. I am unable to obtain them as your site requires IE, and the government recently suggested that users cease use of IE.

Please help!

-Adam

Fix not available yet

[mabu]

Talk about damage control... they don't have the fix on their site at the time of this writing... so it's vaporware for now.

I know of at least two very large companies who have moved to Firefox in the wake of this latest episode. I suspect many people are finally fed up, which has prompted MS to announce patches before they're even available.

Considering a recent patch to fix a vulnerability broke the complaince of IE as it relates to embedded uids/pws in URLs, I wouldn't be surprised if this "fix" ends up crippling something else.

We should start collecting wagers on what new problems this upcoming "fix" introduces. Otherwise it would probably be online by now.

Re:NOT an actual fix

[Lieutenant_Dan]

Nope, XP and 2003 have windowsupdate.microsoft.com as a trusted site. Unless you remove it manually, no setting will affect that.

Mind you, that still leaves the door open for someone clever to put an entry in the HOSTS file and do some nifty DNS man-in-the-middle trick, sending the unaware user somewhere else and trusting that "fake" windowsupdate.microsoft.com .

Which is nice.

Re:I have a feeling

[imroy]

It's worse than that. MS only appears to care about big customers, typically large corporations, institutes, and government departments. i.e places that are behind a firewall and have (nominally) competent IT staff to keep the network running smoothly. Just look at the number of TCP/UDP ports they keep open. That sort of behaviour is ok on a safe intranet, but it's sheer negligence for home users connected directly to the internet. I'm constantly seeing incoming requests to the "windows networking" ports (137, 135, 445) on my ADSL connection. Those ports just should not be open to the wider internet. And lastly, witness the number of error dialog boxes in windows that simply advise the user to seek help from "the network administrator".

It's the big customers that MS cares about, not the home users. And we're all worse off when the latest round of worms clog up the internet.

HERE Re:Where is the notice?

[holy_smoke]

http://www.kb.cert.org/vuls/id/713878

"Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML)."

Re:not a troll

[jesser]

The slashdot rendering bug (bug 217527) can happen even without AdBlock. It's fixed on the trunk, so if you switch from 0.9 or 0.9.1 to a trunk nightly, you won't see the problem any more.

Re:Where is the notice?

[jufineath]

http://www.kb.cert.org/vuls/id/323070

the very last suggested solution states:

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser.

i'm no web journalist, but i'd hardly call that a recommendation or urging to use a browser other than ie.

Re:If parent is true, please mod up!

[Sheepdot]

No offense taken.

I'm not exactly the most trustworthy person anyway, I've been compromising computers for the last 5 years.

Attack and solution known since Aug. 2003

[weld]

See Full Disclosure list for an attack that used same technique back in Aug. 2003:

FullDisclosure: ADODB.Stream object

Any attack vector that relies on an ActiveX control can be stopped by setting the killbit. This is IE security 101.

-weld

IE Patches no worse than viruses?

[MooseByte]

"Second, I have never -- that means NOT EVER -- seen an IE fix that broke my machine worse than a virus would."

Hmmm. Well THERE's a ringing endorsement....

IE Download.Ject Exploit *not* fixed

[yeremein]

... this update is actually just a configuration change that disables the ADODB.Stream object from within Internet Explorer.

The stream object contains several methods for reading and writing binary files and text files. When this by-design functionality is combined with known security vulnerabilities in Microsoft Internet Explorer, an Internet Web site could execute script from the Local Machine zone.

No security vulnerabilities have actually been fixed here; all that's happened is that some functionality (which exacerbated existing security holes and was probably a bad idea to begin with) has been disabled.

Security and MS "Getting it"

[geomon]

Okay, everyone has had a great deal of fun at Microsoft's expense today with the stories of Dept of Homeland Security dumping IE, and Microsoft taking nearly a month to fix a BIG exploit in IE. But I wonder if Microsoft's problems are less a function of them 'getting it' as much as it is a case of them being a 'victim of their own success'. Follow along with me for a minute.

When MS started its rise to the top, they hired as many of the brightest minds as they could to make their software the best of class. While many of us probably find the corner-cutting a bit too much to take, it is possible to have both world-class software while meeting a marketing deadline. It happens, but less frequently than MS or its defenders/supporters would like to think it does (lightning striking the same point twice *without* a lightning rod).

They continued to compete heavily in the OS market despite the fact that they initially wanted to be nothing more than a computer language business. The OS was to be the cash cow that would allow them to be a more effective language business. But now they own the OS business and are driving their business model into other ventures (consoles, entertainment centers, telephones, automotive brainboxes, etc). They just follow the same formula that lead to their smashing success in moving into the OS and office app market: buy the best brains in the field and use their project management skills and VOILA!, they are the new masters of the [insert market segment].

But consider the sandbox their bright minds play in: a homogeneous computing environment with computer scientists guarding the facility from outside intrusion. As has been noted in another slashdot article, Microsoft's products work wonderfully inside of Microsoft's campus.

They have extremely talented people working with the highest-end equipment in an environment where everything works nearly 100% of the time. Is it so surprising that they do not view the world the way we do?

After all, most of the companies that I have worked for are staffed with (largely) computer-illiterate people and whose firewall is maintained by a PFY with a high-school diploma.

Perhaps it would be better for Microsoft if they force their developers to create their products in environments that their customers use. In fact, maybe they should send their developers to test their products in the heterogeneous environments of their customers for a month or two.

Let them work the bugs out on their time for a change.

Windows 9x and Windows ME users still vulnerable?

[prandal]

According to SecuritiyFocus. Windows 95, 98 and ME users are also vulnerable. So why is this patch only for Windows NT, 2000, XP, and 2003?

It does NOT run on Windows 98.

Oh, I remember, Microsoft only produces patches for "supported" (if that's what you can call it) products.

Re:Windows 9x and Windows ME users still vulnerabl

[prandal]

Chuck this into a .reg file and import.. The bit in square brackets is one line only - substitute a space for any linebreaks...

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA 4}]
"Compatibility Flags"=dword:00000400

Re:Windows 9x and Windows ME users still vulnerabl

[prandal]

That isn't the point, surely? It would have been so easy to produce an executable which would have worked on 9x/ME too to set the registry key, and make it available to everybody via WindowsUpdate.

At the risk of repeating myself, Microsoft STILL hasn't got it.

Re:not a troll

[bheerssen]

Look, Firefox IS NOT READY for prime time. That's why it has a sub 1.0 version number, and why it is considered a 'technology preview'. In this context, some serious bugs are to be expected. Have some patience. The bug has been fixed in develepment and will make it into the normal builds in due time.

If you want to complain, complain about Seamonkey. It suffers from the same bug, yet is at version 1.7.

Oh, and btw, [Ctrl +] (optionally, followed quickly by [Ctrl -]) will cause the page to re-render and display correctly. It's an easy work around until the fix makes it into the official builds.

Re:not a troll

[ssstraub]

Except IE isn't ready for prime time either, and it's at 6.0.