Slashdot Mirror


IE Download.Ject Exploit Fixed

Saint Aardvark writes "Just in time for the weekend, the Internet Storm Center is reporting that Microsoft is providing a fix for the Download.Ject vulnerability that hit IE late last month. The press statement says that it'll hit Windows Update later today..."

16 of 421 comments

  1. That reminds me... by DaHat · Score: 5, Funny

    That assumes I remember to run Windows Update... Why do I have to do it myself Microsoft! I want automatic and forceful patch downloading and installation! Sure, you could throw in an extra DRM patch here or there... but I don't care, I'm lazy!

  2. Re:FYI by Anonymous Coward · Score: 5, Informative

    Nope:

    Critical Update for Microsoft Data Access Components - Disable ADODB.Stream object from Internet Explorer (KB870669)
    Adodb.stream provides a method for reading and writing files on a hard drive.

    Quick Info
    File Name: Windows-KB870669-x86-ENU.exe
    Download Size: 104 KB
    Date Published: 7/2/2004
    Version: 870669

    Overview
    Adodb.stream provides a method for reading and writing files on a hard drive. This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ). This occurs because the ADODB.Stream object allows access to the hard drive when hosted within Internet Explorer.


    It has nothing to do with known threats.

  3. In Other News... by Snagle · Score: 5, Funny

    The Department Of Homeland Security said it is safe to go back to using Internet Explorer as your main browser...for about 10 minutes, when the next exploit will be released.

  4. The Vulnerability by lousyd · Score: 5, Funny

    > the Download.Ject vulnerability that hit IE late last month. The press statement says that it'll hit Windows Update later today..."

    So, the vulnerability will hit Windows Update later today? How do they know? (Other than the fact that Microsoft is running security at the Windows Update site, of course.)

    --
    If aspiration is a virtue, achievement cannot be a vice.

  5. All right!!! by k4_pacific · Score: 5, Funny

    That means all the sys-admins will have to work late on a Friday night making sure it's installed.

    Excellent timing.

    --
    Unknown host pong.

  6. Re:FYI by quadra23 · Score: 5, Insightful

    This is just another "this will help for now, please wait for the real fix" incident from Microsoft.

    I think I lost count at about 1000 when it comes to these "this will help for now..." When it comes to IE most fixes end up as patches that can actually break more than they fix. I think the Dept. of Homeland Security's recommendation of not using IE speaks loud and clear to this.

    Microsoft could start by not allowing web sites to automatically run malicious code, just as Outlook has the same tendency with emails (which incidentally, most email viruses spread rapidly with).

  7. Loaded terminology... by Anonymous Coward · Score: 5, Insightful

    "Late last month"

    vs.

    "A week or so ago"

    I know Microsoft is not one for timely updates, but this wording makes it sound like Microsoft has been sitting on this particular problem a lot longer than they have.

  8. Coming soon... by sleighb0y · Score: 5, Funny

    Download.Ject.A
    Download.Ject.B
    Download.Ject.C
    Download.Ject.D..............

  9. IE Features by johnhennessy · Score: 5, Insightful

    What use are IE's extra features if they have to be turned off by default?

    ActiveX should never have been embedded into a browser in the way it has been. Yet most of the sites that I have to use IE for is because of ActiveX controls.

    Microsoft tricked a lot of the world into using ActiveX and now they're paying the price.

    I can hear the support conversations already -
    "Yes, if your security zone is set to high your computer won't be vulnerable. But if you want to view anything with ActiveX (read: multimedia) you'll have to turn these vulnerabilities back on."

    Does anyone else find this mildly insane?

    --
    [ Monday is a terrible way to spend one seventh of your life. ]

  10. Microsoft released a fix a long time ago by Sheepdot · Score: 5, Informative

    Ever wondered how IE exploits get a whole executable to your computer?

    Wonder no more. 11 months of IE exploits and at least a year or two's worth of future exploits can be avoided with one simple registry change. The problem that MS has isn't that they are incompetent, it's that they insist on leaving default features that are used by 1% of administrators like myself.

    98% of spyware released since January 2004 can be avoided with the above registry fix. If you think that statistic is outrageous, I challenge you to find one piece of malware installed without using ADODB.Stream in one way, shape, or form. Be forewarned, I make and research IE exploits for a living and wouldn't make this kind of a claim without having the data to back it up.

  11. Yippee! by callipygian-showsyst · Score: 5, Interesting

    Despite all our whining and moaning, (and the fact that this bug was the straw that broke the Camel's Back and I switched to mozilla and thunderbird) Microsoft did act pretty fast here. It was less than a week, wasn't it?

    And, while it's unfortunate that many people don't (or can't) run Windows Update, it works well for people with fast connections who are behind firewalls so their systems don't get screwed up before they can patch them!

  12. Re:FYI by Tackhead · Score: 5, Funny

    > This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an internet web site to execute script from the Local Machine Zone (LMZ).

    Ah, once again, "Security Zones" rears its ugly head. Wasn't integrating the browser into the operating system a brilliant move?

    Ah, once again, the assumption that users are using Web-based apps in a trusted environment such as the office LAN, rather than the Real World(tm), rears its ugly head. Services listening on 135? 137? 139? 445? 5000? But how will you share files, printers? Doesn't everyone want to share every file with every other user on their network segment? Doesn't everyone want to automatically sniff out and configure their machine to work with every network-attached peripheral?

    Open Letter to Windows design team, in monosyllables so you get the fucking point, because you sure as fuck haven't over the past nine years

    Code. Code belong on hard drive. Code tell a C.P.U. to do stuff. You get code, you save code, you tell box to run code! O.S. do what code say, so if you get owned, is your fault cuz you tell O.S. to run code! This just fine!

    Web Pages. Made of H.T.M.L. You get by click link. to make words and pics on screen. You got H.T.M.L.? I.E. for turn the H.T.M.L. into pics on screen. I.E. good for show text. I.E. good for show click link. I.E. good for show boobs.

    Heap Big Clue: I.E. MADE OF CODE. I.E. CODE RUN ON LOCAL MACHINE. THEREFORE ALL ZONE ARE LOCAL. You no grok? Here two by four. Hit self in head until you grok, dumb ass.

    This isn't chocolate and peanut butter. Executables and Web Content are not two great tastes that taste great together. Just because you can do something, doesn't mean you should.

    Security "zones" are one of the dumbest fucking ideas ever to come down the pipe.

  13. I'm already patched! by SnarfQuest · Score: 5, Funny

    Microsoft e-mailed me the patch some time ago, like they do with all their other security updates. I install them all as they come in, and keep my system virus free!

    --
    Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.

  14. Dear Microsoft, by stienman · Score: 5, Funny

    Dear Microsoft,
    I am writing concerning downloading the most recent Windows Updates. I am unable to obtain them as your site requires IE, and the government recently suggested that users cease use of IE.

    Please help!

    -Adam

  15. Attack and solution known since Aug. 2003 by weld · Score: 5, Interesting

    See Full Disclosure list for an attack that used same technique back in Aug. 2003:

    FullDisclosure: ADODB.Stream object

    Any attack vector that relies on an ActiveX control can be stopped by setting the killbit. This is IE security 101.


    -weld
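
Added example, not part of the thread and not Microsoft's code: the kill bit mentioned in comment 15 is the 0x400 bit of a control's "Compatibility Flags" value under IE's ActiveX Compatibility registry key, so a text export of that key can be audited offline for the controls you expect to be blocked. The function names are hypothetical, and the CLSIDs and flag values in the sample are constructed placeholders.

```python
import re

# Key under which IE stores per-control compatibility flags (one subkey per CLSID).
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")
KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that stops IE loading the control
SECTION = re.compile(r"^\[(.+)\]$")
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})$')

def parse_compat_flags(reg_text):
    """Map CLSID (upper-cased) -> flags int, or None if the key has no flags value."""
    found, current = {}, None
    prefix = COMPAT_KEY.upper() + "\\"
    for line in (raw.strip() for raw in reg_text.splitlines()):
        section = SECTION.match(line)
        if section:  # new key: track it only if it sits under COMPAT_KEY
            key = section.group(1).upper()
            current = key[len(prefix):] if key.startswith(prefix) else None
            if current:
                found.setdefault(current, None)
            continue
        value = FLAGS.match(line)
        if value and current:
            found[current] = int(value.group(1), 16)
    return found

def killbit_status(reg_text, clsids):
    """Report, per requested CLSID, whether the export shows the kill bit set."""
    found = parse_compat_flags(reg_text)
    report = {}
    for clsid in clsids:
        key = clsid.upper()  # registry key names are case-insensitive
        if key not in found:
            report[clsid] = "no key"
        elif found[key] is None:
            report[clsid] = "key without flags"
        else:
            report[clsid] = "set" if found[key] & KILL_BIT else "clear"
    return report

# Constructed sample export; every CLSID below is a placeholder, not a real control.
IDS = ["{0000AAAA-0000-0000-0000-00000000000%d}" % n for n in range(1, 6)]
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[%s\\%s]" % (COMPAT_KEY, IDS[0]), '"Compatibility Flags"=dword:00000400', "",
    "[%s\\%s]" % (COMPAT_KEY.lower(), IDS[1].lower()), '"Compatibility Flags"=dword:00800000', "",
    "[%s\\%s]" % (COMPAT_KEY, IDS[2]), '"Compatibility Flags"=dword:00000c00', "",
    "[%s\\%s]" % (COMPAT_KEY, IDS[3]), '"Other Value"=dword:00000001',
])
```

Registry Editor version 5.00 export files are UTF-16, so decode the file before passing its text to `killbit_status`. On 64-bit Windows, 32-bit IE reads the same key under `SOFTWARE\Wow6432Node`, which this example does not cover.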

  16. IE Patches no worse than viruses? by MooseByte · Score: 5, Funny

    "Second, I have never -- that means NOT EVER -- seen an IE fix that broke my machine worse than a virus would."

    Hmmm. Well THERE's a ringing endorsement....