Slashdot Mirror
4 New "Extremely Critical" IE Vulnerabilities
TopherTG writes "Buckle your seat belts folks. On what is looking to be the next Black Tuesday, with rumors of 9 new Windows security patches being released, Secunia is reporting on 4 new vulnerabilities in IE that allow for arbitrary code execution and placing content over other windows. Combined with the new Windows patches, it is likely more Download.Ject and Sasser like viruses will be emerging in the coming months."
First hit on Google:
/ black_tuesday.htm
http://mutualfunds.about.com/cs/1929marketcrash/a
"Black Tuesday is notorious for being the worst day in the U.S. stock market"...
You didn't even try, did you?
"Solution: Disable Active Scripting. Use another product."
Creative Demolition
The day the stock market crashed in 1929, beginning the great depression.
Internet Explorer in Windows XP SP2 Releae candidate is not vulnerable to any of these exploits.
Link:
Are the Browser Wars Back?
AOL has, in the past, been both Netscape and Internet Explorer based. Not sure which one it is currently, though.
tasks(723) drafts(105) languages(484) examples(29106)
Mute? Dontcha mean "moot"?
I'm not tense. I'm just terribly, terribly, alert.
It refers to the Microsoft policy of releasing security vulnerabilities on the second Tuesday of each month instead of the time they become available.
It's skewed highly towards the web developers/more technically inclined, BUT the fact that non-IE browsers are doing so well there is a GREAT sign, as it means web designers are moving away from IE.
If you want a better general representation of the web, Google's Zeitgeist web browsers graph (from May) is a better place to look. If you zoom in, you do see that the Mozilla based browsers are slowly gaining.
Google doesn't index user sigs, so stop trying to "Google Bomb" with them.
It's an MSIE5/6 which also support shell: URLs :)
Trolling using another account since 2005.
how about "for all intents and purposes" instead, Chuck?
(double checks his post for mistakes)
Put the Windows Update site into the "local sites" zone or whatever Internet Explorer calls it. Set the "local sites" security to the same as the Internet zone, and then switch Active Scripting off in the Internet zone.
This effectively emulates the domain-specific Javascript settings in other browsers.
Disable Active Scripting in the Internet Zone; put WindowsUpdate.com in the Trusted Zone.
It's always a long day... 86400 doesn't fit into a short.
And anyone who has better get them to update again: firefox/mozilla holes and no, this isn't the shell: bug from last week.
The fourth vulnerability (createPopup) has already been exploited in phishing scams for some time now. Initial reports of the exploit only started coming in a couple months ago, even the vulnerability has existed since IE 5.5.
Scammers use it to mask the address bar and/or other browser widgets (such as the secure icon). This exploit is particularly dangerous because it can be used to mask/disguise any part of the user's screen, including other windows or even the start menu.
I submitted it to slashdot over a month ago, but it was never greenlighted. I guess these IE vulnerabilities are so commonplace it takes several at once to make the main page...
web design experiments
Marketshare is largely irrelevant. See Apache vs IIS.
"Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
Interestingly enough, IE is telling me http://windowsupdate.microsoft.com and http://v4.windowsupdate.microsoft.com are invalid sites when I attempt to add them to the "Local Intranet" group. Very strange...
Fixes for other others apps or fixes for potential problems? That wasn't hard.
Actually, in Japanese is means "NO!" in a rather abrupt and impolite fashion.
Uncheck 'require https verification'.
That's exactly the argument that Microsoft apologists have been using for years. But just because Microsoft products are more pervasive does not mean that they are just as secure as Linux, OS X, et. al..
In point of fact operating systems are not all the same. Some sacrifice security for flexibility or features (ex: Windows). Some eschew clever new features and integration in favor of security (ex: OpenBSD).
Microsoft's development methodology for years was built around increasing the featureset of the Windows OS and Office suite. Marketing drove development of the OS, and development priorities were established accordingly.
Are Yugos as safe as Volvos? Do MiG-29s carry as many passengers as 757s? Software is designed, and in any design process you have to make trade-offs. Microsoft has repeatedly shown us what their design priorities are, and the fact that Microsoft products are ubiquitous doesn't mean that some competing OSes are not inherently easier to secure.
Read the EFF's Fair Use FAQ
It does not affect the Mac version. In any case you might consider trying Firefox when you find a site that doesn't work in Safari (or whatever browser you are using primarily). Often it will work fine in Firefox. I prefer Safari, but if a site doesn't work in it, it doesn't work in it and that's when I try Firefox. I haven't had to use IE for Mac in a long, long time.
--- What?
But is it actually an exploit?
He starts off by saying the cache folder is known - actually the folder name has random characters (last 3 in Firefox, first 8 in Mozilla), so that's not true - you have at best a 1 in 17000 of guessing it.
Then he talks about the user opening file:// URLs - what would cause the user to do that? If you have to tell the user "please type this URL into your address bar", that's not much of an exploit. Links to file:// URLs from http:// URLs don't work.
And as someone else pointed out, the script running in a page from a file:// URL has pretty much the same permissions as a script running in a remote page anyway - there is no "local zone" concept in Mozilla/Firefox.
Certainly sounds like there may be a bug or two described there, but I don't see an exploit.
Microsoft's human resources problem of hiring people from good colleges who lack real programming experience.
...in no sense, is stability a reason to move to a new version. It's never a reason.
Microsoft is the largest user of H1B's in the US. They also structure their company around independent contractors who are only allowed to work enough each year to make sure they are ineligible for benefits. Makes for a truly motivated and competent work force, wouldn't you say?
At the same time, you must have noticed that many, many of the discovered IE vulnerabilties were associated with integrating the browser into the OS. This was based on political, not technical reasons, and then rushed through in such a hurry that it was poorly implemented and thought about not at all.
And then we have direct quotes from Bill Gates, the founder of Microsoft, that detail his concerns about software quality: There are no significant bugs in our released software that any significant number of users want fixed.
All of Microsoft's problems start at the top.
There's already a lot of discussion going on about "use Mozilla/Firefox/Safari/Lynx/whatever", so I won't rehash that here. If you can pull it off in your environment, great.
There are a lot of environments, however, where switching from IE just isn't an immediate option. In the future, perhaps, but worm writers and virus scripters won't wait. So here's my advice, my hope, and my PLEA to all you I.T. guys out there.
No matter how much you hate IE, please, for the love of God, get your users to UPDATE THEIR SYSTEMS WITH THE PATCHES. Even if they don't use IE.
We can all save ourselves and each other a hell of a lot of hassle by taking Microsoft's efforts to patch their product as what it is: an effort (however feebly-, politically-, or economically minded) to secure their product. The viruses and worms generally aren't harmful to the user--it's all the network traffic that infected machines produce that is the major headache. Spam, pingfloods, DDoS, it all targets other services and the infrastructure on which we all depend. Be neighborly on the Internet, and make sure you've got your systems are secure as they can be, even if they're not the systems you'd prefer to run.
Switch browsers, yes. If it makes sense for you and you can do it, go for it. But don't let everyone on your site get infected in the meantime. Remember that the the majority of viruses and attack exploits out there in the past months have been proactively counteracted by Microsoft patches.
Infections are caused by morons who don't patch. DON'T LET YOUR USERS BE MORONS (to the extent that this is possible).
Thanks,
The Internet
"Schadenfreude"
The word you are looking for does not exist in English, but in German they say Schadenfreude. It is a sort of malicious glee at the misfortunes of others. It can also contain an element of "I told you so".
None of them can see the clouds; The polished wings don't care.
Ok, after messing with the probably intentionally vague security settings, I have discovered that it is impossible to disable Active Scripting and yet leave JavaScript enabled. Same deal with ActiveX and Plugins (Flash being one of them).
...but I guess that's a bit too much to ask for.
Since most sites use at least some amount of Javascript and Flash (e.g. gmail), you're left with these choices...
* Turn off all scripting
* Take your chances with Microsoft's flaws
* Deal with the annoying 'prompt' for just about every page
* Manually configure the pages you want as trusted sites
Boy, I wish there was a selection that said...
"Disable all Microsoft(R) Web Technologies"
Does it hurt to hear them lying? Was this the only world you had?
There's the Mozilla ActiveX Control which sounded like the thing to run ActiveX in Mozilla, but it's really a thing to control Mozilla with ActiveX.
And there's this IEPatcher thing which seems to already be able to patch an IE-using program to use Mozilla. Proceed at your own risk, of course.
I agree that an official Mozilla open source drop-in DLL would be nice, but I just wanted to point out that it looks like some people are working towards what you suggest.
7d9e63e9501751ff4bf9307989d5623d *SheepHead
1. Standard apps (such as palm hotsynch) and many games don't work properly as non-root
For games that "require" Administrator access, I just use a no-CD crack. The only reason that games ever require Administrator-level privledges is for incredibly poorly-designed CD-checking systems (and as there are CD-checking systems that don't require Administrative access, like that used with Unreal Tournament 2004, there is absolutely no excuse for it anymore).
I don't know about Palm sync, but my boyfriend uses a Palm and he's something of a Windows 2000/XP security nut. I'll ask him, because he's very big on not running as Administrator unless absolutely necessary.
2. I don't want to have switch user each time I need to do an administrator-level activity -- particlulary since brain-dead windoze takes a minute or more to do this even on a fast machine.
Solution: right-click on icon, choose "Run As". If "Run As" does not appear, hold "Shift" and right-click, and it should appear. I run Windows Update while logged in via my standard user account (Power Users group) through this method.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
I just called my boyfriend and asked.
The solution for Palm hotsync:
Give the user Administrative-level access.
Install the Palm software.
Explicitly grant the user access to the installed Palm files in Program Files (rather than doing it via Group access).
Remove the user from the Administrators group.
Voila. Palm hotsync works without Admin rights. The temporary Administrator rights are needed so that the installer can create certain user-specific registry keys. Another way to do it is to install it under an Administrator's account and then export/import the reg keys, but my boyfriend reports that temporarily setting up the user with Admin rights is overall easier.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
In SP2, by default, the local machine zone actually has even less security priviledges than the internet zone. So injecting script into from the internet wouldn't create any elevation of priviledge. So in this case, yes, SP2 would keep you "super-safe" (as long as you didn't muck with the settings to turn the local machine zone back into a super-priviledged zone like it was in the past).
I'd rather be lucky than good.
By any chance do you have a newer Dell? I know newer ones came bundled with AOL software already installed on them with this URL in the Trusted Sites list.
3 or 4 years ago when I worked on the IE team there were nearly 400 people total on the team. That included devs, testers and program managers and various other levels of management. I don't remember how many where actually developers but 100+ wouldn't surprise me.
I just tried "runas /u:Admin explorer". It promted me for a password, and then created a new explorer process running as the user Admin.....You could also start a command prompt and run explorer from there.
You have a user named Admin or did you mean the Administrator? Here's what happens when I run the exact same thing you put here (except as Administrator) from a cmd window:
C:\>runas /u:Administrator explorer
Enter password for Administrator:
Attempting to start "explorer" as user "Administrator"...
C:\>
NOTHING. Thats what happens. Not a damn thing appeared.
It worked from xpsp1 and 2ksp3.
This is win2k SP4.
runas is crap. Doesn't even compare to su, which works identically across the 4 different *nix OS's that I admin. Even if runas does work for you, it still doesn't work here. Which I found is typical in windows, such as vbs. The same damn code and scripts don't run the same way on different machines, even though they have the same exact versions of the OS and VBS/WSH
C Pungent
I'd rather say "Grab your popcorn!" ;-)
Honestly, anyone who is still using IE on Windows can't be in his/her right mind.
Sorry, but he said eVC++ 4.0. This is eMbedded Visual C++ 4.0 for Pocket PC/Windows Mobile development and it is the latest version for that platform.
From below address:d =10093
:)
:)
http://www.crackbaby.com/article.php?si
How to Remove Internet Explorer
Posted on Thursday, July 08 @ 08:40:23 PDT
Ok, this story is for you geeks out there that actually know what you are doing. It requires editing of your registry and should not be done by anyone who doesn't know what they are doing.
This will effectively neuter IE on your system and divert all shell calls to IE to your alternative browser. Read on for details...
The other day I brought alot of your attention to the an exploit being used with the SCOB exploit that causes hackers to be able to execute arbitrary code on your system. This is the exploit that caused every security agency including CERT and homeland security to say 'dump IE'. I called Microsoft tech support and called and called and no one knew how to disable Internet Explorer or would even help me to do it without badgering; even then, they couldn't figure out how to do it. This is why they get paid the big bucks. So I decided to see if I couldn't figure it out myself.
Since you cannot remove IE from the OS, you have to disable it in some way or make it so that it can't be accessed via shell (not going to happen). Well after some experimentation of my own and reading through the registry diligently, I have your answer:
1. If you do not have IE 6 installed on your machine, install it using Microsoft Update. Reboot
2. Go to add/remove programs in control panel. Remove IE. Reboot.
1. after reboot it will ask if you want to get rid of your settings. Just say yes or else it will ask indefinitely.
3. Backup your registry
4. Do a search through the registry for 'iexplore.exe' and 'url.dll'. Replacing HKEY_CLASSES_ROOT instances of these two with the path to your alternative browser seems to do the trick. I now have all my other Microsoft apps that would normally call IE, now calling Firefox.
For instance, I have Mozilla Firefox as my alternate browser so I replace with the following:
open/command -> C:PROGRA~1MOZILL~1FIREFOX.EXE -url "%1"
DefaultIcon -> C:PROGRA~1MOZILL~1FIREFOX.EXE,1
If you don't have a good registry editing tool, I suggest JV16 Power Tools. A very good program for editing and cleaning the registry as well as several other nice tools. Plus it has a 30 day trial period enabling you to use it for this task though I do suggest purchasing since it's a great tool
After this is all done, it works beautifully and I haven't had a single problem. This is not a simple solution but it is effective. You may want to experiment a bit more by searching through the registry for instances of Iexplore and tweaking HKEY_LOCAL_MACHINE as well but the above should take care of security concerns which is all we are worried about.
For those non-techies out there who don't feel up to this task, there is an easier way to avoid this problem... switch to Linux.
NOTE: I should also mention that because the system will always attempt to recreate IE, when it does using the default installed browser that is integrated into the system, do the following:
1. got to c:Program FilesInternet Exporer and right click on Iexplore.exe
2. Go to properties/security (make sure you are logged in as admin of the machine)
3. Remove ALL permissions!
This will effectively make it so that the system cannot call the program and in alot of instance, I have found that if it cannot open Iexplore.exe, it will ask you for an alternative browser to use.
A "trusted source" would have an X509 Code Signing Certificate signed with the private key of a known third party verification service such as VeriSign or Thawte. Thus, the author of the ActiveX control is verified by public key cryptography. Now, whether or not you want to trust OptInRealBig LLC of Buffalo, New York is up to you, but at least you would know that ActiveX control comes from OptInRealBig LLC of Buffalo, New York. code signing authorities, such as VeriSign and Thawte, will not issue a code signing certificate without legal proof of identity. In the example case they would verify that the corporation exists by checking with the state's records and that the person making the request is a registered officer of the corporation in question. The company that I work for had to get one recently and we had to pay a fee of several hundred dollars and jump through many hoops to get it (obviously designed to discourage the average miscreant). I hope that this answers your question.