Slashdot Mirror

← Back to Stories (view on slashdot.org)

4 New "Extremely Critical" IE Vulnerabilities

Posted by CmdrTaco on from the are-you-ready-for-fun-and-excitement dept.

TopherTG writes "Buckle your seat belts folks. On what is looking to be the next Black Tuesday, with rumors of 9 new Windows security patches being released, Secunia is reporting on 4 new vulnerabilities in IE that allow for arbitrary code execution and placing content over other windows. Combined with the new Windows patches, it is likely more Download.Ject and Sasser like viruses will be emerging in the coming months."

36 of 1,081 comments (clear)

  1. Re:Black Tuesday? wth? by cuzality · · Score: 5, Informative

    First hit on Google:

    http://mutualfunds.about.com/cs/1929marketcrash/a/ black_tuesday.htm

    "Black Tuesday is notorious for being the worst day in the U.S. stock market"...

    You didn't even try, did you?

  2. Interesting... by NEOtaku17 · · Score: 2, Informative

    "Solution: Disable Active Scripting. Use another product."

    --
    Creative Demolition
    1. Re:Interesting... by Bedouin+X · · Score: 2, Informative

      Use the autoupdate feature. Patches (generally) only come out once a month.

      --
      Dissolve... Resolve... Evolve...
    2. Re:Interesting... by jmkaza · · Score: 2, Informative

      You can set your IE security level to high, disabling active scripting, then add windowsupdate to your trusted sites list, which will allow it to work.
      It's sad that the only thing I use IE for is to download security updates for IE.

  3. Re:Black Tuesday? wth? by Thrakkerzog · · Score: 4, Informative

    The day the stock market crashed in 1929, beginning the great depression.

  4. Re:Obligatory FireFox Boosterism by diagnosis · · Score: 2, Informative

    Link:
    Are the Browser Wars Back?

  5. Re:At what point... by Short+Circuit · · Score: 4, Informative

    AOL has, in the past, been both Netscape and Internet Explorer based. Not sure which one it is currently, though.

    --
    tasks(723) drafts(105) languages(484) examples(29106)
  6. Re:Hmmm.... by The+Angry+Mick · · Score: 2, Informative

    Mute? Dontcha mean "moot"?

    --

    I'm not tense. I'm just terribly, terribly, alert.

  7. Re:IE SP2 RC2 is not vulnerable by mopslik · · Score: 4, Informative

    Internet Explorer in Windows XP SP2 Releae candidate is not vulnerable to any of these exploits.

    *ahem*

    An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta).

  8. Re:Black Tuesday? wth? by octaene · · Score: 3, Informative

    It refers to the Microsoft policy of releasing security vulnerabilities on the second Tuesday of each month instead of the time they become available.

  9. W3schools isn't indicative of the entire web by friedegg · · Score: 5, Informative

    It's skewed highly towards the web developers/more technically inclined, BUT the fact that non-IE browsers are doing so well there is a GREAT sign, as it means web designers are moving away from IE.

    If you want a better general representation of the web, Google's Zeitgeist web browsers graph (from May) is a better place to look. If you zoom in, you do see that the Mozilla based browsers are slowly gaining.

    --
    Google doesn't index user sigs, so stop trying to "Google Bomb" with them.
  10. Re:At what point... by mirko · · Score: 5, Informative

    It's an MSIE5/6 which also support shell: URLs :)

    --
    Trolling using another account since 2005.
  11. Re:Hmmm.... by Bob+McCown · · Score: 2, Informative
    for all intensive purposes

    how about "for all intents and purposes" instead, Chuck?

    (double checks his post for mistakes)

  12. Re:Solution: by JimDabell · · Score: 5, Informative

    Put the Windows Update site into the "local sites" zone or whatever Internet Explorer calls it. Set the "local sites" security to the same as the Internet zone, and then switch Active Scripting off in the Internet zone.

    This effectively emulates the domain-specific Javascript settings in other browsers.

  13. Re:Solution: by Curien · · Score: 2, Informative

    Disable Active Scripting in the Internet Zone; put WindowsUpdate.com in the Trusted Zone.

    --
    It's always a long day... 86400 doesn't fit into a short.
  14. Re:Obligatory FireFox Boosterism by Rich · · Score: 3, Informative

    And anyone who has better get them to update again: firefox/mozilla holes and no, this isn't the shell: bug from last week.

  15. IE bugs and phishing by phatwuss · · Score: 4, Informative

    The fourth vulnerability (createPopup) has already been exploited in phishing scams for some time now. Initial reports of the exploit only started coming in a couple months ago, even the vulnerability has existed since IE 5.5.

    Scammers use it to mask the address bar and/or other browser widgets (such as the secure icon). This exploit is particularly dangerous because it can be used to mask/disguise any part of the user's screen, including other windows or even the start menu.

    I submitted it to slashdot over a month ago, but it was never greenlighted. I guess these IE vulnerabilities are so commonplace it takes several at once to make the main page...

    --
    web design experiments
    1. Re:IE bugs and phishing by phatwuss · · Score: 2, Informative

      Here's more on that. This article outlines how the vulnerability can be used to spoof the entire screen, this making everything suspect.

      They've even got a sample exploit for you IE users. An ActiveX dialog pops up and is made to appear innocuous through the exploit (drag the dialog box and you'll see). This one is harmless, but it gives you an idea of the danger.

      --
      web design experiments
  16. Re:Alternative Browser Security Question... by thelexx · · Score: 4, Informative

    Marketshare is largely irrelevant. See Apache vs IIS.

    --
    "Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
  17. Re:surprise by KarmaMB84 · · Score: 2, Informative

    Fixes for other others apps or fixes for potential problems? That wasn't hard.

  18. Re:Is it just me? by Sephiro444 · · Score: 2, Informative

    Actually, in Japanese is means "NO!" in a rather abrupt and impolite fashion.

  19. All OSes are not the same by Infonaut · · Score: 2, Informative
    it is an unfair (and in my opinion, too common) comparison to make to say that non-MS is MORE secure than MS, just because we hear about more exploiting of MS software

    That's exactly the argument that Microsoft apologists have been using for years. But just because Microsoft products are more pervasive does not mean that they are just as secure as Linux, OS X, et. al..

    In point of fact operating systems are not all the same. Some sacrifice security for flexibility or features (ex: Windows). Some eschew clever new features and integration in favor of security (ex: OpenBSD).

    Microsoft's development methodology for years was built around increasing the featureset of the Windows OS and Office suite. Marketing drove development of the OS, and development priorities were established accordingly.

    Are Yugos as safe as Volvos? Do MiG-29s carry as many passengers as 757s? Software is designed, and in any design process you have to make trade-offs. Microsoft has repeatedly shown us what their design priorities are, and the fact that Microsoft products are ubiquitous doesn't mean that some competing OSes are not inherently easier to secure.

    --
    Read the EFF's Fair Use FAQ
  20. Re:Does this affect the mac version as well? by sjonke · · Score: 2, Informative

    It does not affect the Mac version. In any case you might consider trying Firefox when you find a site that doesn't work in Safari (or whatever browser you are using primarily). Often it will work fine in Firefox. I prefer Safari, but if a site doesn't work in it, it doesn't work in it and that's when I try Firefox. I haven't had to use IE for Mac in a long, long time.

    --
    --- What?
  21. Re:Obligatory FireFox Boosterism by mlefevre · · Score: 4, Informative

    But is it actually an exploit?

    He starts off by saying the cache folder is known - actually the folder name has random characters (last 3 in Firefox, first 8 in Mozilla), so that's not true - you have at best a 1 in 17000 of guessing it.

    Then he talks about the user opening file:// URLs - what would cause the user to do that? If you have to tell the user "please type this URL into your address bar", that's not much of an exploit. Links to file:// URLs from http:// URLs don't work.

    And as someone else pointed out, the script running in a page from a file:// URL has pretty much the same permissions as a script running in a remote page anyway - there is no "local zone" concept in Mozilla/Firefox.

    Certainly sounds like there may be a bug or two described there, but I don't see an exploit.

  22. So I hate to have to do this. Really. by GMFTatsujin · · Score: 4, Informative

    There's already a lot of discussion going on about "use Mozilla/Firefox/Safari/Lynx/whatever", so I won't rehash that here. If you can pull it off in your environment, great.

    There are a lot of environments, however, where switching from IE just isn't an immediate option. In the future, perhaps, but worm writers and virus scripters won't wait. So here's my advice, my hope, and my PLEA to all you I.T. guys out there.

    No matter how much you hate IE, please, for the love of God, get your users to UPDATE THEIR SYSTEMS WITH THE PATCHES. Even if they don't use IE.

    We can all save ourselves and each other a hell of a lot of hassle by taking Microsoft's efforts to patch their product as what it is: an effort (however feebly-, politically-, or economically minded) to secure their product. The viruses and worms generally aren't harmful to the user--it's all the network traffic that infected machines produce that is the major headache. Spam, pingfloods, DDoS, it all targets other services and the infrastructure on which we all depend. Be neighborly on the Internet, and make sure you've got your systems are secure as they can be, even if they're not the systems you'd prefer to run.

    Switch browsers, yes. If it makes sense for you and you can do it, go for it. But don't let everyone on your site get infected in the meantime. Remember that the the majority of viruses and attack exploits out there in the past months have been proactively counteracted by Microsoft patches.

    Infections are caused by morons who don't patch. DON'T LET YOUR USERS BE MORONS (to the extent that this is possible).

    Thanks,
    The Internet

  23. Re:An Aura of Joy by onkelonkel · · Score: 2, Informative

    "Schadenfreude"

    The word you are looking for does not exist in English, but in German they say Schadenfreude. It is a sort of malicious glee at the misfortunes of others. It can also contain an element of "I told you so".

    --
    None of them can see the clouds; The polished wings don't care.
  24. Here's something that bites... by taradfong · · Score: 3, Informative

    Ok, after messing with the probably intentionally vague security settings, I have discovered that it is impossible to disable Active Scripting and yet leave JavaScript enabled. Same deal with ActiveX and Plugins (Flash being one of them).

    Since most sites use at least some amount of Javascript and Flash (e.g. gmail), you're left with these choices...

    * Turn off all scripting
    * Take your chances with Microsoft's flaws
    * Deal with the annoying 'prompt' for just about every page
    * Manually configure the pages you want as trusted sites

    Boy, I wish there was a selection that said...

    "Disable all Microsoft(R) Web Technologies"

    ...but I guess that's a bit too much to ask for.

    --
    Does it hurt to hear them lying? Was this the only world you had?
  25. Re:No Surprise by SheepHead · · Score: 3, Informative
    I don't know if these things are exactly what you mean, but I read some things along this line before and did some searching to find them again.

    There's the Mozilla ActiveX Control which sounded like the thing to run ActiveX in Mozilla, but it's really a thing to control Mozilla with ActiveX.

    And there's this IEPatcher thing which seems to already be able to patch an IE-using program to use Mozilla. Proceed at your own risk, of course.

    I agree that an official Mozilla open source drop-in DLL would be nice, but I just wanted to point out that it looks like some people are working towards what you suggest.

    --
    7d9e63e9501751ff4bf9307989d5623d *SheepHead
  26. Re:IE is NOT a web browser by Dimensio · · Score: 2, Informative

    1. Standard apps (such as palm hotsynch) and many games don't work properly as non-root

    For games that "require" Administrator access, I just use a no-CD crack. The only reason that games ever require Administrator-level privledges is for incredibly poorly-designed CD-checking systems (and as there are CD-checking systems that don't require Administrative access, like that used with Unreal Tournament 2004, there is absolutely no excuse for it anymore).

    I don't know about Palm sync, but my boyfriend uses a Palm and he's something of a Windows 2000/XP security nut. I'll ask him, because he's very big on not running as Administrator unless absolutely necessary.

    2. I don't want to have switch user each time I need to do an administrator-level activity -- particlulary since brain-dead windoze takes a minute or more to do this even on a fast machine.

    Solution: right-click on icon, choose "Run As". If "Run As" does not appear, hold "Shift" and right-click, and it should appear. I run Windows Update while logged in via my standard user account (Power Users group) through this method.

    --
    STOP MISUSING APOSTROPHES, YOU MORONS!!!
  27. The Palm hotsync solution by Dimensio · · Score: 5, Informative

    I just called my boyfriend and asked.

    The solution for Palm hotsync:

    Give the user Administrative-level access.

    Install the Palm software.

    Explicitly grant the user access to the installed Palm files in Program Files (rather than doing it via Group access).

    Remove the user from the Administrators group.

    Voila. Palm hotsync works without Admin rights. The temporary Administrator rights are needed so that the installer can create certain user-specific registry keys. Another way to do it is to install it under an Administrator's account and then export/import the reg keys, but my boyfriend reports that temporarily setting up the user with Admin rights is overall easier.

    --
    STOP MISUSING APOSTROPHES, YOU MORONS!!!
  28. Re:"Trusted Computing" by Frizzle+Fry · · Score: 3, Informative

    In SP2, by default, the local machine zone actually has even less security priviledges than the internet zone. So injecting script into from the internet wouldn't create any elevation of priviledge. So in this case, yes, SP2 would keep you "super-safe" (as long as you didn't muck with the settings to turn the local machine zone back into a super-priviledged zone like it was in the past).

    --
    I'd rather be lucky than good.
  29. Re:"Trusted Sites"... by gregarican · · Score: 2, Informative

    By any chance do you have a newer Dell? I know newer ones came bundled with AOL software already installed on them with this URL in the Trusted Sites list.

  30. Re:Built one of these, have you? by Cromac · · Score: 4, Informative

    3 or 4 years ago when I worked on the IE team there were nearly 400 people total on the team. That included devs, testers and program managers and various other levels of management. I don't remember how many where actually developers but 100+ wouldn't surprise me.

  31. Fasten seatbelts? by Lispy · · Score: 2, Informative

    I'd rather say "Grab your popcorn!" ;-)
    Honestly, anyone who is still using IE on Windows can't be in his/her right mind.

  32. Re:IE is NOT a web browser by lamename · · Score: 2, Informative

    Sorry, but he said eVC++ 4.0. This is eMbedded Visual C++ 4.0 for Pocket PC/Windows Mobile development and it is the latest version for that platform.

  33. Re:Give IE some credit... by CodeBuster · · Score: 2, Informative

    A "trusted source" would have an X509 Code Signing Certificate signed with the private key of a known third party verification service such as VeriSign or Thawte. Thus, the author of the ActiveX control is verified by public key cryptography. Now, whether or not you want to trust OptInRealBig LLC of Buffalo, New York is up to you, but at least you would know that ActiveX control comes from OptInRealBig LLC of Buffalo, New York. code signing authorities, such as VeriSign and Thawte, will not issue a code signing certificate without legal proof of identity. In the example case they would verify that the corporation exists by checking with the state's records and that the person making the request is a registered officer of the corporation in question. The company that I work for had to get one recently and we had to pay a fee of several hundred dollars and jump through many hoops to get it (obviously designed to discourage the average miscreant). I hope that this answers your question.