Slashdot Mirror

← Back to Stories (view on slashdot.org)

4 New "Extremely Critical" IE Vulnerabilities

Posted by CmdrTaco on from the are-you-ready-for-fun-and-excitement dept.

TopherTG writes "Buckle your seat belts folks. On what is looking to be the next Black Tuesday, with rumors of 9 new Windows security patches being released, Secunia is reporting on 4 new vulnerabilities in IE that allow for arbitrary code execution and placing content over other windows. Combined with the new Windows patches, it is likely more Download.Ject and Sasser like viruses will be emerging in the coming months."

13 of 1,081 comments (clear)

  1. Re:Black Tuesday? wth? by cuzality · · Score: 5, Informative

    First hit on Google:

    http://mutualfunds.about.com/cs/1929marketcrash/a/ black_tuesday.htm

    "Black Tuesday is notorious for being the worst day in the U.S. stock market"...

    You didn't even try, did you?

  2. Re:Black Tuesday? wth? by Thrakkerzog · · Score: 4, Informative

    The day the stock market crashed in 1929, beginning the great depression.

  3. Re:At what point... by Short+Circuit · · Score: 4, Informative

    AOL has, in the past, been both Netscape and Internet Explorer based. Not sure which one it is currently, though.

    --
    tasks(723) drafts(105) languages(484) examples(29106)
  4. Re:IE SP2 RC2 is not vulnerable by mopslik · · Score: 4, Informative

    Internet Explorer in Windows XP SP2 Releae candidate is not vulnerable to any of these exploits.

    *ahem*

    An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta).

  5. W3schools isn't indicative of the entire web by friedegg · · Score: 5, Informative

    It's skewed highly towards the web developers/more technically inclined, BUT the fact that non-IE browsers are doing so well there is a GREAT sign, as it means web designers are moving away from IE.

    If you want a better general representation of the web, Google's Zeitgeist web browsers graph (from May) is a better place to look. If you zoom in, you do see that the Mozilla based browsers are slowly gaining.

    --
    Google doesn't index user sigs, so stop trying to "Google Bomb" with them.
  6. Re:At what point... by mirko · · Score: 5, Informative

    It's an MSIE5/6 which also support shell: URLs :)

    --
    Trolling using another account since 2005.
  7. Re:Solution: by JimDabell · · Score: 5, Informative

    Put the Windows Update site into the "local sites" zone or whatever Internet Explorer calls it. Set the "local sites" security to the same as the Internet zone, and then switch Active Scripting off in the Internet zone.

    This effectively emulates the domain-specific Javascript settings in other browsers.

  8. IE bugs and phishing by phatwuss · · Score: 4, Informative

    The fourth vulnerability (createPopup) has already been exploited in phishing scams for some time now. Initial reports of the exploit only started coming in a couple months ago, even the vulnerability has existed since IE 5.5.

    Scammers use it to mask the address bar and/or other browser widgets (such as the secure icon). This exploit is particularly dangerous because it can be used to mask/disguise any part of the user's screen, including other windows or even the start menu.

    I submitted it to slashdot over a month ago, but it was never greenlighted. I guess these IE vulnerabilities are so commonplace it takes several at once to make the main page...

    --
    web design experiments
  9. Re:Alternative Browser Security Question... by thelexx · · Score: 4, Informative

    Marketshare is largely irrelevant. See Apache vs IIS.

    --
    "Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
  10. Re:Obligatory FireFox Boosterism by mlefevre · · Score: 4, Informative

    But is it actually an exploit?

    He starts off by saying the cache folder is known - actually the folder name has random characters (last 3 in Firefox, first 8 in Mozilla), so that's not true - you have at best a 1 in 17000 of guessing it.

    Then he talks about the user opening file:// URLs - what would cause the user to do that? If you have to tell the user "please type this URL into your address bar", that's not much of an exploit. Links to file:// URLs from http:// URLs don't work.

    And as someone else pointed out, the script running in a page from a file:// URL has pretty much the same permissions as a script running in a remote page anyway - there is no "local zone" concept in Mozilla/Firefox.

    Certainly sounds like there may be a bug or two described there, but I don't see an exploit.

  11. So I hate to have to do this. Really. by GMFTatsujin · · Score: 4, Informative

    There's already a lot of discussion going on about "use Mozilla/Firefox/Safari/Lynx/whatever", so I won't rehash that here. If you can pull it off in your environment, great.

    There are a lot of environments, however, where switching from IE just isn't an immediate option. In the future, perhaps, but worm writers and virus scripters won't wait. So here's my advice, my hope, and my PLEA to all you I.T. guys out there.

    No matter how much you hate IE, please, for the love of God, get your users to UPDATE THEIR SYSTEMS WITH THE PATCHES. Even if they don't use IE.

    We can all save ourselves and each other a hell of a lot of hassle by taking Microsoft's efforts to patch their product as what it is: an effort (however feebly-, politically-, or economically minded) to secure their product. The viruses and worms generally aren't harmful to the user--it's all the network traffic that infected machines produce that is the major headache. Spam, pingfloods, DDoS, it all targets other services and the infrastructure on which we all depend. Be neighborly on the Internet, and make sure you've got your systems are secure as they can be, even if they're not the systems you'd prefer to run.

    Switch browsers, yes. If it makes sense for you and you can do it, go for it. But don't let everyone on your site get infected in the meantime. Remember that the the majority of viruses and attack exploits out there in the past months have been proactively counteracted by Microsoft patches.

    Infections are caused by morons who don't patch. DON'T LET YOUR USERS BE MORONS (to the extent that this is possible).

    Thanks,
    The Internet

  12. The Palm hotsync solution by Dimensio · · Score: 5, Informative

    I just called my boyfriend and asked.

    The solution for Palm hotsync:

    Give the user Administrative-level access.

    Install the Palm software.

    Explicitly grant the user access to the installed Palm files in Program Files (rather than doing it via Group access).

    Remove the user from the Administrators group.

    Voila. Palm hotsync works without Admin rights. The temporary Administrator rights are needed so that the installer can create certain user-specific registry keys. Another way to do it is to install it under an Administrator's account and then export/import the reg keys, but my boyfriend reports that temporarily setting up the user with Admin rights is overall easier.

    --
    STOP MISUSING APOSTROPHES, YOU MORONS!!!
  13. Re:Built one of these, have you? by Cromac · · Score: 4, Informative

    3 or 4 years ago when I worked on the IE team there were nearly 400 people total on the team. That included devs, testers and program managers and various other levels of management. I don't remember how many where actually developers but 100+ wouldn't surprise me.