Slashdot Mirror
4 New "Extremely Critical" IE Vulnerabilities
TopherTG writes "Buckle your seat belts folks. On what is looking to be the next Black Tuesday, with rumors of 9 new Windows security patches being released, Secunia is reporting on 4 new vulnerabilities in IE that allow for arbitrary code execution and placing content over other windows. Combined with the new Windows patches, it is likely more Download.Ject and Sasser like viruses will be emerging in the coming months."
Solution:
Disable Active Scripting.
Use another product.
Get Firefox!
... all the antivirus companies like Symantec, Sophos, etc. just start classifying IE as a virus. Get rid of IE and most of these viruses/worms will have nowhere to go.
Obviously anyone who hasn't made all their Windows 'friends' switch to FireFox needs to do so now. Just point them to the download site and send them this article, which nicely explains the benefits of FireFox, and why you have nothing to lose by trying it:
http://slate.msn.com/id/2103152
This is seriously gotten rediculous. This is a web browser. It's not the most complicated thing in the world.
Not everything is analogous to cars. Car analogies rarely work.
Won't disabling active scripting disable windowsupdate? How then are the OSs supposed to stay up to date?
Not everything is analogous to cars. Car analogies rarely work.
[sarcasm]Secunia tells us that OS X, OpenBSD, and Linux are a cracker's dream compared to Windows! They have the statistics to prove it![/sarcasm]
52 Weeks, 52 Religions with John Hummel
"An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta). This issue could not be confirmed on a fully patched Windows XP SP1 system."
Damned either way. Run Mozilla, if you aren't already.
At this point you really have to be a 100% Grade-A idiot to run IE.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
If people running windows were not so used to running as admin, this would not be a fundemental problem. If Windows was more friendly to being used as a multi user system, then only the os would be the bottleneck (although still a significant one) in making a system secure. I mean, running a browser should be a fairly secure activity, after all, it is such a basic part of every day computer use.
ASP.NET in and of itself does not require IE. I develop ASP.NET apps using Mozilla as the primary browser. Sure there are ways to capitalize on IE but it is by no means a requirement unless you choose to make it one.
Dissolve... Resolve... Evolve...
Built one of these, have you? Do tell, do tell.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
We've been hearing about these vulnerabilities for a while. I for one have switched to using Firefox and Safari for my main browsers as soon as Safari was launched. I use IE only when I come across sites (why can't developers follow the standards that have been set by W3C?) that were coded specifically for IE and don't render properly in the other browsers. Many people in my circle, and in the Slashdot circle have been doing the same thing. But what about the masses? What about the average Joe, the average corporate user? I don't think these people understand the severity of the situation here or that they even care. Hence, we still have roughly 90% of the users out there just moving along with these secure-as-swiss-cheese browsers and not moving to more secure solutions. What major industry, company, government agency, etc has to go down in a giant ball of fire to get people to do something about this and not continue to use a sub-standard product?
Just imagine if cars were sold with this many problems. Or home security systems...
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
because thousands of very large companies (you know, the ones which actually pay for symantec software?) standardised all of their internal applications on IE -- basically meaning they invested millions (billions?) of dollars writing internal web applications which work in IE but no other web browsers. a huge mistake, yes, but you're talking about re-write work on the order of a hundred or so million dollars.
MORTAR COMBAT!
There are no windows in the basement.
Only GNU/Linux can be installed on computers in basements???
I'm not quite sure how this is, but our collective websites run on our server generate around 2 million hits per month, and i would have to say that about 97-98% of them use IE.
I've had the worst time being the only Linux guy in the office, and my cries have not completely fallen on deaf ears, as 2 of my co-workers have installed Firefox recently. But when i can talk to someone for less than 5 minutes about the pros and cons of Mozilla and open source browsing vs. IE, most of them nearly start sobbing with all their troubles.
People daily complain to me about the bot problems or spyware issues that they have. I was sympathetic and helpful for a time. But now I wanly smile and say "mozilla.org/firefox" and walk away. Those super-cool guys with browser problems can kiss my ass until they start listening to me, and the rest of the world.
Read the only personal Runyon page out there.
What's sad is that Internet Explorer 6 was released about two and a half years ago, has had no new features added, and they still haven't finished fixing it.
Sarcasm aside here, to you or I, that would be fantastic, but that is a tactic that would be as sinister to resort to as the initial IE monopolization of the browser market. Ideally, we need absolute standardization, and with that we could have absolute compatibility. For those lost souls who "prefer" IE (those who have not been out from under the wool that MS/IE has pulled over their eyes) there still needs to be compatibility. It is then up to the users to deal with the risk they take in using an insecure browser.
sigSEGV - doy!
The management isn't telling these guys "Write me a buffer overflow, STAT!!"
If they can't code good software, that's their own damned fault and I don't feel bad for them.
- It's not the Macs I hate. It's Digg users. -
I know, but I never trust the client, especially if it's IE.
Dissolve... Resolve... Evolve...
You know, for some reason, I feel bad for the IE Developers, who are probably a bunch of well meaning people that are hampered by upper-management decisions.
No, they are idiots. Remember that simple BMP image buffer over-flow found when the leak of the Windows Source code ?
That has nothing to do with upper-management decisions. More like Microsoft's human resources problem of hiring people from good colleges who lack real programming experience.
Sunny Dubey
Glad to know that Microsoft's human resources department isn't influenced by upper-management decisions...
"How to Do Nothing," kids activities, back in print!
Bullshit. You do what you are paid to do. In the end, it's the company's reputation and money at stake, so they get to make the calls. _ethically_, you should warn them of the issues, but if they then decide to go ahead... it's their decision.
"Faith: Belief without evidence in what is told by one who speaks without knowledge, of things without parallel." - A.B.
IE is the interface between the user and the Windows OS. It just happens to also act as a web browser. That's what they mean when they say it is integrated as part of Windows.
Now, taking the software that is responsible for interfacing with the OS and making it your default tool for interacting with the outside world was just plain stupid -- a marketing/legal department move to skirt the ruling that they couldn't bundle IE with Windows. Once done, however, almost any problem with IE becomes a root exploit. Surfing with IE makes this problem go from some risk to extreme risk. The only way to avoid this kind of escalation is to separate web broswer from OS interface: something MS doesn't want to do since then they are back to the bundling problem.
Life is short: void the warranty.
Actually, I'm afraid that SP2 will release on schedule because it's necessary to patch the earlier holes... That means that SP3 won't release for at least a month (development, testing, RC, etc) so the script kiddies have a huge window (ack, no pun intended) of time to play their games. I almost feel sorry for the IT staff responsible for large Windows installs...
would swiss cheeze have less holes if it were less popular? If Mozilla gains more support, then I would think that more programmers would be willing to look into bugs and make other contributions. If IE gains more support, what does Microsoft care? You can't do anything about it anyway. And that it seems to me, would be the difference - aside to that whole "integrated into the Operating System" flaw that IE has.
"How long is it going to be before some big mainstream press picks these recursive stories up and starts recommending people try another web browser?"
How come you guys are just sitting on your hands hoping the media picks it up instead of pooling your money together and getting a commercial on TV?
"Derp de derp."
sorry but this was fixed in firefox and mozilla a while ago. Opera was also fixed recently.
Join Team Mozilla #38050 Folding@home
IE works, it does some things well. Anyone who remembers many of my posts over the years knows I'm no fan of Microsoft, but their browser does work. Effectively it's not the browser that's broken, but their implementation and bundling. Where Mozilla or Opera are stand alone applications, IE has links directly into the OS which make the vulnerabilities. If Microsoft had simply played by the same rules everyone else had to, there would have been far fewer problems for them and far fewer embarassments for them.
When competitors and gadflies all pissed and moaned about Microsoft playing unfairly with this bundling strategy, which most of their non-directly-Operating-System software is built following, it wasn't the DoJ or courts that should have been listening, but Microsoft themselves.
Perhaps there should be a Darwin Awards for software, awarded to those companies which continually hoist themselves by their own petard.
A feeling of having made the same mistake before: Deja Foobar
Can someone explain to me how an IE vulnerability can lead to a Sasser like virus? I thought Sasser was a worm that spread automatically through open ports of unpatched Windows machines, whereas IE vulnerabilities seem to have to be user initiated.
Microsoft Delays Windows XP Service Pack 2
Posted by simoniker on Monday July 12, @05:02PM
MSN, Word Vulnerable To Shell: URI Exploit
Posted by timothy on Monday July 12, @07:42PM
4 New "Extremely Critical" IE Vulnerabilities
Posted by CmdrTaco on Tuesday July 13, @11:45AM
Microsoft Expects 1 Billion Windows Users by 2010
Posted by CmdrTaco on Tuesday July 13, @08:14AM
Is MS trying to be funny or something? Honestly, I really think you have to try to mess-up this badly this many times in such a short period of time... I can't believe a mainstream revolution leaving MS products isn't occuring...
When are the masses going to learn?
That's why IT management, starting from the top down, needs to plan better.
There is nothing revolutionary, even using ActiveX, that can be done in IE that cannot be done by other means with non-IE browsers.
The only significant benefit to doing IE-only development is the streamlined development tools.
This reminds me of a story I heard as a kid... The Three Little Pigs. Sure you can build a straw house quickly, but is it a long-term solution?
.sigs are for post^Hers.
The masses won't change becuase these articles are only read by us techies. Even when it is on CNN.com, it is buried in the technology section; where only techies go anyway. Put it on the front page headlines of CNN or USAToday already...
Any complicated piece of software is bound to have some flaws, but the "dur.... let's have our web browser be able to run a 'format c:' from HTML tags! That's a great feature!" attitude at MS isn't helping their security woes. Apple and the Mozilla Foundation, on the other hand, seem to be taking security seriously, which probably means that, even had they the 95% market share, it's likely they would still have fewer viruses and security exploits.
So you're comparing Mozilla users' claims to better security to Apple users' claims is perhaps appropriate. However, implying that either of these claims are false is jumping the gun a bit.
Its the new browser wars, but this time its not about who looks the best its about who can manage to take the simple thing that is HTML, and turn it into the most deadly virus-pushing force known to computers. I think IE is definately in the lead on this, Mozilla did have a little lead with their shell bug but then we learnt the shocking news that they had stolen the technology from windows! now IE is back in its rightful lead and on its way into victory. And lets not forget IE's secret weapon: the ability to flood the screen with pop-ups at a moments notice, really how anyone could live without pop-ups is just beyond me.
This comment does not represent the views or opinions of the user.
Imagine Microsoft releasing patches any day of the week/month, with no warning. Several times a month. Imagine yourself running around to each machine patching it, sitting down, and doing it all over again when a new patch comes out.
Now imagine Microsoft adopting a policy of releasing patches on a known day of the month. Imagine coming up with a corporate plan to handle those patches on a predetermined schedule.
You decide which is better.
While the sitting on the hands question is a fair one, the proper answer is not a commercial - you'll never raise enough money to reach more than a thousand or tens of thousands of people - but media "scandal seeding".
1) Write one or more versions of a news story (many, many stories in the media are dropped in essentially as they were delivered to the media). Hopefully this includes a "human interest angle", like Grandma Sally being redirected goatse.cx or giving up her CC number to ch.ase.com. Use only a minimal of substantive or technical details to avoid people who don't want to think through them. Yes, this is doing reporters' work for them, but that's how you get stuff in circulation when you're outside the loop.
2) Call (email might work, but probably not as well) the editors of Style/Living/Consumer Affairs pages of newspapers and TV stations and pitch em the story. Again, this is reporter work, but it gets the story in the news.
3) Lather, rinse, repeat. Fan the flames by providing more juicy details with human interest angles - disgruntled MS employee, evidence that problem is far wider than acknowledge "they don't want to you to know this...", speculations about apocalyptic collapses of the economy. Involve porn to feed the public's prurient side. Modify the story a bit for consumption by other stations/papers/etc as it evolves.
This is how most political scandals evolve - someone plants the story and fans the flames for a week or two in the public gets tired of it. To do real damage, you sync the stories with lulls in other news and cycles of public mood.
"Exploit yes, root exploit, no, not unless the user is running as an Administrator. IE still runs at the privileges of the logged on user."
the sad truth is that no one I know has folks set up as "Users" or "Limited Accounts" unless its a guest account. Also, any new computers that are purchased end up with XP asking for a person's name to set up an account. This account is always an account in the administrators group. 99% of XP users use this account at their primary, not understanding the difference.
In addition, those that do set up limited accounts many times discover that [insert pre-XP software package here] doesn't work with Limited accounts so they revert back, or they use the Power User account which is almost as bad as administrator.
Damned if you do, damned if you don't.
(a) folks
Is the juice worth the sqeeze?
>I suggest that you do something similar.
As a Canadian, why would my family care what the American Dept of Homeland Security says?
And just to add something, I did suggest it to them sometime ago.
Then the exploit for Mozilla came out, now they are asking me why they went through all the trouble of changing browsers.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
Black Tuesday denotes the crash of the U.S. stock market in 1929 that started the Great Depression. There was a recession in the late 80s, but it was far from a depression.
How many more years of baseless stupidity of open security holes must we endear?
How much longer is security through obsurity going to carry a clueless monopoly to its demise.
Patience has its virtue. But for the end-user, only fools would get lucky. Not this time, Bill.
I'm sticking with Firefox/Mozilla. Mozilla
Thank you open-source for opening my eyes to a better software through open-colloberation and open-cooperation. You've shatter my belief that corporation can fix after themselves.
Instead, we see tons of industries built upon MS insecurities.
Time to experience another industry bubble-burst, this time in the security sector, not I&T.
Also, w3m is a text browser with image support (no idea how, but it works)
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
I hate runas, its nothing like su or sudo. Quick rant here, oracle installed with permissions so that only Admin could access the dir. I couldn't change it. Tried to do as I would in KDE and do:
runasto pop open an Admin explorer shell to change the permissions on the dir. Just doesn't work. Command ran and nothing happened. In KDE its just a simple
su root -c konqueror
or for mesudo konqueror
or even ALT+F2, konqueror, "run as different user: root" and enter the password. Had to close everything I was working on (this is my work computer with ssh sessions, code files, and RDP sessions open), log out and log back in as Admin just to simply add my user to the list of allowed users. User-Friendly my assC Pungent
> Now imagine Microsoft adopting a policy of releasing patches on a known day of the month. Imagine coming up with a corporate plan to handle those patches on a predetermined schedule.
> You decide which is better.
That depends on your goal..
If yoru goal is to get as many patches installed in as little time as possible, the planning oppertunities that MS gives are very nice..
When you are just interested in keeping your machines secure, and somehow you must run windows on them, then this policy is simply unusable since it will leave a much larger timeframe for exploitation.
Your boss may be interested in statistics when thigns work, but will still get pissed off about that one major security compromise regardless of those statistics.
To wit -- Here's a little history lesson on why you're wrong. And when Linux starts to get the number and volume of enterprise-level applications that Windows has, these types of history lessons will prove useful. But don't just take the easy way out and say "Yeah Windows sucks" and not try to learn about the mistakes that might just be made again without some perspective.
UNIX has had a clean and simple separation between administrator and user privileges since the 1970's, and Linux uses the same mechanisms. UNIX and Linux have faced the most formidable opponent trying to break down that barrier over decades: the college student, who can spend hours a day trying to break into university systems. And they did. And UNIX developers fixed the bugs and adapted the security models.
The people who need a history lesson are Microsoft developers. They just started hacking some time in the 1980's, giving a damn about security or any of the other hard stuff. That kind of ignorance got hardcoded into Windows APIs, libraries, documentation, coding styles, frameworks, and instructional materials. That's why most third party developers for Windows put files all over the place and don't pay any attention to security either.
It's not surprising Microsoft and Microsoft developers managed to grind out popular GUI apps quickly--they cut corners on all the hard stuff and didn't even know it. The UNIX nerds at the same time were saying "this isn't the right way of doing it": they were looking 10-20 years down the road with the experience they already had, but because they were thinking long-term, Microsoft beat them on time to market and price. That's why Windows, and not UNIX, rules the desktop today. But ignorance and backwards-compatibility issues are catching up with Microsoft, and it seems quite likely to me that their fall is going to be just as spectacular as their rise.
You post has made me wonder: at what point does something stop becoming a vulnerability and just complete user stupidity? For instance, in IE you can have it ask if it should run an ActiveX on any given webpage, but with a user like the one you mentioned that doesn't seem to stop and make him think if a certain webpage really needs to use ActiveX scripting. Now whose fault should that be? Microsoft's? or the users? I think in fairness here I should note that Mozilla/Firefox's XPI interface could be used in a similar way to have "viruses" or harmful code installed simply because the user clicked yes.
I think that if I was to create boxed sets of viruses or harmful applications that simply wipe out a users data, stick them on store shelves, and give them an appealing slogan on the box, eventually some user would install that package on their computer. Now, can that be considered a hole in the os? I should think not, afterall the user intentionally installed the software. I think a similar argument can be made about ActiveX or XPI, just that these systems make it overly easy to get someone else's code running on your system. After all, that was what they were designed to do in the first place.
Once a program has warning windows telling the user to make sure they really want to run the code that the website has presented the program has done all it can to make sure only legit code is run. Now, I don't like ActiveX and think it is a large vulnerability but I think that at some point you really have to blame the user.
One thing MS needs to do is provide a warning that ActiveX (and other technologies) is about to be used the default setting (I like the way the XPI warning box in Firefox works). However, even if MS used a warning like this: "Warning! Clicking yes may seriously jepordize your computer and all the information on it!" people would still probably click yes without thinking, especially if they visit trused sites that use a lot of ActiveX.
I think at this point we should blame the user. After all, they are the one who is supposed to be in controll, the one telling the computer what to do. They should also be held accountable of making decisions that are healthy for the computer. I mean the human is infinetly more intelligent than the computer, so why should the computer be the one trying to think for the human? However, the sad truth is that most users are just not educated enough to make good desicions for themselves and their computers.
SIGFAULT
I'm going to try very hard not to be mean. Seriously, did you (and everyone else who replied to the challenge to list one thing IE does better) not realize what you're saying???
These are IE-specific things!!! You're comparing apples and oranges. The only sane response is probably drag-n-drop bookmarks. Not IE-only CSS hacks! Look at it this way:
Seriously, that's what it sounds like. Next you'll say that IE is better because of Active-X. Who gives a shit if IE has some IE-only, embrace and extend version of CSS? That's not the mark of a better browser, that's MS using their market dominace to screw with standards just enough to lock-out competitors. I'm open to "participating in a creative discussion", but be creative.
Considering the source of the study, I'll pass on comment. I think this says enough.
Imagine Microsoft making software that is so full of security holes that they are forced to release patches several times a month, every month.
Now imagine Microsoft making products that are more manageable and secure from the start, so that releasing more than one patch per quarter is an extremely rare occurance, and updating is a simple procedure that only requires rebooting your server if you're updating the core of the operating system.
You decide which is better.
OK, for what ever reason, you can't switch all your users to a mozilla based browser for politics or whatever reason. but YOU should switch as should anyone with domain admin rights.
Asumming you have some control, your users have "user" rights. But YOU have "Admininstrator" rights too all \\workstations & \\servers...
All it would take is YOU clicking on the wrong link and bye-bye domain.
(as if your ego would allow you to assign yourself a meager 'user' account.)