4 New "Extremely Critical" IE Vulnerabilities
TopherTG writes "Buckle your seat belts folks. On what is looking to be the next Black Tuesday, with rumors of 9 new Windows security patches being released, Secunia is reporting on 4 new vulnerabilities in IE that allow for arbitrary code execution and placing content over other windows. Combined with the new Windows patches, it is likely more Download.Ject and Sasser like viruses will be emerging in the coming months."
An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta). This issue could not be confirmed on a fully patched Windows XP SP1 system.
So SP2, which is supposed to make Windows super-safe (even at the expense of backwards compatibility in some cases), may have actually introduced an IE bug.
How long is it going to be before some big mainstream press picks these recursive stories up and starts recommending people try another web browser?
And is there anything we can do to get this in the press?
You know, for some reason, I feel bad for the IE Developers, who are probably a bunch of well meaning people that are hampered by upper-management decisions.
This is not something you want to wake up to as a developer, whether it's proprietary or open source. It's just that they can't make decisions based on solving the problem alone, they have so much red tape to go through to make changes, that even though they might want to solve this problem, someone on the top is making it difficult.
Jason Lotito
Yes, I know Mozilla/Firefox is better and I use it regularly. However, I have to develop applications in ASP.net, so basically Internet Explorer is mandated for this application (granted, Windows runs the majority of desktops here). Why can't Microsoft just build code that is at least semi-secure, puhleeeeaaaaassseee... maybe it's time to pitch for a full-out work switch to Mozilla/Open Source. Especially when it's a new vulnerability (or multiple vulnerabilities) once a week. *sigh*
Ok I'm through crying now Microsoft hear my pleas....
...in bed
This is absolutely no surprise, and seems at this point almost un-newsworthy. There are so many holes in the virtual screen door that we call IE, it's becoming moot to mention them. Why not solve the problem at its base, and switch to Mozilla? I am director of IT at the company that I work for, and we all use Mozilla now, and I feel a lot better about this. I am waiting for 2 things though:
1. IE to not be a part of the actual operating system (not going to happen, they've already committed)
and
2. Web developers to write code that is compatible with all browsers (i.e. not written just for IE, such that if another browser is noticed, service is rendered unusable).
When this happens, I will be pleased.... until then, I guess we're going to be fighting off more exploits than one can shake a stick at.
Yes, Microsoft gets attacked because they're the biggest target. No, I don't buy the argument that all OSes are inherently just as secure or insecure as other OSes. Just compare Windows 98 to Windows XP, or OpenBSD to Windows ME. All OSes are not the same, and marketshare is not the only factor.
IE is lacking in functionality compared to Mozilla, and the MS development cycle is inadequate to respond to this type of problem, IMO--but the only way to stop the malware is to stop the malware authors. Bounties work, but to really stop them, we would have to sacrifice a lot of privacy which the internet still (sort of) affords.
It has never been Netscape based - despite AOL owning Netscape.
Netscape 4.x and older wasn't modular enough to embed in their client.
The Mac OS X version does use the Gecko rendering engine (which ain't 'Netscape' it's just the rendering engine) and Compuserve also uses Gecko.
But AOL has been IE based since they moved away from their own browser.
to consider any that isn't an MS product. He is a staunch Redmond supporter, won't even concede the importance of Unix/Linux/Mac ever, as if they never existed. I have been hitting him with links from these stories for almost a year straight; he just called, wants me to start having our desktop guys install FireFox on his desktops next week. Chalk up one more for the good guys...
I have a _very_ nontechnical friend. I recommended he install FireFox to get rid of popups. He did, and now HE is downloading it and installing it on all of his friends' machines!
I'm a fan of Microsoft. I like most of their products. I make a living off their development tools and platforms. I'm incredibly happy with Windows 2003 Server. I typically defend Microsoft whenever I get the chance.
But not when it comes to IE. It is fairly clear to me, and anybody else whose mind is not clouded with zealotry, that IE is the single best attack vector into the average personal computer. Nearly all PC users use IE for a significant portion of the day, and nearly all of those users have no idea that visiting a web site could be dangerous.
I stopped using IE about 6 months ago when a web page managed to install spyware on my machine. I was fully patched, but it happened anyway. If it weren't for McAfee Antivirus, I never would have known. I've been using FireFox ever since.
Up until FireFox .8 (or so), IE was the better browser if you ignored security issues. But you can't ignore security issues. And now that FireFox is just as good (and better in many ways) than IE, I can't see any rational reason to continue to use IE.
So, there you have it. A diehard Microsoft fan dumping IE like a bad habit.
Here is an email that I sent to my family members, I suggest that you do something similar.
This will be the last email that you will receive from me about security holes in Internet Explorer. Microsoft is not able to release patches quickly enough to secure Internet Explorer. The U.S. Department of Homeland Security now recommends that if users are unable to patch the security holes in Internet Explorer that they use another browser. Please switch to the latest version of Mozilla web browser. You can find this web browser at http://www.mozilla.org/
http://secunia.com/advisories/12048/
Andrew
I'd like to get my hands on an exploit that installs Firefox, with the IE theme, and then replaces all desktop and startmenu shortcuts with a pointer to Firefox. Also changes the default browser.
Anyone know of one? The terms are too generic for a quick google.
Sure, as Mozilla gains in popularity, viruses are going to increase, but there are a couple reasons why switching is still a good idea.
First off, as soon as an exploit is found, anyone can fix it. You don't have to wait for your manager to assign the task of developing a fix to you, develop it, send it to testing for a month of evaluation, then work with marketing to schedule its release. In most cases a fix will be out the next day.
There's also the fact that increased market share for competing browsers reduces the incentive for creating viruses, trojans, etc. Say I'm a spammer, crime lord, activist, script kiddie, what have you. If I can develop a program that will allow me to infect 95% of the world's PCs, well, that's pretty cool. But if Moz/Firefox has 23% market share, Opera pulls another 14%, Safari/Konqueror back that up with 17%, and others grab 6%, that 95% of PCs I could infect by developing an IE exploit drops to 40%. The incentive is nowhere near as great. Security through obscurity is a beautiful thing.
Like Windows users everywhere who use IE only for Windows Update, I went through the ritual of adding v5.windowsupdate.microsoft.com to my Trusted Sites list and disabling Active Scripting in my Internet Sites list today. This is a fresh[-ish] install of Windows XP SP2 RC2. I've never used trusted sites before on it. However, I noticed that there was already one entry in the list: https://free.aol.com Why was this? I don't use AOL- I don't even have it installed. I'm starting to sense some corporate brainwashing (and, a site that if cracked would give anybody full access to every copy of IE in SP2...). Has anybody else seen this?
For a while that security bugs in non-MS browsers just don't happen with the same frequency or degree. Bugs in non-MS browsers *occurred*, but they tended to be much more subtle bugs with lesser payloads, as opposed to MS, which tends to wind up with seemingly really obvious security holes with serious consequences on a regular basis. For every "untrusted site may gain read access to cookies belonging to another site by a contrived series of steps" in Mozilla there was an "execute arbitrary remote code by clicking a link" in MSIE, it seemed.
Then last week the shell: bug in Mozilla was reported, and I was humbled. Perhaps, I thought, perhaps Mozilla wasn't really all *that* much better than MSIE, and I was being silly by my stance that MSIE was an unsafe product and Moz was a safe product. Maybe, I thought, trusting any software vendor is just as silly as trusting Microsoft.
Then I see this news today and I don't feel so humble anymore.
One thing I found odd, though. I haven't done a close study or anything, but when the mozilla vulnerability was found last week, it was very widely reported. I saw it at least twice on news.google.com and I believe on cnn.com. But with these new IE vulnerabilities? Well, maybe it's just too soon, but cnn.com has nothing on this-- it does have a story "renewed calls for alternate browsers" which mentions in the second paragraph two IE bugs that MS fixed already-- and news.google.com has nothing. And n.g.c's top tech story?
Microsoft CEO Touts Security Push at Conference
Reuters - 55 minutes ago
SEATTLE (Reuters) - Microsoft Corp. MSFT.O is taking a big step toward boosting the security of its flagship Windows product in August with the release of a major software update, Chief Executive Steve Ballmer said on Tuesday.
I build boxes for people when I can be bothered, and one of the first things I do is install Mozilla, provide shortcuts on the desktop and Start Menu and tell them "Use Internet Explorer and I won't provide support"... my girlfriend's cousin started using IE because he found Iexplore.exe. I mean what the hell, when us techies are confronted by these kinds of morons who *hunt* for the damn program, what chance do we have? Suffice to say even with ZoneAlarm installed (he said yes to every connection in and outbound) he had a multitude of virii and a billion and a half spyware and toolbars... oh, I also installed AVG and AdAware too. Sheesh.
Lindows 2.0 "leaked"? a version of AOL for Linux that used Netscape
http://msnbc.msn.com/id/3078317/
A great many problems can be avoided simply by setting ActiveX controls to prompt for download, allow only ActiveX controls digitally signed by a trusted source to run (you can check the signature before you accept), and turn off active scripting. Yes, IE has problems, but in all fairness it probably has the dubious distinction of being the most analyzed, probed, and maliciously scrutinized software on the planet. Mod me down if you wish, but someone has to play devil's advocate.
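An added audit script, not from this thread, that ties together the Trusted Sites / Active Scripting ritual described earlier and the ActiveX settings in the post above: it parses a `reg export` of the IE zone keys, reports the Internet-zone action values, and flags any Trusted Sites entry that is not on an allowlist, which is how an unexpected entry like https://free.aol.com would be caught. It assumes the standard Internet Settings layout (Zones\N action ids 1200 and 1400, ZoneMap\Domains for site-to-zone mappings) and the sample export is constructed.

```python
import re

ZONE_NAMES = {0: "Local Machine", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
ACTIONS = {"1200": "Run ActiveX controls and plug-ins", "1400": "Active scripting"}  # action ids under Zones\N
SETTING = {0: "enable", 1: "prompt", 3: "disable"}  # meaning of each action's DWORD data
# Constructed sample of `reg export` output for the two keys involved (real exports are UTF-16LE text).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000001
"1400"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\v5.windowsupdate]
"http"=dword:00000002
"https"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aol.com\free]
"https"=dword:00000002
"""
def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: int for dword data, else str}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current, keys[line[1:-1]] = line[1:-1], {}
        elif current and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = int(data[6:], 16) if data.startswith("dword:") else data.strip('"')
    return keys
def zone_settings(keys):
    """{zone name: {action description: enable/prompt/disable}} for each Zones\\N key present."""
    out = {}
    for path, values in keys.items():
        if m := re.search(r"\\Internet Settings\\Zones\\(\d)$", path):
            out[ZONE_NAMES[int(m.group(1))]] = {ACTIONS[a]: SETTING[values[a]] for a in ACTIONS if a in values}
    return out
def zone_mappings(keys):
    """[(host, scheme, zone name)] from ZoneMap\\Domains\\<domain>[\\<subdomain>] keys."""
    out = []
    for path, values in keys.items():
        if m := re.search(r"\\ZoneMap\\Domains\\([^\\]+)(?:\\([^\\]+))?$", path):
            host = f"{m.group(2)}.{m.group(1)}" if m.group(2) else m.group(1)
            out += [(host, scheme, ZONE_NAMES[z]) for scheme, z in values.items()]
    return out
def audit(text, expected_trusted):
    """Report Internet-zone Active scripting left enabled and Trusted Sites entries outside the allowlist."""
    keys, findings = parse_reg(text), []
    if zone_settings(keys).get("Internet", {}).get("Active scripting") != "disable":
        findings.append("Internet zone: Active scripting is not disabled")
    for host, scheme, zone in zone_mappings(keys):
        if zone == "Trusted sites" and host not in expected_trusted:
            findings.append(f"Unexpected Trusted Sites entry: {scheme}://{host}")
    return findings
```

On a real machine, export the Internet Settings key with `reg export` and open the file with `encoding="utf-16"` before passing its text to `audit`.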
"explorer.exe" - 980 KB
I'm fairly certain "iexplore.exe" is just a stub that launches "explorer.exe" on Windows XP systems. I think the two were distinct back in the Windows 95 days, but now they launch basically the same code.
As a means of comparison, "firefox.exe" weighs in at 6.27MB on Windows, so it's fairly safe to assume that most of the Internet Explorer and Windows Explorer functionality is hidden away in miscellaneous libraries. (Like the ever-popular "mshtml.dll," which comes in at 2.66MB.)
As an example, I took the Explorer window I was using and checked the "About" dialog, it said "About Windows." I then entered "http://slashdot.org/" into the address bar, and rechecked the "About" dialog, and got "About Internet Explorer." I'm fairly certain that while there is an "iexplore.exe" file, all it does these days is launch "explorer.exe" with the options to make it act in "web browser" mode.
This one blew me away. I went to Windows Update and installed today's critical updates. After restarting my computer, Mozilla Firefox wouldn't run! I got the "has experienced an error and has to close" screen. So, I started uninstalling the patches. When I tried to uninstall 841873, I got a message that said that, if I continued with the uninstall, Mozilla Firefox would no longer function. The really interesting thing is, once I uninstalled 841873, FIREFOX WORKED!!! Not a conspiracy nut at heart, but this is just too coincidental. Has anyone else experienced this yet? Running XP with all current updates (except 841873) on a P4 3 GHz with 512K. Mozilla Firefox 0.9.2
Want to help a Microsoftie switch to Firefox? See if you can help, I'm sure once he gets it working he'll go and convert others...
When I was making it, I started to try to find out the best way to do it. I quickly found a way in IE to build it extremely easily. I could take advantage of some IE style property that would let me make the div act like a scroll box kind of thing, where I could very easily scroll up and down.
Then I found out that this was only an IE style, and not W3C compatible. So then I had to resort to a nasty way of making the div act like a mask, so that as you scrolled down the mask would move down and then the div would have to move up. This is acceptable, but it's just nasty.
Anyway, my point is that IE's addition to the W3C style properties was actually easier to use than a W3C method.
Another point where there are discrepancies is if you have a table cell with the style: style="border: 1 solid #000000; width:100px;" In IE that cell will have a width of 100px, and a border. While in Mozilla it will put the border on the outside of the cell, so its actual width will be 102px.
ok.... now I'm ready for hate mail.
-asoap
Ps: I do prefer firefox to IE. I just have to develop for what most of the world uses.
Here's a task for you.
Style property "position:fixed;"
I want you to make a div that stays put on the page where you put it, and doesn't jump up and down on a page like a jumping bean when you scroll. It's easy enough in Opera/Mozilla, where the fixed position is supported. But IE doesn't recognize that attribute, so it sets the position to static. How then are you going to do it?
This problem took me almost 2 days of work to get working in IE. I had to create a toolbar for the top of a page that would scroll. I eventually found a few CSS hacks to do it, and it works great, although it does crash IE if combined with some other scripts, so it's not perfect.
My point is that while you have demonstrated one specific case where IE makes development a little easier, I think on the whole, the W3C methods just make life much easier than some de facto standard that Microsoft thought up on the spur of the moment. I code to standards because I prefer to write code that isn't bound to one specific version of one particular browser.
And if you check the specs of borders according to the W3C recommendation, you will find that Mozilla is behaving appropriately in the case of the table border. IE is in error. (However, the problem might go away in IE if you aren't in quirks mode (i.e. use a correct doctype).)
Once again, I regret posting in this discussion, as I would have loved to mod you down for being blatantly wrong.