4 New "Extremely Critical" IE Vulnerabilities
TopherTG writes "Buckle your seat belts folks. On what is looking to be the next Black Tuesday, with rumors of 9 new Windows security patches being released, Secunia is reporting on 4 new vulnerabilities in IE that allow for arbitrary code execution and placing content over other windows. Combined with the new Windows patches, it is likely more Download.Ject and Sasser like viruses will be emerging in the coming months."
An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta). This issue could not be confirmed on a fully patched Windows XP SP1 system.
So SP2, which is supposed to make Windows super-safe (even at the expense of backwards-compatibility in some cases) may have actually introduced an IE bug.
How long is it going to be before some big mainstream press picks these recursive stories up and starts recommending people try another web browser?
And is there anything we can do to get this in the press?
*.02c
You know, for some reason, I feel bad for the IE Developers, who are probably a bunch of well meaning people that are hampered by upper-management decisions.
This is not something you want to wake up to as a developer, whether it's proprietary or open source. It's just that they can't make decisions based on solving the problem alone, they have so much red tape to go through to make changes, that even though they might want to solve this problem, someone on the top is making it difficult.
Jason Lotito
Yes I know Mozilla/Firefox is better and I use it regularly. However I have to develop applications in ASP.net, basically Internet Explorer as mandated for this application. (Granted, Windows runs the majority of desktops here.) Why can't Microsoft just build code that is at least semi-secure puhleeeeaaaaassseee....maybe it's time to pitch for a full out work switch to Mozilla/Open Source. Especially when it's a new vulnerability (or multiple vulnerabilities) once a week. *sigh*
Ok I'm through crying now Microsoft hear my pleas....
...in bed
This is absolutely no surprise, and seems at this point almost un-newsworthy. There are so many holes in the virtual screen door that we call IE, it's becoming moot to mention them. Why not solve the problem at its base, and switch to Mozilla. I am director of IT at the company that I work for, and we all use Mozilla now, and I feel a lot better about this. I am waiting for 2 things though:
1. IE to not be a part of the actual operating system (not going to happen, they've already committed)
and
2. Web Developers to write code that is compatible with all browsers (i.e.: not written just for IE, such that if another browser is noticed, service rendered unusable).
When this happens, I will be pleased.... until then, I guess we're going to be fighting off more exploits than one can shake a stick at.
sigSEGV - doy!
Yes, Microsoft gets attacked because they're the biggest target. No, I don't buy the argument that all OSes are inherently just as secure or insecure as other OSes. Just compare Windows 98 to Windows XP, or OpenBSD to Windows ME. All OSes are not the same, and marketshare is not the only factor.
Read the EFF's Fair Use FAQ
IE is lacking in functionality compared to Mozilla, and the MS development cycle is inadequate to respond to this type of problem, IMO--but the only way to stop the malware is to stop the malware authors. Bounties work, but to really stop them, we would have to sacrifice a lot of privacy which the internet still (sort of) affords.
It has never been Netscape based - despite AOL owning Netscape.
Netscape 4.x and older wasn't modular enough to embed in their client.
The Mac OS X version does use the Gecko rendering engine (which ain't 'Netscape' it's just the rendering engine) and Compuserve also uses Gecko.
But AOL has been IE based since they moved away from their own browser.
to consider any that isn't an MS product. He is a staunch Redmond supporter, won't even concede the importance of Unix/Linux/Mac ever, as if they never existed. I have been hitting him with links from these stories for almost a year straight, he just called, wants me to start having our desktop guys install FireFox on his desktops next week. Chalk up one more for the good guys...
I have a _very_ nontechnical friend. I recommended he install FireFox to get rid of popups. He did, and now HE is downloading it and installing it on all of his friends' machines!
Engineering and the Ultimate
I'm a fan of Microsoft. I like most of their products. I make a living off their development tools and platforms. I'm incredibly happy with Windows 2003 Server. I typically defend Microsoft whenever I get the chance.
But not when it comes to IE. It is fairly clear to me, and anybody else whose mind is not clouded with zealotry, that IE is the single best attack vector into the average personal computer. Nearly all PC users use IE for a significant portion of the day, and nearly all of those users have no idea that visiting a web site could be dangerous.
I stopped using IE about 6 months ago when a web page managed to install spyware on my machine. I was fully patched, but it happened anyway. If it weren't for McAfee Antivirus, I never would have known. I've been using FireFox ever since.
Up until FireFox .8 (or so), IE was the better browser if you ignored security issues. But you can't ignore security issues. And now that FireFox is just as good (and better in many ways) than IE, I can't see any rational reason to continue to use IE.
So, there you have it. A diehard Microsoft fan dumping IE like a bad habit.
Here is an email that I sent to my family members, I suggest that you do something similar.
This will be the last email that you will receive from me about security holes in Internet Explorer. Microsoft is not able to release patches quickly enough to secure Internet Explorer. The U.S. Department of Homeland Security now recommends that if users are unable to patch the security holes in Internet Explorer that they use another browser. Please switch to the latest version of Mozilla web browser. You can find this web browser at http://www.mozilla.org/
http://secunia.com/advisories/12048/
Andrew
Why did I lurk so long before registering for a Slashdot account? I could have had a Slashdot ID of less than 100000.
I'd like to get my hands on an exploit that installs Firefox, with the IE theme, and then replaces all desktop and startmenu shortcuts with a pointer to Firefox. Also changes the default browser.
Anyone know of one? The terms are too generic for a quick google.
S
Like Windows users everywhere who use IE only for Windows Update, I went through the ritual of adding v5.windowsupdate.microsoft.com to my Trusted Sites list and disabling Active Scripting in my Internet Sites list today. This is a fresh[-ish] install of Windows XP SP2 RC2. I've never used trusted sites before on it. However, I noticed that there was already one entry in the list: https://free.aol.com Why was this? I don't use AOL- I don't even have it installed. I'm starting to sense some corporate brainwashing (and, a site that if cracked would give anybody full access to every copy of IE in SP2...). Has anybody else seen this?
My Systems
A great many problems can be avoided simply by setting ActiveX controls to prompt for download, allow only ActiveX controls digitally signed by a trusted source to run (you can check the signature before you accept), and turn off active scripting. Yes, IE has problems, but in all fairness it probably has the dubious distinction of being the most analyzed, probed, and maliciously scrutinized software on the planet. Mod me down if you wish, but someone has to play devil's advocate.
This one blew me away. I went to Windows Update and installed today's critical updates. After restarting my computer, Mozilla Firefox wouldn't run! I got the "has experienced an error and has to close" screen. So, I started uninstalling the patches. When I tried to uninstall 841873, I got a message that said that, if I continued with the uninstall, Mozilla Firefox would no longer function. The really interesting thing is, once I uninstalled 841873, FIREFOX WORKED!!! Not a conspiracy nut at heart, but this is just too coincidental. Has anyone else experienced this yet? Running XP with all current updates (except 841873) on a P4 3 ghz with 512K. Mozilla Firefox 0.9.2
Here's a task for you.
Style property "position:fixed;"
I want you to make a div that stays put on the page where you put it, and doesn't jump up and down on a page like a jumping bean when you scroll. It's easy enough in Opera/Mozilla, where the fixed position is supported. But IE doesn't recognize that attribute, so it sets the position to static. How then are you going to do it?
This problem took me almost 2 days of work to get working in IE. I had to create a toolbar for the top of a page that would scroll. I eventually found a few CSS hacks to do it, and it works great, although it does crash IE if combined with some other scripts, so it's not perfect.
My point is that while you have demonstrated one specific case where IE makes development a little easier, I think on the whole, the W3C methods just make life much easier than some de facto standard that Microsoft thought up on the spur of the moment. I code to standards because I prefer to write code that isn't bound to one specific version of one particular browser.
And if you check the specs of borders according to the W3C recommendation, you will find that Mozilla is behaving appropriately in the case of the table border. IE is in error. (However, the problem might go away in IE if you aren't in quirks mode, i.e. use a correct doctype.)
Once again, I regret posting in this discussion, as I would have loved to mod you down for being blatantly wrong.