4 New "Extremely Critical" IE Vulnerabilities
TopherTG writes "Buckle your seat belts folks. On what is looking to be the next Black Tuesday, with rumors of 9 new Windows security patches being released, Secunia is reporting on 4 new vulnerabilities in IE that allow for arbitrary code execution and placing content over other windows. Combined with the new Windows patches, it is likely more Download.Ject and Sasser like viruses will be emerging in the coming months."
At what point do we need to shift the focus here and start posting slashdot stories when they find some code in IE that actually works?
An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta). This issue could not be confirmed on a fully patched Windows XP SP1 system.
So SP2, which is supposed to make Windows super-safe (even at the expense of backwards-compatibility in some cases), may have actually introduced an IE bug.
surprise, surprise...all i want to know is why you need 9 patches for 4 holes. maybe the first patch fixes 1 and creates 5 more?
Sorry Funkdid, your bet of Wednesday for the next IE exploit was incorrect. However according to Price is Right rules your bet is the closest without going over, so you win!
Your prize today is 9 shiny new windows patches! And a new car!
Urge to post... fading... fading... RISING!... fading... fading... gone.
A spokesman for Microsoft said, "These are the last 4, we swear!"
I'm switching to Lynx.
First hit on Google:
http://mutualfunds.about.com/cs/1929marketcrash/a/black_tuesday.htm
"Black Tuesday is notorious for being the worst day in the U.S. stock market"...
You didn't even try, did you?
The day the stock market crashed in 1929, beginning the great depression.
... all the antivirus companies like Symantec, Sophos, etc. just start classifying IE as a virus. Get rid of IE and most of these viruses/worms will have nowhere to go.
How long is it going to be before some big mainstream press picks these recursive stories up and starts recommending people try another web browser?
And is there anything we can do to get this in the press?
*.02c
Obviously anyone who hasn't made all their Windows 'friends' switch to FireFox needs to do so now. Just point them to the download site and send them this article, which nicely explains the benefits of FireFox, and why you have nothing to lose by trying it:
http://slate.msn.com/id/2103152
You know, for some reason, I feel bad for the IE Developers, who are probably a bunch of well meaning people that are hampered by upper-management decisions.
This is not something you want to wake up to as a developer, whether it's proprietary or open source. It's just that they can't make decisions based on solving the problem alone, they have so much red tape to go through to make changes, that even though they might want to solve this problem, someone on the top is making it difficult.
Jason Lotito
Dear Staff,
IE has a few unsolved vulnerabilities to say the least. Download the latest version of Firefox or Mozilla from http://www.mozilla.org/.
Thanks,
Bill G
"During times of universal deceit, telling the truth becomes a revolutionary act" -- George Orwell
but if i disable active scripting, i won't be able to access the windows update site! what's a girl to do?? ;)
Yes I know Mozilla/Firefox is better and I use it regularly. However I have to develop applications in ASP.net, basically Internet Explorer as mandated for this application. (Granted Windows runs the majority of desktops here). Why can't Microsoft just build code that is at least semi-secure puhleeeeaaaaassseee....maybe it's time to pitch for a full out work switch to Mozilla/Open Source. Especially when it's a new vulnerability (or multiple vulnerabilities) once a week. *sigh*
Ok I'm through crying now Microsoft hear my pleas....
...in bed
This is absolutely no surprise, and seems at this point almost un-newsworthy. There are so many holes in the virtual screen door that we call IE, it's becoming moot to mention them. Why not solve the problem at its base, and switch to Mozilla. I am director of IT at the company that I work for, and we all use Mozilla now, and I feel a lot better about this. I am waiting for 2 things though:
1. IE to not be a part of the actual operating system (not going to happen, they've already committed)
and
2. Web Developers to write code that is compatible with all browsers (i.e.: not written just for IE, such that if another browser is noticed, service rendered unusable).
when this happens, i will be pleased.... until then, i guess we're going to be fighting off more exploits than one can shake a stick at.
sigSEGV - doy!
When all the sysadmins start jumping out of windows, you'll understand.
Internet Explorer in Windows XP SP2 Release candidate is not vulnerable to any of these exploits.
*ahem*
An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta).
Yes, Microsoft gets attacked because they're the biggest target. No, I don't buy the argument that all OSes are inherently just as secure or insecure as other OSes. Just compare Windows 98 to Windows XP, or OpenBSD to Windows ME. All OSes are not the same, and marketshare is not the only factor.
Read the EFF's Fair Use FAQ
Built one of these, have you? Do tell, do tell.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Or does the very name of IE sound like a scream?
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
We've been hearing about these vulnerabilities for a while. I for one have switched to using Firefox and Safari for my main browsers as soon as Safari was launched. I use IE only when I come across sites (why can't developers follow the standards that have been set by W3C?) that were coded specifically for IE and don't render properly in the other browsers. Many people in my circle, and in the Slashdot circle have been doing the same thing. But what about the masses? What about the average Joe, the average corporate user? I don't think these people understand the severity of the situation here or that they even care. Hence, we still have roughly 90% of the users out there just moving along with these secure-as-swiss-cheese browsers and not moving to more secure solutions. What major industry, company, government agency, etc has to go down in a giant ball of fire to get people to do something about this and not continue to use a sub-standard product?
Just imagine if cars were sold with this many problems. Or home security systems...
"He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
because thousands of very large companies (you know, the ones which actually pay for symantec software?) standardised all of their internal applications on IE -- basically meaning they invested millions (billions?) of dollars writing internal web applications which work in IE but no other web browsers. a huge mistake, yes, but you're talking about re-write work on the order of a hundred or so million dollars.
MORTAR COMBAT!
There are no windows in the basement.
"Piter, too, is dead."
> I think blacktuesday has something to do with a stock market crash back in the day. 1987 maybe? I am not sure.
... "1987" ...
"back in the day"
God I feel old...
- For the complete works of Shakespeare: cat
It's skewed highly towards the web developers/more technically inclined, BUT the fact that non-IE browsers are doing so well there is a GREAT sign, as it means web designers are moving away from IE.
If you want a better general representation of the web, Google's Zeitgeist web browsers graph (from May) is a better place to look. If you zoom in, you do see that the Mozilla based browsers are slowly gaining.
Google doesn't index user sigs, so stop trying to "Google Bomb" with them.
Boy, MS' spin control just gets more clever by the day...
Dangit, just one day before, and my band could have had a slashdotting. I couldda been a contenda.
Just set a box of Windows XP out in the field, and the worms keep rolling in. They stopped for a moment and we were afraid we would have to go back to the old method of using shovels and a bucket. But, like magic, they kept coming and coming.
All hail the Quizatz Hadderach!
I'm not quite sure how this is, but our collective websites run on our server generate around 2 million hits per month, and i would have to say that about 97-98% of them use IE.
I've had the worst time being the only Linux guy in the office, and my cries have not completely fallen on deaf ears, as 2 of my co-workers have installed Firefox recently. But when i can talk to someone for less than 5 minutes about the pros and cons of Mozilla and open source browsing vs. IE, most of them nearly start sobbing with all their troubles.
People daily complain to me about the bot problems or spyware issues that they have. I was sympathetic and helpful for a time. But now I wanly smile and say "mozilla.org/firefox" and walk away. Those super-cool guys with browser problems can kiss my ass until they start listening to me, and the rest of the world.
Read the only personal Runyon page out there.
Remember when 2000 was supposed to be the most secure ever? Then XP? Now it's Longhorn. I didn't believe them then and I don't believe them now.
I feel sorry for the poor Windows poopies. Paying big bucks to get porked like a cheap prom date. And not so much a kiss from Billy boy.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
to consider any that isn't an MS product. He is a staunch Redmond supporter, won't even concede the importance of Unix/Linux/Mac ever, as if they never existed. I have been hitting him with links from these stories for almost a year straight, he just called, wants me to start having our desktop guys install FireFox on his desktops next week. Chalk up one more for the good guys...
Put the Windows Update site into the "local sites" zone or whatever Internet Explorer calls it. Set the "local sites" security to the same as the Internet zone, and then switch Active Scripting off in the Internet zone.
This effectively emulates the domain-specific Javascript settings in other browsers.
"If people running windows were not so used to running as admin, this would not be a fundamental problem."
If Windows wasn't such a pain in the ass to run as a non-admin user, then this wouldn't be such a fundamental problem.
It's Tuesday.
The fourth vulnerability (createPopup) has already been exploited in phishing scams for some time now. Initial reports of the exploit only started coming in a couple months ago, even though the vulnerability has existed since IE 5.5.
Scammers use it to mask the address bar and/or other browser widgets (such as the secure icon). This exploit is particularly dangerous because it can be used to mask/disguise any part of the user's screen, including other windows or even the start menu.
I submitted it to slashdot over a month ago, but it was never greenlighted. I guess these IE vulnerabilities are so commonplace it takes several at once to make the main page...
web design experiments
IE is the interface between the user and the Windows OS. It just happens to also act as a web browser. That's what they mean when they say it is integrated as part of Windows.
Now, taking the software that is responsible for interfacing with the OS and making it your default tool for interacting with the outside world was just plain stupid -- a marketing/legal department move to skirt the ruling that they couldn't bundle IE with Windows. Once done, however, almost any problem with IE becomes a root exploit. Surfing with IE makes this problem go from some risk to extreme risk. The only way to avoid this kind of escalation is to separate web browser from OS interface: something MS doesn't want to do since then they are back to the bundling problem.
Life is short: void the warranty.
Marketshare is largely irrelevant. See Apache vs IIS.
"Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
IE works, it does some things well. Anyone who remembers many of my posts over the years knows I'm no fan of Microsoft, but their browser does work. Effectively it's not the browser that's broken, but their implementation and bundling. Where Mozilla or Opera are stand alone applications, IE has links directly into the OS which make the vulnerabilities. If Microsoft had simply played by the same rules everyone else had to, there would have been far fewer problems for them and far fewer embarrassments for them.
When competitors and gadflies all pissed and moaned about Microsoft playing unfairly with this bundling strategy, which most of their non-directly-Operating-System software is built following, it wasn't the DoJ or courts that should have been listening, but Microsoft themselves.
Perhaps there should be a Darwin Awards for software, awarded to those companies which continually hoist themselves by their own petard.
A feeling of having made the same mistake before: Deja Foobar
Can someone explain to me how an IE vulnerability can lead to a Sasser like virus? I thought Sasser was a worm that spread automatically through open ports of unpatched Windows machines, whereas IE vulnerabilities seem to have to be user initiated.
It seems like somebody was jealous of a certain other browser's bug now weren't they?
I stole this Sig
Microsoft Delays Windows XP Service Pack 2
Posted by simoniker on Monday July 12, @05:02PM
MSN, Word Vulnerable To Shell: URI Exploit
Posted by timothy on Monday July 12, @07:42PM
4 New "Extremely Critical" IE Vulnerabilities
Posted by CmdrTaco on Tuesday July 13, @11:45AM
Microsoft Expects 1 Billion Windows Users by 2010
Posted by CmdrTaco on Tuesday July 13, @08:14AM
Is MS trying to be funny or something? Honestly, I really think you have to try to mess-up this badly this many times in such a short period of time... I can't believe a mainstream revolution leaving MS products isn't occurring...
When are the masses going to learn?
That's why IT management, starting from the top down, needs to plan better.
There is nothing revolutionary, even using ActiveX, that can be done in IE that cannot be done by other means with non-IE browsers.
The only significant benefit to doing IE-only development is the streamlined development tools.
This reminds me of a story I heard as a kid... The Three Little Pigs. Sure you can build a straw house quickly, but is it a long-term solution?
.sigs are for post^Hers.
I'm a fan of Microsoft. I like most of their products. I make a living off their development tools and platforms. I'm incredibly happy with Windows 2003 Server. I typically defend Microsoft whenever I get the chance.
But not when it comes to IE. It is fairly clear to me, and anybody else whose mind is not clouded with zealotry, that IE is the single best attack vector into the average personal computer. Nearly all PC users use IE for a significant portion of the day, and nearly all of those users have no idea that visiting a web site could be dangerous.
I stopped using IE about 6 months ago when a web page managed to install spyware on my machine. I was fully patched, but it happened anyway. If it weren't for McAfee Antivirus, I never would have known. I've been using FireFox ever since.
Up until FireFox .8 (or so), IE was the better browser if you ignored security issues. But you can't ignore security issues. And now that FireFox is just as good (and better in many ways) than IE, I can't see any rational reason to continue to use IE.
So, there you have it. A diehard Microsoft fan dumping IE like a bad habit.
The masses won't change because these articles are only read by us techies. Even when it is on CNN.com, it is buried in the technology section; where only techies go anyway. Put it on the front page headlines of CNN or USAToday already...
Here is an email that I sent to my family members, I suggest that you do something similar.
This will be the last email that you will receive from me about security holes in Internet Explorer. Microsoft is not able to release patches quickly enough to secure Internet Explorer. The U.S. Department of Homeland Security now recommends that if users are unable to patch the security holes in Internet Explorer that they use another browser. Please switch to the latest version of Mozilla web browser. You can find this web browser at http://www.mozilla.org/
http://secunia.com/advisories/12048/
Andrew
Why did I lurk so long before registering for a Slashdot account? I could have had a Slashdot ID of less than 100000.
I'd like to get my hands on an exploit that installs Firefox, with the IE theme, and then replaces all desktop and startmenu shortcuts with a pointer to Firefox. Also changes the default browser.
Anyone know of one? The terms are too generic for a quick google.
S
Like Windows users everywhere who use IE only for Windows Update, I went through the ritual of adding v5.windowsupdate.microsoft.com to my Trusted Sites list and disabling Active Scripting in my Internet Sites list today. This is a fresh[-ish] install of Windows XP SP2 RC2. I've never used trusted sites before on it. However, I noticed that there was already one entry in the list: https://free.aol.com Why was this? I don't use AOL- I don't even have it installed. I'm starting to sense some corporate brainwashing (and, a site that if cracked would give anybody full access to every copy of IE in SP2...). Has anybody else seen this?
My Systems
Imagine Microsoft releasing patches any day of the week/month, with no warning. Several times a month. Imagine yourself running around to each machine patching it, sitting down, and doing it all over again when a new patch comes out.
Now imagine Microsoft adopting a policy of releasing patches on a known day of the month. Imagine coming up with a corporate plan to handle those patches on a predetermined schedule.
You decide which is better.
There's already a lot of discussion going on about "use Mozilla/Firefox/Safari/Lynx/whatever", so I won't rehash that here. If you can pull it off in your environment, great.
There are a lot of environments, however, where switching from IE just isn't an immediate option. In the future, perhaps, but worm writers and virus scripters won't wait. So here's my advice, my hope, and my PLEA to all you I.T. guys out there.
No matter how much you hate IE, please, for the love of God, get your users to UPDATE THEIR SYSTEMS WITH THE PATCHES. Even if they don't use IE.
We can all save ourselves and each other a hell of a lot of hassle by taking Microsoft's efforts to patch their product as what it is: an effort (however feebly-, politically-, or economically minded) to secure their product. The viruses and worms generally aren't harmful to the user--it's all the network traffic that infected machines produce that is the major headache. Spam, pingfloods, DDoS, it all targets other services and the infrastructure on which we all depend. Be neighborly on the Internet, and make sure your systems are as secure as they can be, even if they're not the systems you'd prefer to run.
Switch browsers, yes. If it makes sense for you and you can do it, go for it. But don't let everyone on your site get infected in the meantime. Remember that the majority of viruses and attack exploits out there in the past months have been proactively counteracted by Microsoft patches.
Infections are caused by morons who don't patch. DON'T LET YOUR USERS BE MORONS (to the extent that this is possible).
Thanks,
The Internet
I hate runas, it's nothing like su or sudo. Quick rant here, oracle installed with permissions so that only Admin could access the dir. I couldn't change it. Tried to do as I would in KDE and do:
runas
to pop open an Admin explorer shell to change the permissions on the dir. Just doesn't work. Command ran and nothing happened. In KDE it's just a simple
su root -c konqueror
or for me
sudo konqueror
or even ALT+F2, konqueror, "run as different user: root" and enter the password. Had to close everything I was working on (this is my work computer with ssh sessions, code files, and RDP sessions open), log out and log back in as Admin just to simply add my user to the list of allowed users. User-Friendly my ass
C Pungent
A great many problems can be avoided simply by setting ActiveX controls to prompt for download, allow only ActiveX controls digitally signed by a trusted source to run (you can check the signature before you accept), and turn off active scripting. Yes, IE has problems, but in all fairness it probably has the dubious distinction of being the most analyzed, probed, and maliciously scrutinized software on the planet. Mod me down if you wish, but someone has to play devil's advocate.
I just called my boyfriend and asked.
The solution for Palm hotsync:
Give the user Administrative-level access.
Install the Palm software.
Explicitly grant the user access to the installed Palm files in Program Files (rather than doing it via Group access).
Remove the user from the Administrators group.
Voila. Palm hotsync works without Admin rights. The temporary Administrator rights are needed so that the installer can create certain user-specific registry keys. Another way to do it is to install it under an Administrator's account and then export/import the reg keys, but my boyfriend reports that temporarily setting up the user with Admin rights is overall easier.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
This one blew me away. I went to Windows Update and installed today's critical updates. After restarting my computer, Mozilla Firefox wouldn't run! I got the "has experienced an error and has to close" screen. So, I started uninstalling the patches. When I tried to uninstall 841873, I got a message that said that, if I continued with the uninstall, Mozilla Firefox would no longer function. The really interesting thing is, once I uninstalled 841873, FIREFOX WORKED!!! Not a conspiracy nut at heart, but this is just too coincidental. Has anyone else experienced this yet? Running XP with all current updates (except 841873) on a P4 3 ghz with 512K. Mozilla Firefox 0.9.2
To wit -- Here's a little history lesson on why you're wrong. And when Linux starts to get the number and volume of enterprise-level applications that Windows has, these types of history lessons will prove useful. But don't just take the easy way out and say "Yeah Windows sucks" and not try to learn about the mistakes that might just be made again without some perspective.
UNIX has had a clean and simple separation between administrator and user privileges since the 1970's, and Linux uses the same mechanisms. UNIX and Linux have faced the most formidable opponent trying to break down that barrier over decades: the college student, who can spend hours a day trying to break into university systems. And they did. And UNIX developers fixed the bugs and adapted the security models.
The people who need a history lesson are Microsoft developers. They just started hacking some time in the 1980's, giving a damn about security or any of the other hard stuff. That kind of ignorance got hardcoded into Windows APIs, libraries, documentation, coding styles, frameworks, and instructional materials. That's why most third party developers for Windows put files all over the place and don't pay any attention to security either.
It's not surprising Microsoft and Microsoft developers managed to grind out popular GUI apps quickly--they cut corners on all the hard stuff and didn't even know it. The UNIX nerds at the same time were saying "this isn't the right way of doing it": they were looking 10-20 years down the road with the experience they already had, but because they were thinking long-term, Microsoft beat them on time to market and price. That's why Windows, and not UNIX, rules the desktop today. But ignorance and backwards-compatibility issues are catching up with Microsoft, and it seems quite likely to me that their fall is going to be just as spectacular as their rise.