Slashdot Mirror

← Back to Stories (view on slashdot.org)

4 New "Extremely Critical" IE Vulnerabilities

Posted by CmdrTaco on from the are-you-ready-for-fun-and-excitement dept.

TopherTG writes "Buckle your seat belts folks. On what is looking to be the next Black Tuesday, with rumors of 9 new Windows security patches being released, Secunia is reporting on 4 new vulnerabilities in IE that allow for arbitrary code execution and placing content over other windows. Combined with the new Windows patches, it is likely more Download.Ject and Sasser like viruses will be emerging in the coming months."

49 of 1,081 comments (clear)

  1. "Trusted Computing" by KevinKnSC · · Score: 5, Interesting
    I especially liked this part:

    An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta). This issue could not be confirmed on a fully patched Windows XP SP1 system.

    So SP2, which is supposed to make Windows super-safe (even at the expense of backwards-compatibility in some case) may have actually introduced an IE bug.

    1. Re:"Trusted Computing" by The-Bus · · Score: 5, Funny

      Well at least it's nice of the virus/exploit writers to find flaws now as opposed to during its official release in August...

      --

      Small potatoes make the steak look bigger.

  2. surprise by birdwax2k · · Score: 5, Funny

    surprise, surprise...all i want to know is why you need 9 patches for 4 holes. maybe the first patch fixes 1 and creates 5 more?

  3. The /. Pool by CommanderData · · Score: 5, Funny

    Sorry Funkdid, your bet of Wednesday for the next IE exploit was incorrect. However according to Price is Right rules your bet is the closest without going over, so you win!

    Your prize today is 9 shiny new windows patches! And a new car!

    --
    Urge to post... fading... fading... RISING!... fading... fading... gone.
    1. Re:The /. Pool by Zak3056 · · Score: 5, Funny

      However according to Price is Right rules your bet is the closest without going over, so you win!

      Your prize today is 9 shiny new windows patches! And a new car!

      <game show music>

      But that's not all, Funkdid! Bob Barker is also going to come to your house and personally neuter your dog! Actual retail price of Bob neutering your dog, $129.99!

      </game show music>

      --
      What part of "shall not be infringed" is so hard to understand?
    2. Re:The /. Pool by funkdid · · Score: 5, Funny
      Awesome! hahahha

      If only it was announced tomorrow, I would have won both showcases!!!!!!

      --

      I boycott signatures

  4. Breaking News by Anonymous Coward · · Score: 5, Funny

    A spokesman for Microsoft said, "These are the last 4, we swear!"

    1. Re:Breaking News by JimDabell · · Score: 5, Insightful

      What's sad is that Internet Explorer 6 was released about two and a half years ago, has had no new features added, and they still haven't finished fixing it.

  5. Oh, for god's sake! by Anonymous Coward · · Score: 5, Funny

    I'm switching to Lynx.

  6. Re:At what point... by slash-tard · · Score: 5, Funny

    Im just glad I use AOL to get my interweb.

  7. Re:Black Tuesday? wth? by cuzality · · Score: 5, Informative

    First hit on Google:

    http://mutualfunds.about.com/cs/1929marketcrash/a/ black_tuesday.htm

    "Black Tuesday is notorious for being the worst day in the U.S. stock market"...

    You didn't even try, did you?

  8. Why don't... by Iphtashu+Fitz · · Score: 5, Insightful

    ... all the antivirus companies like Symantec, Sophos, etc. just start classifying IE as a virus. Get rid of IE and most of these viruses/worms will have nowhere to go.

  9. Mainstream Media by aghorne · · Score: 5, Interesting

    How long is it going to be before some big mainstream press picks these recursive stories up and starts recommending people try another web browser?

    And is there anything we can do to get this in the press?

    --
    *.02c
    1. Re:Mainstream Media by DrAegoon · · Score: 5, Interesting

      It's already starting. When I visited my (non-techie) parents last week both of them had heard news on the TV or radio about the IE exploit. My dad actually asked me to install Firefox because the story he heard had mentioned it was safer than IE. In a perfect world the mainstream media would keep this up and give Microsoft a real reason to write better code.

      Unfortunately we live in the real world. If Micorsoft kept getting large amounts of bad press every time it announced a new exploit it would try even harder to hide the flaws instead of releasing a fix.

    2. Re:Mainstream Media by NanoGator · · Score: 5, Insightful

      "How long is it going to be before some big mainstream press picks these recursive stories up and starts recommending people try another web browser?"

      How come you guys are just sitting on your hands hoping the media picks it up instead of pooling your money together and getting a commercial on TV?

      --
      "Derp de derp."
  10. Obligatory FireFox Boosterism by diagnosis · · Score: 5, Insightful

    Obviously anyone who hasn't made all their Windows 'friends' switch to FireFox needs to do so now. Just point them to the download site and send them this article, which nicely explains the benefits of FireFox, and why you have nothing to lose by trying it:
    http://slate.msn.com/id/2103152

  11. IE Developers by thenextpresident · · Score: 5, Interesting

    You know, for some reason, I feel bad for the IE Developers, who are probably a bunch of well meaning people that are hampered by upper-management decisions.

    This is not something you want to wake up to as a developer, whether it's proprietary or open source. It's just that they can't make decisions based on solving the problem alone, they have so much red tape to go through to make changes, that even though they might want to solve this problem, someone on the top is making it difficult.

    --
    Jason Lotito
    1. Re:IE Developers by phoxix · · Score: 5, Insightful

      You know, for some reason, I feel bad for the IE Developers, who are probably a bunch of well meaning people that are hampered by upper-management decisions.

      No, they are idiots. Remember that simple BMP image buffer over-flow found when the leak of the Windows Source code ?

      That has nothing to do with upper-management decisions. More like Microsoft's human resources problem of hiring people from good colleges who lack real programming experience.

      Sunny Dubey

  12. Internal MS Memo by ccoder · · Score: 5, Funny

    Dear Staff,

    IE has a vew unsolved vulnerabilities to say the least. Download the latest version of Firefox or Mozilla from http://www.mozilla.org/.

    Thanks,
    Bill G

    --
    "During times of universal deceit, telling the truth becomes a revolutionary act" -- George Orwell
  13. Re:Solution: by headblur · · Score: 5, Insightful

    but if i disable active scripting, i won't be able to access the windows update site! what's a girl to do?? ;)

  14. Re:Black Tuesday? wth? by Synesthesiatic · · Score: 5, Funny

    When all the sysadmins start jumping out of windows, you'll understand.

  15. Re:At what point... by Grey+Ninja · · Score: 5, Funny

    Well, we know for sure at this point that ActiveX works. And the code for creating popups is working quite nicely. Of course, there is the odd time that when autoinstalling some ActiveX controls to autospawn more popups, and creating some more popups at the same time, it can go into an infinite loop and crash, but on the whole, it works quite nicely. =)

  16. Built one of these, have you? by Saeed+al-Sahaf · · Score: 5, Insightful
    This is a web browser. It's not the most complicated thing in the world.

    Built one of these, have you? Do tell, do tell.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  17. Re:No Surprise by man_ls · · Score: 5, Interesting

    If the Mozilla Foundation came up with an open-source replacement for shdoclc.dll (the Internet Explorer Rendering Engine) you could replace the IE application backend with the Firefox application backend.

    If you ask me, that's something people should be working towards.

  18. Is it just me? by Cro+Magnon · · Score: 5, Funny

    Or does the very name of IE sound like a scream?

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  19. Will the masses heed the warnings? by chia_monkey · · Score: 5, Insightful

    We've been hearing about these vulnerabilities for a while. I for one have switched to using Firefox and Safari for my main browsers as soon as Safari was launched. I use IE only when I come across sites (why can't developers follow the standards that have been set by W3C?) that were coded specifically for IE and don't render properly in the other browsers. Many people in my circle, and in the Slashdot circle have been doing the same thing. But what about the masses? What about the average Joe, the average corporate user? I don't think these people understand the severity of the situation here or that they even care. Hence, we still have roughly 90% of the users out there just moving along with these secure-as-swiss-cheese browsers and not moving to more secure solutions. What major industry, company, government agency, etc has to go down in a giant ball of fire to get people to do something about this and not continue to use a sub-standard product?

    Just imagine if cars were sold with this many problems. Or home security systems...

    --

    "He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
  20. simple answer by MORTAR_COMBAT! · · Score: 5, Insightful

    because thousands of very large companies (you know, the ones which actually pay for symantec software?) standardised all of their internal applications on IE -- basically meaning they invested millions (billions?) of dollars writing internal web applications which work in IE but no other web browsers. a huge mistake, yes, but you're talking about re-write work on the order of a hundred or so million dollars.

    --
    MORTAR COMBAT!
  21. Re:Black Tuesday? wth? by chris_mahan · · Score: 5, Funny

    There are no windows in the basement.

    --

    "Piter, too, is dead."

  22. Re:Black Tuesday? wth? by hoggoth · · Score: 5, Funny

    > I think blacktuesday has something to do with a stock market crash back in the day. 1987 maybe? I am not sure.

    "back in the day" ... "1987" ...
    God I feel old...

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
  23. W3schools isn't indicative of the entire web by friedegg · · Score: 5, Informative

    It's skewed highly towards the web developers/more technically inclined, BUT the fact that non-IE browsers are doing so well there is a GREAT sign, as it means web designers are moving away from IE.

    If you want a better general representation of the web, Google's Zeitgeist web browsers graph (from May) is a better place to look. If you zoom in, you do see that the Mozilla based browsers are slowly gaining.

    --
    Google doesn't index user sigs, so stop trying to "Google Bomb" with them.
  24. Re:Solution: by Anonymous Coward · · Score: 5, Funny
    Naturally, the only thing that can distract screeching Slashbots from frothing over a new Windows vulnerability is the rare presence of a girl.

    Boy, MS' spin control just gets more clever by the day...

  25. Re:At what point... by Anonymous Coward · · Score: 5, Funny

    At what point do we have /. change the IE topic icon to have bugs crawling all over it and eating holes?

  26. Re:At what point... by mirko · · Score: 5, Informative

    It's an MSIE5/6 which also support shell: URLs :)

    --
    Trolling using another account since 2005.
  27. My company has one clients who refuses... by bob670 · · Score: 5, Interesting

    to consider any that isn't an MS product. He is a staunch Redmond supporter, won't even concede the imporatance of Unix/Linux/Mac ever, as if they never existed. I have been hitting him with links from these stories for almost a year straight, he just called, wants to me to start having our desktop guys install FireFox on his desktops next week. Chalk up one more for the good guys...

  28. Re:Solution: by JimDabell · · Score: 5, Informative

    Put the Windows Update site into the "local sites" zone or whatever Internet Explorer calls it. Set the "local sites" security to the same as the Internet zone, and then switch Active Scripting off in the Internet zone.

    This effectively emulates the domain-specific Javascript settings in other browsers.

  29. In Other News... by lukateake · · Score: 5, Funny

    It's Tuesday.

  30. IE is NOT a web browser by gunnk · · Score: 5, Insightful

    IE is the interface between the user and the Windows OS. It just happens to also act as a web browser. That's what they mean when they say it is integrated as part of Windows.

    Now, taking the software that is responsible for interfacing with the OS and making it your default tool for interacting with the outside world was just plain stupid -- a marketing/legal department move to skirt the ruling that they couldn't bundle IE with Windows. Once done, however, almost any problem with IE becomes a root exploit. Surfing with IE makes this problem go from some risk to extreme risk. The only way to avoid this kind of escalation is to separate web broswer from OS interface: something MS doesn't want to do since then they are back to the bundling problem.

    --
    Life is short: void the warranty.
    1. Re:IE is NOT a web browser by Anonymous Coward · · Score: 5, Insightful

      My guess is at least 90% of the home users DOES run through an account with admin rights.

    2. Re:IE is NOT a web browser by gnuman99 · · Score: 5, Insightful
      Exploit yes, root exploit, no, not unless the user is running as an Administrator.

      Good one. You can't even run some MS developer software without root (hmm, Administrator) privileges! (eg. eVC++ 4.0). And let's not even start about non-MS software (eg, games). Using a MS box without administrative priv. is like having a car with no engine - nothing works!

      Hell, when Administrative priv. are required, what does Windows software do? It pops up, "You have to be running as an Administrator to ...". It doesn't even ask you for Admin. password to complete its function. You just have to relogin. And thanks to the great "multi user capabilities", you have to log out of your current session first.

      Running the OS as a non-Admin is like trying to run with pains-ticks up your ass. And then running as an Admin seems not much better (see story)!!

      PS. I think MS's "Run As..." needs an extra 's'. At least 'su' works!!

  31. Be Fair! by ackthpt · · Score: 5, Insightful
    At what point do we need to shift the focus here and start posting slashdot stories when they find some code in IE that actually works?

    IE works, it does some things well. Anyone who remembers many of my posts over the years knows I'm no fan of Microsoft, but their browser does work. Effectively it's not the browser that's broken, but their implementation and bundling. Where Mozilla or Opera are stand alone applications, IE has links directly into the OS which make the vulnerabilities. If Microsoft had simply played by the same rules everyone else had to, there would have been far fewer problems for them and far fewer embarassments for them.

    When competitors and gadflies all pissed and moaned about Microsoft playing unfairly with this bundling strategy, which most of their non-directly-Operating-System software is built following, it wasn't the DoJ or courts that should have been listening, but Microsoft themselves.

    Perhaps there should be a Darwin Awards for software, awarded to those companies which continually hoist themselves by their own petard.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Be Fair! by Entropius · · Score: 5, Insightful

      What, honestly, does it do right that other browsers consistently get wrong? This isn't a rhetorical question--I'm curious.

      The rendering engine is slow (compared to Opera, so I'm a bit spoiled), the user interface is missing things that competitors have had for a while (mouse gestures? popup blocking? selective image/cookie blocking? tabbed browsing?), and it's got the aforementioned security issues.

      IE stores each individual cookie and each individual cache object in its own file. I have seen computers (P2/350 on win98 with ~10K cache objects) get slowed to a crawl by this. Might be a good idea on reiserfs, but fat32 (and probably ntfs) choke and die on this.

      Sure, there are websites that only work in IE. That's partly because people design them to be bug-compatible with it, and partly because any website that doesn't work in IE won't get published.

    2. Re:Be Fair! by ackthpt · · Score: 5, Insightful
      But I maintain that is very old by this point, and is not wearing its age very well. Security problems such as these indicate to me that Microsoft should really just sit down with their code at some point soon and fix what's wrong. IE at the core does have the potential to be a good browser, in that I agree with you, but in its present state, I just think that it's nowhere even close to being good, let alone the best.

      As an old programmer, I recognize this as the great hazard of integrating applications into an operating system. Changes to the app require changes to the OS. Change the OS and you should test the app still works. It does get very long of tooth and requiring too much bubble gum and bailing wire to keep going as the becomes ever more fragile. This is why Microsoft, of all people, should have been wary of this practice.

      I've been one not to bypass APIs and try tweaking operating systems, file structures, etc. manually as there's always the possibility the feature may cease to work or produce unexpected and disasterous effects. When Microsoft changes the OS the API should still work and largely does for those apps built upon it. All this messing about with the OS, though, when there are dependencies upon dependecies directly connected to the OS is bound to falter.

      What Microsoft should do, but probably won't until it becomes excedingly painful (isn't it already? with the Dept of HL Sec. issuing an advisory against using it?) is start over and obey the developer rules they insist everyone else does, but they ignore.

      Slighly OT, but underscoring the point I think: Years ago I anticipated with baited breath the arrival of Ultima V for the Amiga. I had an A2000 all decked out with HD, memory, all the toys. Comes the software and I find it behaves really oddly with the keyboard. A few inquiries reveals Origin Systems outsourced the coding to some house in the UK who ignored the APIs and coded to access the keyboard directly. Unfortunately their development platform was the A500, which handled the keyboard differently, thus all other versions had great problems. If they hadn't tried to be so damn clever it would have been a big success as a product and everyone would have been happy. As it was people like me saw red and wanted blood. The platform and software may change, but people still respond the same to betrayal. In this case it's Microsoft who has betrayed the customerbase as well as themselves on a very poor path of development decision making, attempting to outdo their competition.

      --

      A feeling of having made the same mistake before: Deja Foobar
  32. It's hard to stop laughing ... by btsdev · · Score: 5, Insightful

    Microsoft Delays Windows XP Service Pack 2
    Posted by simoniker on Monday July 12, @05:02PM

    MSN, Word Vulnerable To Shell: URI Exploit
    Posted by timothy on Monday July 12, @07:42PM

    4 New "Extremely Critical" IE Vulnerabilities
    Posted by CmdrTaco on Tuesday July 13, @11:45AM

    Microsoft Expects 1 Billion Windows Users by 2010
    Posted by CmdrTaco on Tuesday July 13, @08:14AM

    Is MS trying to be funny or something? Honestly, I really think you have to try to mess-up this badly this many times in such a short period of time... I can't believe a mainstream revolution leaving MS products isn't occuring...

    When are the masses going to learn?

  33. Even MS Fans Are Switching by Anonymous Coward · · Score: 5, Interesting

    I'm a fan of Microsoft. I like most of their products. I make a living off their development tools and platforms. I'm incredibly happy with Windows 2003 Server. I typically defend Microsoft whenever I get the chance.

    But not when it comes to IE. It is fairly clear to me, and anybody else whose mind is not clouded with zealotry, that IE is the single best attack vector into the average personal computer. Nearly all PC users use IE for a significant portion of the day, and nearly all of those users have no idea that visiting a web site could be dangerous.

    I stopped using IE about 6 months ago when a web page managed to install spyware on my machine. I was fully patched, but it happened anyway. If it weren't for McAfee Antivirus, I never would have known. I've been using FireFox ever since.

    Up until FireFox .8 (or so), IE was the better browser if you ignored security issues. But you can't ignore security issues. And now that FireFox is just as good (and better in many ways) than IE, I can't see any rational reason to continue to use IE.

    So, there you have it. A diehard Microsoft fan dumping IE like a bad habit.

  34. The real problem? by bonaman_24 · · Score: 5, Insightful

    The masses won't change becuase these articles are only read by us techies. Even when it is on CNN.com, it is buried in the technology section; where only techies go anyway. Put it on the front page headlines of CNN or USAToday already...

  35. Perfect Exploit by TheTomcat · · Score: 5, Interesting

    I'd like to get my hands on an exploit that installs Firefox, with the IE theme, and then replaces all desktop and startmenu shortcuts with a pointer to Firefox. Also changes the default browser.

    Anyone know of one? The terms are too generic for a quick google.

    S

  36. Re:At what point... by BobLenon · · Score: 5, Funny

    In terms of software engineering, IE has proved to be quite the extensible piece of software. Look at how many people are out there developing "addons" with little trouble ;)

    That and they are so easy to install.

    --

    /* Lobster Stick To Magnet!*/
  37. The Palm hotsync solution by Dimensio · · Score: 5, Informative

    I just called my boyfriend and asked.

    The solution for Palm hotsync:

    Give the user Administrative-level access.

    Install the Palm software.

    Explicitly grant the user access to the installed Palm files in Program Files (rather than doing it via Group access).

    Remove the user from the Administrators group.

    Voila. Palm hotsync works without Admin rights. The temporary Administrator rights are needed so that the installer can create certain user-specific registry keys. Another way to do it is to install it under an Administrator's account and then export/import the reg keys, but my boyfriend reports that temporarily setting up the user with Admin rights is overall easier.

    --
    STOP MISUSING APOSTROPHES, YOU MORONS!!!
  38. you need a history lesson by dekeji · · Score: 5, Insightful

    To wit -- Here's a little history lesson on why you're wrong. And when Linux starts to get the number and volume of enterprise-level applications that Windows has, these types of history lessons will prove useful. But don't just take the easy way out and say "Yeah Windows sucks" and not try to learn about the mistakes that might just be made again without some perspective.

    UNIX has had a clean and simple separation between administrator and user privileges since the 1970's, and Linux uses the same mechanisms. UNIX and Linux have faced the most formidable opponent trying to break down that barrier over decades: the college student, who can spend hours a day trying to break into university systems. And they did. And UNIX developers fixed the bugs and adapted the security models.

    The people who need a history lesson are Microsoft developers. They just started hacking some time in the 1980's, giving a damn about security or any of the other hard stuff. That kind of ignorance got hardcoded into Windows APIs, libraries, documentation, coding styles, frameworks, and instructional materials. That's why most third party developers for Windows put files all over the place and don't pay any attention to security either.

    It's not surprising Microsoft and Microsoft developers managed to grind out popular GUI apps quickly--they cut corners on all the hard stuff and didn't even know it. The UNIX nerds at the same time were saying "this isn't the right way of doing it": they were looking 10-20 years down the road with the experience they already had, but because they were thinking long-term, Microsoft beat them on time to market and price. That's why Windows, and not UNIX, rules the desktop today. But ignorance and backwards-compatibility issues are catching up with Microsoft, and it seems quite likely to me that their fall is going to be just as spectacular as their rise.