Latest Version of MyDoom Exploits New IE Flaw

techentin writes " CNN Money is reporting a new and improved MyDoom variant which is spread by a hyperlink in email. Clicking the link connects the user to an infected machine, which exploits a recently discovered buffer overflow in Internet Explorer. McAfee has a more detailed description. Is this yet another good reason for running Firefox?" CNET also has a story.

Awww, Microsoft is so sweet

Give Firefox such a big present for their 1.0 release.

Re:Awww, Microsoft is so sweet

I would agree with you, except it seems that IE exploits are found pretty much every day that ends in "y".

Re:Awww, Microsoft is so sweet

[Dr+Caleb]

Release? It wasn't 'released', it 'escaped' . . . ;)

Re:Awww, Microsoft is so sweet

[superpulpsicle]

Despite what mozilla marketing said, the "PR" was the biggest reason why so many weren't ready to try it. Some people said it stood for...

public-release

pre-release

post-ready

potentially-redhot

protected-by-raven

pissed-on-redmond

Re:Awww, Microsoft is so sweet

[Fortran+IV]

Does 'Y' count as a vowel? What about 'W'?

Y can be a vowel or a consonant. W seems to be mainly an expletive, these days.

Re:Awww, Microsoft is so sweet

[Airconditioning]

So there wont be an exploit released Tomorrow? :D

CNN Story

[AKAImBatman]

It's pretty neat how far FireFox is beginning to spread. CNN carried this story on TV just a half-hour ago. They mentioned that FireFox was becoming the most popular alternative to IE. My coworkers (who's job includes watching CNN) came by and asked me why this FireFox thing is better. I told them about tabbed browsing, popup blocking, lack of security issues, and other niceties.

One of the coworkers downloaded FireFox right away. I actually expected him to take a little while to wean off of IE. After I showed him FireFox's features, however, he set FireFox to his default browser and deleted his IE shortcuts! I think we're definitely making headway. :-)

Re:CNN Story

[scribblej]

"Lack of security issues?"

Okay, I'll grant you that FireFox is probably more secure than IE. But to say it lacks security issues is going a little further than I'd go, myself. In fact, I'd be willing to bet you $10 that it has security issues of it's own.

Don't sell your friend a dream. Set his expectations realistically. No software is bulletproof. No software lacks security issues.

Firefox f-ing rocks, no doubt about it. It blows IE out of the water. It probably has far fewer security holes. But to say it "lacks security issues" is naieve.

Don't believe everything you read on slashdot. A lot of these people have an agenda to meet.

Re:CNN Story

[w1r3sp33d]

Now show him http://slackware.com/ and he shall become more powerful than you can possibly imagine.

Re:CNN Story

[AKAImBatman]

I believe I put it as, "lack of security issues like the one pointed out by CNN" as well as "It helps protect against Spyware". It's true that FireFox is not invulnerable (e.g. the download bug), but it's nearly there for most users.

Remember how FireFox handled the download bug? Old copies of the browser would actually be redirected to an auto-update site. Click a button, wait for a few kb download, and voíla! A secure browser. :-)

Re:CNN Story

[That's+Unpossible!]

As a fellow grammar Nazi, let me explain that the person you're responding to meant Firefox lacks security issues COMPARED TO INTERNET EXPLORER.

It's like saying a program lacks features. Obviously you don't mean it has no features -- just that it lacks features, WHEN COMPARED TO ANOTHER PRODUCT.

Re:CNN Story

[Tackhead]

> Will someone puleeese explain what's so great about tabbed browsing? Do I really need another mini window manager inside of my application? And for most Windows users moving away from XP most of the tabbing is already done by the task bar. I like Firefox as much as the next guy. I seriously entertain the idea that I'm missing something here. Something BIG. So tell me.

1) Go to www.BigNewsSiteorFaveBlog.com
2) Decide you want to read 15 of the 30-40 news articles available to you.

Then either:

3-Tabbed) Click on the things that look interesting, and keep clicing on interesting while the 15 news articles load in separate tabs. By the time you've clicked the 15th thing, 10 of the 15 articles have already loaded and been rendered for you in their tabs. Hover the mouse button over an "X", and click once to close the tab without moving. (sweet on a conventional mouse, and really sweet on a touchpad-based laptop!)

or:

3-Untabbed-option-1) Click on the interesting thing. Click "back" (hoping that the stupid marketroids at the website haven't borked "back" on you). Click on the second interesting thing. Wait for the HTTP session to start. Read the article. Click "back" (and wait for the HTTP session to start as the original reloads). Click on the third interesting thing. Wait for... [repeat 15 times].

or: 3-Untabbed-2) Click on the interesting thing in a new window. When window focus changes to the newly-popped-up window, curse, and click on the first browser window. Click on the second interesting thing to pop up the next article in a new window. When window focus changes, curse, and click on the first browser window. [ ... repeat 15 times.]

If you read at the pace of a slug, and/or spend more time scrolling the article because you render all fonts in 24-point Gothic, tabbed browsing offers little advantage, because you spend a lot more time reading and scrolling through the article than you do loading and rendering it.

If you read quickly, and/or cram enough text onto the page to see an entire page with one or two presses of PgDn, the 500-1000 milliseconds of HTTP session initialization, page-loading, and HTML-rendering time is an appreciable fraction of the time you spend reading an article. For CNN articles, we're talking about 5-10 paragraphs of text (5-10K of text, tops) and hundreds of kilobytes of frames, ads, banners, style sheets, and other crap that has to come down the pipe (often requiring multiple HTTP sessions to different websites - DNS lag can also come into play), and that ratio can be significant.

Anything you can do to minimize the amount of time you spend waiting for content relative to reading content is a Good Thing. The larger that ratio of waiting:reading is, the bigger the advantage offered by tabbed browsing.

Re:CNN Story

[Frogbert]

For me personaly the security issues with Firefox have always seemed a lot less dangerious then with those of Internet Explorer. What especialy annoys me about Internet Explorer is its constant ability to be infected with various toolbars and browser hijackers and dialers. These things are automaticaly installed in a lot of cases and, correct me if i'm wrong, firefox doesn't have vunerabilies to the same extent that are as wide spread.

I don't typicaly get these things installed unless it is an automaticaly installing problem however my friends and family all had problems with Internet Explorer getting bogged down with this crap. I know once I install firefox I'll have a lot less crap to clean up when I next fix their computers.

Re:CNN Story

[LuxFX]

Firefox f-ing rocks, no doubt about it. It blows IE out of the water. It probably has far fewer security holes. But to say it "lacks security issues" is naieve.

The last security bug I remember hearing about in Firefox had a working patch to fix the problem very quickly. In fact, it was released by about the time I had finished reading the alert in the first place. Microsoft, on the other hand, takes considerably longer.

It's one thing to admit there are security vulnerabilities in Firefox. There have been, and there will continue to be vulnerabilities discovered in Firefox. But as long as the Firefox community fixes these vulnerabilities as quickly as they have in the past, I don't think it's fair to say that Firefox has security issues.

Microsoft, of course, has both security vulnerabilities and security issues. It becomes an issue when the vulnerabilities aren't dealt with quickly enough.

Semantics, I know.... But there is a crucial difference.

LIES

A bug in IE? I won't believe it till I see i--

In other news...

[simdude585]

Microsoft today announced that it was going to leave IE users to fix their own patches...

teach kids that IE is dangerous

[t_allardyce]

Can they start teaching in school that using IE is like having un-protected sex with 15 donkeys? or would Microsoft complain?

Re:teach kids that IE is dangerous

[Ayaress]

I used a simmilar metaphor (using IE without a firewall is like having unprotected group sex blindfolded was the one I used). One person I told this two actually STOPPED using Mozilla, though, so I tend to stay away from the sex metaphors now.

Wow!

[mindaktiviti]

People still use IE?

big deal

ok so they accidently leave one bug in their browser and everybody jumps all over them. big deal!

A good reason for using Firefox, or ...

[eqkivaro]

users could pull their heads out of their asses and stop clicking on links in SPAM.

Re:A good reason for using Firefox, or ...

[chill]

users could pull their heads out of their asses and stop clicking on links in SPAM.

Bzzzt, wrong answer.

Most viruses come from people you know, since they exploit the address book feature. Most spam comes from people you never heard of.

Thus, it is the links in the e-mail from people you KNOW, not spam, that is the problem.

Re:A good reason for using Firefox, or ...

[aardvarkjoe]

I don't usually get mail from people I know telling me that Paypal has charged my credit card.

Could be a trick

[SlayerofGods]

How do we know the link to the story isn't just a trick to get us infected?

Better the losing side.

[jbrelie]

Let's not be hasty. True, I love Firefox, but IE is a giant honey pot out there for malicious attackers. If too many people switch, they'll start targeting Firefox. As much as I hate to admit it, they WILL find flaws to target.

Re:Better the losing side.

[stefanlasiewski]

they WILL find flaws to target

Sure, but will those flaws in Firefox as serious as the flaws in IE?

It seems like when Microsoft attempted to integrate IE with the OS, IE was allowed access the OS in some very dangerous ways.

For instance, why would earlier versions of IE write files to any directory without asking the User for permission?

ClamAV stopped this 5 hours ago

[jtsoong]

After seeing this posted i checked my pattern files on the mail server.

Happy to see that ClamAV had the pattern files through a cron job 5+hours ago.

If only

[fluxrad]

Man, if only there were some browser we could use instead of IE...

Oh well.

SP2

SP2 not vulnerable... Upgrade or perish.

Scary social engineering

[GQuon]

This isn't about this particular worm, but recently made it though my spam filters and IDS:
----
Re: my bill
From: [from address, probably spoofed]
To: [My adress]

Requested file.

+++ Attachment: No Virus found
+++ [Name of antivirus software] - [website of antivirus software]

bill.zip
-----
The zip contained a pif file with a .rtf ending.

Particularly scary social engineering, since it claims to be from an anti-virus company that I'm actually familiar with.

Microsoft should be praised for IE.

A seemingly infinite number of flaws in a finite piece of code, this is quite an achievement.

Another reason Windows isn't ready for the desktop

[coupland]

I've been running Linux on my main desktop for years, and recently I've really been considering switching to Windows. After all, it's got some cool apps, and while I wouldn't call it "feature complete", I say they've done a good job of implementing many of the best features of Linux and OSX. However it's articles like this that convince me it's still a bit early to switch to Windows.

All told they've made some real inroads in servers, and the desktop experience is improving with each release (the current unstable branch -- AKA "XP" -- has implemented the theme concept long popular in KDE and Gnome!) however I think it's still premature to declare Windows ready for prime time on the desktop.

Install SP2 You Dummies

[lseltzer]

>>Is this yet another good reason for running Firefox?

Or Windows XP SP2, which is not vulnerable.

What kind of imbecil runs XP but not SP2?

Sensationalist /. headlines

[Swamii]

Woopsie! Slashdot forgot to mention the fact that this vulnerability has no effect on XP machines patched with SP2. Way to go Slashdot!

Will microsoft release a knowledge base article

[xutopia]

telling us to stop clicking on hyperlinks?

buffer overflow protection?

[hey]

How can McAfee have a simple checkbox that turns on
buffer overflow protection:
http://vil.nai.com/vil/images/vse80i- bo-config.gif

I mean if my program has a buffer and I want
to overflow it have can they stop it. The screenshot mentions APIs so make it just knows about the Win32 APIs.

McAfee VirusScan

[Vermyndax]

The *real* ironic twist to the story is that newer versions of McAfee VirusScan that Dell has been shipping requires Internet Explorer to be installed... and uses it to run the control center windows.

Now how's that for secure?

I may never, ever figure out the mentality of that decision.

Re:McAfee VirusScan

[donnz]

McAfee is a pox. It has the most useless update facility in the world that seems to rely on hopelessly long downloads of fixes to its own software (even if that particular program is disabled) rather than just updates to its virus databases. Oh, and it also murders the performance of any machine its loaded on. Grrr, McAfee, send your requests for references to me, please.

Yes, I was recently forced back to the Windows world for one mind numbing week.

until someone discovered a bug that redirects...

[slew]

until someone discovered a bug that redirects to a pwn3d auto-update site, click a button wait a few kb download and voila... Yeah that might not happen, but don't think it is out of the range of possibility...

Not as much of a problem though

[einhverfr]

There are a few design flaws in IE that make it a uniquely dangerous program to use to access the internet. These mistakes have, as yet, not been made by the Mozilla team. Perhaps we have learned a few things...

The largest problem (mostly the cause of spyware rather than viruses though) is the issue of ActiveX scripting. Because ActiveX controls are trusted on the basis of vendor signature, and because someone can force an old version to be downloaded and installed, it means that no security patch can protect you against a malicious site scripting against a bug in an ActiveX control signed by a trusted vendor. No security patch can be writte to do this without breaking *every* ActiveX control in the internet.

The second issue is that of security zones. This allows an attacker to exploit any flaws that come with the enforcement of such zones. This is an issue for viruses and spyware alike.

Now, it is possible that a new as yet unimagined sort of attack will eventually be possible against some type of functionality in Mozilla. At least one type has (XUL files spoofing interfaces), but if these become a problem, it is open source, and so you or anyone else can pay for somone to make a version with a different structure. If enough people switch, the process begins over again. But each time, I think we are safer.

SP2 immunity

[jaiyen]

For those who don't RTFA, XP SP2 doesn't appear to be vulnerable.
"Users who have installed Windows XP Service Pack 2 are immune to the programs that use the vulnerability, including the two new variants of the MyDoom virus."

Re:SP2 immunity

[bedessen]

Just playing devil's advocate here, but if there was a security vulnerabilty in an open-source project which affected older versions of the software -- but not the current released/stable version -- then this would be a non-story. "Foo v1.25 has a vulnerability? Well it's the user's fault for not running v1.30 which fixed that bug." But it's Microsoft, so somehow all the laws of software are different....

Re:Software without security issues:

[YOU+LIKEWISE+FAIL+IT]

#include <stdio.h>

int main(){
printf("Hello World!\n");
}

While your assumptions are most likely correct, complacency is the friend of the buffer overflow. Depending on your implementation of the clib, printf, usually considered safe, could possibly be a problem - particularly as it ends up using the locale system and the user settable LC_NUMERIC to determine how to represent numbers, radix, etc.

My favourite printf gotcha however is the seldom used %n conversion character - unlike it's brethren, this one writes data to the pointer in the argument list ( the number of characters printed so far ). This can be used to scribble over various pointers in the arg list and is why you should never, ever allow users to provide format strings to the program without vetting them first.

YLFI

Also: mozilla arent so aggressive

[steve_l]

IE is embedded everywhere in Windows, even when you bring up an HTML dialog box. Add/Remove Programs? DHTML. System Restore? DHTML.

Windows Update? Active-fucking-X. So unless you move http://*.microsoft.com/ into trusted zone (ramped up to medium security), you cannot get security updates without enabling ActiveX download and scripting.

Even in WinXPSP2, there is still that trusted zone that gives unlimited rights. Like download unsigned activeX controls without prompting. There is nobody I'd give that right to, not even myself. Yet they have it.

Plus all the MSN content pushes AX at you. At least Expedia are not that daft; you can shop there with Firefox. But check out a pure MS site
like the channel9 developer site; ActiveX, windows everywhere. No attempt made to evangelise to the rest of us :)