Slashdot Mirror
Extremely Critical IE6/SP2 Exploit Found
Spad writes "Secunia is reporting on three vulnerabilities in IE6 running on XP SP2. Any of these, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user's system. Moreover, the vulnerability can be used to delete files from the user's system. Secunia says 'Solution: Use another product.'"
They've also posted a test site.
No, you click it first.
delete IE?
or maybe install Firefox?
If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison
Hmm... I tried the Secunia site and IE just blocks the activex control, saying it's unsafe.
The jmcardle site gets past IE, but Norton detects it and immediately blocks access. Nothing happens.
Even a fully patched sp2 is in danger. Good news for Firefox fanboys?
One would assume that any vulerability that could run arbitary code would be able to delete files.
We need a worm/virus that deletes everyones files. That would make keeping your computers patched a high priority for most of the users. At the moment, viruses are just something that affects and annoys "other people"
Get your own free personal location tracker
Secunia Advisory: SA12889
Release Date: 2004-10-20
Last Update: 2005-01-07
[...]
2005-01-07: Increased rating. Added link to test. Updated "Description" and "Solution" sections
OH MY GOD, THEY INCREASED THE RATING OF A THREE MONTH OLD BUG!!!! THIS IS TOTALLY FRONT-PAGE NEWS AND NOT AT ALL FLAMEBAIT!!!!
...Also, I didn't know Buggalo could fly.
Well, you've been lucky, one of these days you are going to run afoul of one of the more dangerous internets.
It was mandatory for us to switch to Mozilla. Problem is all our financial vendors make use of Active-X.
Result: Now we use Mozilla for casual browsing and use insecure products only when conducting important business!
I use Mozilla. I tried that test link, nothing at all happens. I have SP2 installed and all configured proper - except IE, which I didn't bother to touch at all since installation. I figured, hey, I've got an 'untouched' copy of IE here. I open it, I go to the test site, I click that link: WHOA. Holy crap. Help document pops up, and then (the scary part) a command prompt flicks open, does SOMETHING, and then a new window is up. Yikes. I guess some part of me always hoped these exploits were exaggerated in their swiftness and ability to bypass your input.
/hug ibook
We'll all be lucky, because IE won't be updated to handle the newer internets until many years later. ;)
it's an IE feature.
Isn't it possible that this could be used to download and execute files from predetermined locations on the 'Web - I.E. CoolWebSearch hijackers?
.hlp files like it used to be? I don't recall any security issues with those.
Secondly, why in the HELL is anyone using HTML files for help documents? Why not just put it into
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
Solution: Use another product. At least that is what their site said. They also mention workarounds, but that would imply that I have to work... hmmm, no I'll accept the risk and reimage the machines who are affected.
Pardon the technical terminology
With Safari 1.2.4 (v125.12), I get a "Safari cannot find the Internet plug-in." error dialog and then the beachball of death. Joy. Well, at least it's not opening the terminal.
I have made my own little extreme sport out of it. I fill my old box with all of my financial information, and surf around using IE. I think Microsoft is pretty impressed, because they keep sending me boxes of Viagra and dog crap.
http://secunia.com/internet_explorer_command_execu tion_vulnerability_test/
is a test page containing a link if you left click on it and a window opens your vulnerable (it didn't do anything in Firefox)
Blarney Quality Restaurant, Plants
I believe I'm safe. On one of them, eTrust Antivirus picks up on them. And on one of them, it doesn't write that folder to my drive. But then again, I think I have some stuff disabled.
Oh, and concerning that spyware/adware program Microsoft came out with lately. Ever wonder why it outperforms other programs?
#!/microsoft/bash
After today's pro-Microsoft articles, its about time we got back to bashing!
Yeah, well, I guess corporate IT depts are probably struggling with mgmt to implement company-wide changeovers, especially for all those companies that are Microstooges and have big service and standardization contracts, yadda yadda yadda. But for all you individuals out there who aren't experiencing the Browsing Bliss that is Firefox, preferring IE to downloading a small file and doing a simple install, well, I don't pity you any more than anyone who walks into a dynamite factory and says, "Man, it's dark, anyone got a match?"
Chr0m0Dr0m!C
You know what? I'll just stop using the internet. I'll just .................
What's scary is that page doesn't even detail what the test will do on your machine! Clicking the link is risky enough even if you did know what it was going to do (ie. how do you know their server hasn't been compromised and the test altered).
All it says is "The test requires that you have Windows installed in 'c:/windows/'." Uh... Why? is it actually doing something in there? Does it just need to access cmd.exe?
Click at your own risk, indeed. I suggest running it on a machine that you plan to reformat or under an emulator like VPC.
although it requires a bit of messing around. IE - Tools - Options - Security.
select Internet Zone; click Custom Level; set just about everything to Disable or Prompt.
select Trusted Sites; click Sites; remove https requirement (because the use of https is no guarantee of safety). Then go to Custom Level, then set some items to Prompt, most to Enable.
This way, anything that isn't in your Trusted Sites list can't get up to any substantial shenanigans. When a page doesn't work, add the site to the Trusted Sites list.
Then, even if the page is one that attempts to initiate a cascade of pr0n sites that only open more up each time you close one, it may be able to open the first level of the cascade, but unless the cascaded ones are also on your Trusted list that's where the cascade will stop.
Some pages redirect you to another site; some have frames on different sites and so on, and this can get a bit tedious, but for the most part this makes IE6 invulnerable to Secunia's tests.
Also I only use IE for secondary browsing, where something REALLY won't work in Firefox, which is also protected by Proxomitron.
Yeah, similar thing here - I use either Mozilla or Firefox at work and at home for pretty much everything, but the company timesheet site and internal website (including things like the phonelist) refuse to work under anything other than IE.
Good work guys, it wouldn't have taken any more than a couple of days to figure out how to get your frigging menubar to work in a way that didn't require the security equivalent of a gigantic Swiss Cheese.
I use Sophos Anti-virus - and it alerts on the cached copy of the test page as containing a virus/exploit EXP/Phel-A:
. html/
http://www.sophos.com/virusinfo/analyses/expphela
EXP/Phel-A detects files that exploit the HTML Help Control Vulnerability which affects systems installed with Microsoft Windows XP Service Pack 2.
This vulnerability allows arbitrary code execution on the vulnerable system by bypassing security constraints established by the operating system.
Scientists have determined that water is wet.
As for the internet, let's be serious. Anyone who, since 1995 (when ActiveX was introduced), has used MSIE on the internet, is just plan stupid, and has never had a reasonable expectation of either security or privacy. This has literally been known for nearly a decade now. "Fool me once, shame on you. Fool me 621498 times, shame on me."
in the article up there...
a tion: C:\Documents and Settings\User\Local Settings\Temporary Internet
the link to
http://www.jmcardle.com/?postid=77
is a VERY BAD PUPPY. tried to crack my browser's head.
Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Bloodhound.Exploit.21
File: C:\Documents and Settings\User\Local Settings\Temporary Internet
Files\Content.IE5\41AJW52F\jmcardle[1].htm
Loc
Files\Content.IE5\41AJW52F
Computer: MYPC
User: User
Action taken: Clean failed : Quarantine failed : Access denied
Date found: 9 ianuarie 2005 12:45:25
Damn, another IE only website. It just shows that OSS doesn't have an alternative to IE.
The vuln seems to explout a .hlp file, I thought that was posted earlier?
... I heard of an IE/Windows vulnerability, I'd be as rich as Bill Gates.
Are you saying the exploit doesn't work? Certainly seems to for many posters here.
And neither does anything else!
What does this information got to do with the bugs he found on Internet Explorer? You know, even if you dig up his mother's name it wouldn't change the fact that he actually found some serious flaws in IE SP2.
I'm a Windows guy, and generally I think MS does good work (please no retarded flames on this I won't respond). However IE is just not worth using as a web browser these days. I have switched to Firefox, switched all lab systems I control, and recommend to everyone that they switch. It is just as fast, in my experience, has support for more of the W3 standards, and is more customizable. The only area it falls behind in it rendering broken code, and that's rare enough it's not a big deal.
The security issues are another consideration as well. Active X controls in a webpage were a nice idea, as a way to add neat funtionality, however it simply opens up the possibility of too many exploits. It's not a matter of doing better checking of code or such, it's just too much power for a website to have.
So, even liking MS generally, I have to recommend against IE. Firefox is currently better in all the ways that really matter.
Also, I've noticed some people mention online banking as a problem. Bank of America works fully with Firefox and has generally been a deceant bank. Though I imagine if Firefox grows much more banks will have little choice but to support it.
...does it run on Linux?
"Derp de derp."
Mod parent down. It's a troll.
Moreover, the vulnerability can be used to delete files from the user's system
Maybe someone can write a worm that will exploit this "feature" that will delete IE for the user.
I'm running XPSP1 with all critical updates installed. To get the exploit to run with IE on my computer I have to manually change the security level to low, allow an unsigned ActiveX control to run when it warns me I shouldn't, and confirm the overwriting of files. What the hell did Microsoft do in SP2 to make it vunerable?
I use firefox to begin with only because it is as close to W3C standards as you can get now a days. IE6 like all the IE products released by Microsoft have had these problems with security. I have been using Linux (9 years) and Mac OS X( 3 years) and unfortunately because of my job and school had to use Microsoft. If anyone is surprised about this they should wake up. More people need to complain to Microsoft because as a business they will continue to slack unless consumers put them in there place.
Speaking about consumers my girlfriend and all her friends are not computer savvy all of them refused to delete IE and use firefox. [Note: 2 months got gf to switch from IE to firefox! Next step Linux...]. So telling people to use another product lets be realistic the majority of people that use MS and not computer savvy tell them to change is like pulling teeth.
Mostly due to inertia. Some jsut don't know about Firefox (remember Joe Avverage doesn't read /.) however many don't want to switch. We've had this fight at work with Firefox and Thunderbird vs Netscape/IE and Eudora. Used to be (like 5+ years ago) that Eudora was the recommended e-mail client. Not the case anymore, Eudora bites, IMO, and the new versions cost money or have ads, so the people are using v3. Users got to choose their own browser so it's split between IE and Netscape 4.
Well, all computers accounts are being upgraded, and most computers are being replaced, so this is a perfect time to switch. I mean why wouldn't you? The tech staff does all the setup, will answer any questions, and the programs are better. Well, there are a number of people that are just set in their ways and refuse to change. No good reason is given. Basically, they don't wnat anything to change.
For that matter we've had to force computer upgrades on come people. I mean most people would love to get a faster computer, however some are so set in their ways they don't want to change. We are forcing the issue on anyone with an NT4 or Solaris 8 computer and some of them are NOT happy.
It seems inconcevable to geeks, that ALWAYS want somethign faster, better, newer, but it's more common than you might think.
We keep hearing of new exploits, of new security vulnerablities in XP at least twice a week and at least 10 times more often than we hear about Linux.
But I just haven't seen a single vulnerablity report about Windows Server 2003. Maybe I missed them. Maybe the system is so little known that people don't use it and don't find bugs. Maybe the cases are swept under the carpet too fast... and maybe the system is just secure?
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
I am using XP with no service pack and still on IE ver: 6.0.2600.0000.xpclient.010817-1148 and the exploit did not work... :-/
:-(
boohoo for me
I'm a freelance PC repairman and get calls from average Joes running Windows machines. I'm devastated to see that regular users have given up. They are too tired to keep up with these security issues and have literally given up. They just let trojans invade their computers and have accepted the fact that it is just 'normal'.
Hey can someone please tell me how I can find out where my windows is installed? It says here http://secunia.com/internet_explorer_command_execu tion_vulnerability_test
that windows needs to be installed in c:\windows\ for their test exploit to work 'properly'
Computer specs: iBook g3 800mhz...
I hope that helps a little
Thanks for the description.And that is exactly what I'd like to know.
In that case, you'll have to use the honour-system, and manually delete some stuff, and maybe write some arbitrary files.
Thanks in advance.
It looks like SP2 was just the usual patch-collection and the crackers just needed a little bit time to adapt to it.
Ah... even scarier than I imagined
I know, i tried it. ;) Wine/IE6. Oh am I disappointed or what...
I just clicked the link and it downloaded the EXP/Phel-A virus (only when I use IE, not Firefox). Sophos Anti-Virus picked it up and gives this advisory.
If Sophos isn't mistaken, the Secunia site is infecting visitors with viruses?!
"It's not your information. It's information about you" - John Ford, Vice President, Equifax
you're so clever. no one ever thought of such a witticism.
try this: why did the chicken cross the road? to get to the other side!!! hahahha!!! now i'm just as clever as you.
P.S. you're a faggot
FYI I pretty much never use IE so everything is on default setting.
is to disable ActiveX
Well, I moved Windows from D:\Windows to C:\Windows, and it is indeed a critical error - now my machine won't even boot!
Dear editors,
You are doing us all a dis-service. Surely there were more interesting posts than an minor update to a 3 month old bug report. If people want this kind of trivia then let them subscribe to a security alert service. Why don't you limit these stories to say a once a week bug round-up listed by O/S and vendor. Posting it as front page news is way to nerdy and troll like, even for me.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
There was nothing going on today, and we're quite bored. This was our only form of entertainment, and it has served us well. Please continue to post on this thread, as we laugh while playing you with our marionette. /. editors
/* No Comment */
Mozilla and Firefox flaws exposed
"The most serious flaw involves a buffer overflow bug in the way Mozilla processes the NNTP (news) protocol. The bug creates a means for hackers inject hostile code into vulnerable systems, providing they trick users into executing maliciously constructed news server links"
Of course half the problem with these kinds of 'update your software now' fixes is that so many people dont, even when its a no brain operation like using windows update.
And this is why I use Firefox.
They only care about criticizing Microsoft.
Note to zealots: if a Linux distro provided even half the usabilty (I.E. end user friendliness) of 98, much less XP, then I'd use it daily and install it on the computers of everyone I know. Unfortunately none of them do. So stop whining about "M$" and get your own shit in order. As it is you're already about a decade behind.
http://www.starnix.com/banks-n-browsers.html VERY comprehensive list of banks who will work with Linux -- which is basically the same thing. If you're browser agnostic, the OS shouldn't be a deal.
...this unpatched XP laptop is not vulernable to the exploit.
Guess it isn't as extremely critical as they say.
I am very small, utmostly microscopic.
they are a bunch of asshats
I had a similar issue at work. Happily, setting ffox up with the IE icon left many who didn't realize that a change had been made (they've just assumed it's an upgrade)
a working exploit on a fully patched system capable of deleting files on your system is news, even if, or rather because it is appearantly three months old. The fact that it sheds a bad light on a Microsoft product is, IMO, well deserved.
I have McAfee virusscan 9.0 installed.
Clicking the test link with IE proved that my system is vulnerable (if using IE, which I'm not, ofcourse). I had expected McAfee to block this web page, but it didn't. So I went to the internet security options panel in IE, and disabled all ActiveX controls.
But lo and behold, McAfee virusscan stopped working!
All their dialogs and panels seem te be using IE's HTML engine for display, and all I get now is first an error "your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly" and then an empty window when trying to access any of McAfee's information or settings dialogs!!
What a load of crap. I will send them a complaint, and remove their product from my computer right now, to replace it with a good, free virusscanner. Any recommendations? Thanks.
What moron modded this flamebait? The parent makes an excellent point. The average person is still worried about viruses and attacks that damage a computer. He worries a virus could delete his Quicken files, but thinks it's safe to send his PIN to his bank's site because the little padlock appears.
Users need to be educated that real damage happens when their data are read by someone else, like phishing, datamining, and whatnot. Simple data loss can easily happen without malice.
Troll? How is this a troll? At worst, I would say it's a poor joke. Mind you, I laughed. So, to the mods of /., take the broomstick out of your rectum and laugh at funny jokes.
Dear editors,
I am glad I have provided some entertainment on a slow day. Now could you please return the favour.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Seems like there are still some idiots out there who continue to use Internet Explorer to browse the web. Well, being dumb doesn't hurt but perhaps this hurts... Fortunately humans have the ability to learn from their mistakes...
Plugins pretty much bust the browsers sandbox model. If I was a cracker that's what I'd be concentrating on, writing rogue plugins or trying to break the current ones. Plugins probably have the security as the lowest priority, expecially the spyware ones.
It downloads a malicious file to your IE cache. Unless you execute binaries in your cache often, I wouldn't worry about it.
Well, that really should only concern you if you have users on your computer that you don't fully trust. Internet Explorer, on the other hand, is used by 90% of the population, and can be exploited by almost any website. Which is worse, I wonder?
Absurd! What will do you when a new exploit appears that your Sophos antivirus doesn't detect yet?
:-)
Let me tell you: you will be screwed.
Switch browsers immediately!
In case anyone missed this, it was reported to Microsoft on 2004-10-13.
Three months later, no sign of a patch.
v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
In other news eating dog shit can make you ill..
This comment does not represent the views or opinions of the user.
creating a non-admin user for web browsing This assumes that there are no local exploits to promote users to superusers. It is a much better idea to use a secure product, rather than hoping that there are no security vulnerabilities in the Windows kernel.
I'll probably be modded down for this...
...(reported to Microsoft on 2004-10-13).
That's almost whole 3 months. And since then no vendor patch for such a critical bug found in a major product. Not even a warning or anything. That must be the service that any microsoft software user would expect. Wondering if this is a promotion campaign for their new virus and spyware tools.
This bug and some recent others again proved that Microsoft embedded Internet Explorer in such a way that you can't distinguish it from Windows Explorer.
Been surfing enough porn to come up with his own solution to this mighty problem. :)
The source code for the exploit is all there. Use view-source.
I'll probably be modded down for this...
AVG Antivirus.
Ignoring the obvious biases, I would like to point out that IE/Windows is the only product combination that gets put through this kind of scrutiny with respect to security. The software has, and likely will always have, new bugs / exploits to be discovered, mocked, and patched. Other browsers / OSs will inevitably contain bugs / exploits as well, but the chance that they will undergo this kind of public scrutiny and rapid distribution of a fix is nill.
Anyone else think this came just in time to remind those who got too smug regarding the recent linux local exploit? ;)
I think the main difference is if you run version 1 of Firefox you aren't affected at all. It is also extremely difficult to exploit this bug, if you, indeed, can. This IE vulnerability, on the other hand, is valid on a fully patched system, and easily exploitable.
The other hole, by the way, doesn't work so well if you've resized your download window (since Firefox keeps the old download window size and position) at any time, or you have a different theme installed.
I think this is just a case of "RTFA", though you're the one who supplied the article.
There was an article about those flaws.
which only one was nearly as dangerous as this but was fixed in the current mozilla, firefox versions.
while (!asleep()) sheep++
> The only area it falls behind in it rendering broken code, and that's rare enough it's not a big deal.
In fact, rendering broken code is bad. If no browser rendered broken pages, all pages would be correctly built, and all browsers rendering engines would be 50% smaller and more efficient.
Secunia says 'Solution: Use another product.'"
:-/ Otherwise it'd be scary to use XP for gaming...
Sometimes these exploits can target you even if you don't use IE due to the integration. Hopefully not the case here.
Beware: In C++, your friends can see your privates!
what a surprise?
that's ok. they're not needed to complete the creators' newclear powered (this stuff is unbreakable, & wwworks on several (more than 3) dimensions) planet/population rescue initiative/mandate.
what is alarming/dismaying, is the length of time that we've allowed the nazi execrable, aka, the walking dead, to increase the panet/populations' crisis mode, by continued glowbull warmongering. it certainly would appear to have the creators peaced off? lookout bullow.
take heed. consult with/trust in yOUR creators, disempowering (usually with yOUR help/cooperation) unprecedented evile since/until forever. see you there?
I agree with what you're trying to say, but why do you think Antivirus or firewalls or anytispyware would be helpful to a security exploit since:
a) this isn't a virus
b) this is using port 80 (i.e. http)
c) this isn't spyware.
I think you're trying to say "I have every bit of security I can think of installed, and still, its trivial to get past every defense".
At least I *hope* that's what you meant.
Take my younger 18 year old brother for instance. He's hooked into Internet Explorer and MSN like a Great White on a bloody fishing line... no matter how many trojans he seems to pick up - the last one was very nasty, lots of random .exe's dotted around his system - he still won't change. I say "You shouldn't have to reinstall XP every 2 months", he says "I like a clean system!". Talk about banging your fucking head against a brick wall
...Telnet from a CMD.EXE prompt, since even HyperTerminal has vulnerabilities and most of the alternative products are communists (although maybe that's just how Bill pronounces "communities").
If you want to poke fun at the whole idea, buy one of these (buttons coming when I can figure out what to fit in a 2.25" circle).
Got time? Spend some of it coding or testing
I'd mod that up if I could. AVG rocks. No bloat. Also you might want to try clamwin, but AVG is better imo.
--
The last digit of pi is four.
I am sorry that I cannot reccomend any free virus scanners. The *only* virus scanner that I ever reccomend to anyone now is TrendMicro. After working with it for a while now, I almost refuse to fix problems with McAfee and Norton. Both of them drastically slow down a computer, and both of them miss viruses that TM finds regularly.
If you'd like to see it in action, go to Trendmicro.com/download and click on "Damage Cleanup Engine", download "sysclean", then go back and click on "Virus Pattern File" and download the latest (currently lpt335.zip). Unzip this into the same directory as sysclean and run it.
This solution won't stay in memory and scan everything that accesses your computer or HDD, but it will find viruses if you have any.
~Will
sig?
He's not an MSCE yet. He failed TCP/IP - he's not even bipedal!
It would be cool if it didn't suck.
http://free-av.com/n _home.html
http://www.avast.com/eng/dow
I just e-mailed Steve Jobs basically the same thing about the Safari Browser. If Apple ever hopes to make it into the enterprise, they're going to have to include at least equivalent functionality for developers to, er, exploit.
It's not offtopic, dumbass. It's orthogonal.
I just tested on IE6 SP1 which hasn't been patched for a year or so and the DEFAULT SECURITY SETTINGS prevented the exploit from running. Microsoft wins, moronic linux zealots who have no idea what they're talking about lose. Really, are you going to fault a company for the default security settings, the settings which most people have set, for WORKING PROPERLY?
Alwil Avast antivirus http://www.avast.com - I've been using the free version for about a year now, and decided to start buying there Professional version it is that good! avast! 4 Revision History: http://www.avast.com/eng/av4_revision_history.html
/. is good for you.
IE exploits were changed from "Critical" to "Extremely Critical" after those exploits discovered in Linux's kernel just the other day.
Not everyone likes onions - Now a parfait, now were talking. everyone likes parfaits!
OK, I can see the exploit being news, but essentially nothing has changed since it was reported on 2004-10-13 other than some updates to the description and a new ranking of 'extreme'.
What's really funny is I warned a vendor last year that security issues related to IE were going to be an ongoing problem and they should look at moving away from the IE only application they were providing. They told me, less than politely, that IE was the number one browser in the world and I could basically STFU.
Sure glad I saved those emails....
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
I'd combined those two some time ago to make pinwheel of death. Hadn't thought about it in terms of a beachball before...
creation science book
Secunia says 'Solution: Use another product.'
:)
It seems like everyone is on the "Switch to Firefox" (I realize they didn't specifically name Firefox) bandwagon. Which I cannot be wholly sure if I like? Blind allegience to what happens to be my favorite doesn't make me any happier because the real goal is to educate.
If everyone mass-switched I fear it will belittle the point. I believe people need to SEE why they should do something, not just do it blindly. If it takes for them to be affected seriously, so be it.
i.e. You never truly understand the power or usefulness of saving every few lines of code until it saves you.
When modding "Informative", please make sure it both has a source and IS actually informative.
I use Firefox or Mozilla and am in the process of weaning myself off of Windows... but am I wrong in noticing that a certain amount of open-source propaganda has found its way into these security advisories?
I've decided to try Anti-Vir (free-av.com) for a while, I heard good comments from other people too about this one. At least it seems to work fine with thunderbird too.
But the main point of my original comment was that McAfee decided to use Internet Explorer itself, one of the main sources of leaks and infections, as part of their own anti-virus product!
This must be the result of someone having some serious brain damage over at McAfee's.
Lucky me that I use firefox, and just got IE out to try out that test. And don't give me stuff about "turn off activeX" or some bs like that. The point is, how many non-tech savvie people think they're safe because they've done what we told them to do and kept their computers patched?
Warning: Opinions known to be heavily biased.
As you can read in my comment below about McAfee Virusscan 9.0, disabling activex in internet explorer breaks every settings and information panel of that virus scanner.
Great. A virus scanner that contains IE.
(I deinstalled McAfee an hour ago).
Only if your default is to not have SP2 installed. RTFA.
Since Microsoft recommended everyone upgrade to SP2, and since SP2 INTRODUCED the vulnerability, I'd say your system isn't "default", and most people, by default, are vulnerable.
"Linux zealots", indeed.
Kythe
The code for the web page is designed to specifically target Windows XP SP2. The code modification required to make it target multiple versions of Windows is trivial.
This reaffirms the adage that no software is "absolutely" secure/bugfree - just relatively better/worse than other software. Pick the one you feel is more secure. Both Firefox/IE-SP2 will have flaws.
Btw, I must admit that I use Firefox as my primary browser and this did not affect me.
I don't think something can be "extremely critical." That's like calling something "very unique."
LOL. Assuming they don't live under the bridge, I think someone jumped to conclusions. That never happens on Slashdot thank god. <grin>
Your use of Proxomitron caught me attention. I use it regularly at work. (Probably typical scenario: developers use Firefox for regular use, but company mandates IE, so we target for IE... slowly getting all developers to `test` in Firefox too.) The log window has helped the team debug some odd session issue. There seem to be some good Linux progs to do the same thing, but I haven't found a Windows program that holds a candle to Proxomitron. Real gem. Did the programmer ever release the source?
What's the user-agent stats for views of this news item?
:)
If I'm not mistaken, not long ago, IE was still the browser of choice for slashdotters....
(submitted using Firefox
Or just use Maxthon, which adds tabbed browsing popup blocking etc to IE. And I tried the vulnerability test with Maxthon and wasn't vulnerable. See, you don't have to use Firefox, you can stick with IE and just get Maxthon. Microsoft all the way!
AVG Personal Edition
DJ kRYPT's Free MP3s!
With all these exploits and viruses/worms out in the wild, would it be practical to provide computer insurance?
user@host$ diff
The flaws posted on Firefox/Thunderbird are, and have been, fixed in the current versions. Those flaws only affect the non-1.0 versions of both pieces of software.
Now, knowing that one could say "Well why on earth was that a big deal then if its already fixed?". The answer is a lot of businesses tend to stick to something they know works. Which means they sadly tend to not update as often.
So, it was a recent enough flaw that, despite having already been fixed, needed to be made known. All that said, a lot of the articles on the flaw were misleading because few clearly mentioned that if you had the latest version, you didn't have that problem.
As for IE, its real problems these days are:
1) ActiveX
2) Integration with OS opens up too many potential pitfalls
That's it really in terms of security. And, as has grown increasingly obvious over the last few years, this isn't a problem that is going away despite this endless patching. Until MS comes up with a new and viable alternative to activex, and until they seperate the browser out from the operating system, they will never be able to truly secure IE.
Is anything ever perfectly secure? No, everything has some sort of flaw somewhere that has any level of complexity to it. But, as in the case of many alternative browsers, you can make them secure enough so that any secondary watchdog programs(spyware catchers, anti-virus, etc) can nail anything that slips through the cracks.
You are who you are, let no one tell you different. But, never close your mind to a new point of view.
Try AVAst - it has free "home" version for home/uncomercial use. Free version goes without some advanced stuff (like vorking with MS Active Directory, reporting etc.) suitable mostly in networks of installations not single computer. AVAst interface is a bit ugly (but can be skinned), but at least it does not depend on retarded mshtml.dll controls. And it's detection engine is one of fastest (I cannot remember article with test right know, just belive me :))...
http://www.avast.com/eng/down_home.html
Then watch as people bitch (or sue!) because IE-specific ActiveX apps such as Windows Update and CartoonNetwork.com's Kids Next Door: Operation BEST stop working. I'll take an educated guess that at this point, it'd be too much of a pain for Cartoon Network developers to reprogram a 3D game such as Operation BEST to 1. be written in Java rather than C++ and 2. work with Java 3D's scene graph model rather than the Direct3D model that the current client uses.
Someone modify the white-hat code into some other white-hat code...except instead of just doing a mkdir or opening IE, show a typical joe-blow user exactly how dangerous this really is. I don't know how... perhaps display a dialog box that says something to the effect of:
And have the program put a Firefox link on the user's desktop.
Now I realize that this may make some people cringe: "But you're making people think that Firefox users are hackers!" The idea is not to send anyone the link to this quasi-malicious page. The idea is to put a link to it in your AIM/Yahoo! Messenger/forum sig/etc. Show it to friends. Word of mouth is incredibly powerful, as you may know.
IWARS.
People, in general, disappoint me. Politicians even more so.
Microsoft already indicated they will release 3 extremely critical bug fixes on Tuesday.
And now we have 3 extremely critical vulnurabilities that were told to Microsoft months ago announced today.
I personally find it despicable that Secunia felt they needed to release this info before the path comes out Tuesday. They expose a lot of people to potential attacks just to get a little press.
The linux exploits posted a few days ago are just as critical, seems like the editor just wanted to lash out at MS after linux getting some flaws. What is this, gamefaqs?
Didn't think that was rocket science.
I can easily see why you would be concerned about ActiveX in your browser. But why do you need to switch browsers to alleviate those concerns when you can just switch off ActiveX in IE instead?
Jeez. People are so quick to jump on IE for being insecure... The workaround for this "critical" flaw is to a) disable drag and drop in the browser, or b) up your security level. More features == More insecure. Duh.
I'll keep using IE, just the same.
And if you route your direct deposit to them
I make most of my money from doing odd jobs for individuals or contract jobs for small businesses. If they write me checks, I can't deposit them in any ATM in town. How can I get people who typically write me checks to set up direct deposit?
This exploit uses the the following file: c:/windows/help/ntshared.chm. Maybe a quick solution would be to delete or rename this file?
http://saveie6.com/
Same here. Scary shit.
Many slashdotters reading this at work could have their jobs on the line or could infect their pcs.
I think emailing cmdtaco and perhaps puting an update on this story saying the site will upload a virus to your system might not be a bad idea too. After all slashdot could be sued as a result.
Nasty stuff.
http://saveie6.com/
There was another advisory about a month ago mentioned here on slashdot with hijacking someone visiting a site using activeX.
my guess is a cracker saw this story on slashdot and is hijacking the communication with the activeX controls with the virus.
This bug should have been fixed already.
http://saveie6.com/
http://shit.slashdot.org/article.pl?sid=05/01/09/0 737248
Please let us know.
http://www.people.virginia.edu/~pg8p/
It downloads firefox, and begins the installation -- that's it.
I could've very easily move iexplore.exe and adjusted icons and everything, but let's play this the white hat way. Enjoy amigos!
yeah, but who wants to waste a mod point on an AC? It's not like his karma was damaged or anything.
Why are people so histerical and scared of using free software ?
Because they have kids who play PC video games, and there aren't nearly as many free A-level PC video games as proprietary A-level PC video games.
It's either critical or it isn't. "Extremely" is redundant.
That's pretty amusing. A virus scanner that relies on a component that may be a vector for viruses and trojans, and a known vector for spyware.
Embedding IE is simple for the programmer, but the security settings are so confusing for the user that it's possible to inadvertantly tighten security too much for local applications, which causes the errors that you speak of. After the existence of security holes themselves, I think the next worst part about IE is its incredibly confusing set of security settings, especially on the Group Policy side. It's difficult to secure something when you don't understand how its security works.
For a good virus scanner -- my best suggestion would be to bootup on a Helix Linux LiveCD and scan it using clamav.
/dev/hda1/; clamscan /dev/hda1/*
open a terminal:
sudo su; mount
Symantec AntirVirus Corp edition caught this no problem. Symantec had this one taken care of since Dec 25th.
Bloodhound.Exploit.21 is a heuristic detection for files that have been designed to exploit the Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability (BID 11467). The vulnerability is still unpatched by Microsoft as of December 25, 2004.
ActiveX is the only real thing keeping anyone intelligent using IE *at all*! And let's face it, only someone who knows what they're doing even knows *how* to disable ActiveX.
Because some essential but stupidly-designed sites refuse to work without ActiveX.
So if you're going to run a browser that won't work with some sites, why not just switch to another browser altogether?
There has to be a way to prevent things like buffer overflows and stack protection.
Yes. It's called Java technology, and it does so without any sort of digital restrictions management. However, the Firefox team still wants to target machines that are too slow or have too little RAM to run Java programs effectively.
There is also a Windows wrapper for ClamAV called ClamWin over at SourceForge:
http://sourceforge.net/projects/clamwin/
Which has recently been renamed AVG Free Edition
The ______ Agenda
It might be in your bochs. If it works on OS/2, it's got to work for you!
Don't forget to save an image before you blow it up.
Friends don't help friends install M$ junk.
The real issue, as I see it, isn't that Internet Explorer is fundamentally flawed. The problem is the way that Microsoft installs the thing by default. The security zones and options give you a lot of flexibility, and allow you to take advantage of ActiveX controls but that should obviously only be done on sites that you explicitly trust.
The default configuration for IE should be that the Trusted Sites zone should be setup like the Internet zone is now; the Internet zone should not have ActiveX enabled in any form, and scripting should be limited. Any site accessed by IP address and not a domain name should be automatically considered to be in the Restricted zone where everything is disabled. No changes to IE itself, just how the security settings are configured by default, and you'd have 99% of these types of exploits go away. If a user wants to access a site that has all sorts of ActiveX scripting and so forth, then they can decide if they want to add it to the list of trusted sites.
Why Microsoft refuses to do this, I have no idea.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." --Albert Einstein
http://www.securityfocus.com/bid/12186/discussion/ :
n /advance.mspx/. No explicit details have been posted, obviously to prevent script kiddies from taking advantage of the vulnerabilities.
"Microsoft has released advanced notification that they will be releasing three security bulletins for Windows on January 11th, 2005. The vendor has not enumerated how many vulnerabilities will be addressed by these security bulletins, nor what specific components or platforms may be affected."
Microsoft itself has announced this as well: http://www.microsoft.com/technet/security/bulleti
If you're concerned about the time for these vulnerabilities to be addressed, remember that the SMB vulnerability in Linux was not patched for over three months. Patches take time, particularly when faced with a huge user base (something Linux developers need not worry about) and a huge existing software base (again, something Linux developers need not worry about).
Microsoft takes security very seriously. Come on, patching IE is against their needs. Their entering the AV and AS market!
eKlode your senses.
Even better, what will he do when someone modifies the exploit so that Sophos misses it? I assume Sophos only sees the original HTML, not every intermediate call to e.g. eval(), so it should be easy.
The shareholder is always right.
to me always implied deltree /y c:\*.*, so deleting files is nothing new, we are just lucky that most computer vandals are not complete computer anarchists.
Oh well, what the hell...
Just when I switched back to IE after learning the 3 new mozilla vulnerabilities... *cries*
I keep telling freinds and family about the danger of MSIE use , Do they listen ? no. Ive wasted Countless hours fixing peoples systems and clearing out mounds of malware,Straight after i give them a little talk about why they should only use MSIE when They have no other choice(Win update or some sites). I go into depth about why its a Simply a bad idea Do they listen... No. So i continue waisting many many hours of my life sorting out peoples PC's Whats worse is these people have children And the kids see the parents using the software and slowly they become addicted to using it, weening them onto firefox gum is tricky they dont want all the benifits(plus some) with non of the major risks I go into depth about the many pc health risks such as Impotent conections and High bug presure 'Its time to think of the children MSIE may make you look big and cool but lets not give in to peer presure. Remember people if you want your conection to live to see your grandchildren on your messenger service and not have your zombie windows pc corpse choking at the first sign of a animated gif Well i better stop my rant on doing things that are bad for your health*Lights up a cigar , and downs a beer* Ahh now thats good hipocracy
I have a SP1 system with whatever ie version comes with it with only the default settings in it and I couldn't run the active x things at all because if the *deafault* security settings
I do use FF though so I'm just peachy
To prevent it from spewing rotten eggs all over the neighbourhood ? Hmm, I'd really have to think about that.
In Soviet America the banks rob you!
possibility?
-The Royal Jugglist
Be nice to maybe build a mozilla install using something like WinInstall LE, and when someone browses to your malicious (?) website, install mozilla and remove IE, since they're not smart enough to have a secured browser anyway!..
Making the web a safer place!
Solution:
Use another product.
This solves a lot of problems.
Just like I don't care if my food has rat droppings in it, or my air has chlorine and mercury vapor in it. I mean, a person's health, a company's finances -- these things just aren't important enough to worry about.
HOLY FUCK, DUDE! FINANCIAL VENDOR?!?! Just how much borderline criminal-irresponsibility do people have to put up with, before they get the idea to .. oh, I don't know .. CHANGE VENDORS?! Your vendor has basically said that as a term of doing business with you, they need to have the ability to run arbitrary code on your system, have access to all your files, and have the power to destroy anything on your machine. You financial vendor says they won't do business with you, unless you give them the ability to flash your computer's BIOS. They won't do business with you, unless you give them the ability to read all your stored emails, and send email from your machines.
Sane?
So um .. perchance could you please share the name of your company? I need to make sure their stock isn't in my mutual fund, since this company obviously isn't in the business of making profit.
...except that you're not.
There has been a vulnerability, but it was never an exploit because no one ever actually made an attack with it.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Was anybody surprised that some other bug was found in M$'s swiss cheese?
I run linux and windows. Looking back to the nyah-nyah-told-you-so game going back and forth about linux vs. windows vulnerability. I think this is another point for the linux side. Remote exploit where hacker can delete files and trash o/s is much worse than local root privilege escalation.
People made a point about Linus being made aware of the problem and the inaction for 3 weeks. But this apparantly is 3months old, patched already, and still a vulnerability.
I'm not trying to say linux is so far superior. It's evident both platforms have issues. But it looks like the Windows side it much more dicey. That said myself and everyone I know has not suffered problems in Windows. Don't run IE. Duh. It's not impossible to run a secure Windows box, and it may still be easier to do than run a secure linux box. I'm not going to pass judgement. I've had major headaches and complaints about every computer platform I've ever run. Doesn't matter what choice you make, you will have issues and they will suck. Apple zealots don't lie. Mac has issues too.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
And most ominously, it means that that company has control -- they could use their vendor lock-in to kill actual open standards (by not supporting them), create other proprietary standards to lock people in even more, and maybe even acquire enough power to get laws passed to legally require the use of their software! That would open the door to even more fun little horrors, the least of which would be taxing the use of the standard.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Security Update for Windows XP (KB123456) A security issue has been identified that could allow an attacker to compromise your Windows-based system and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
Extremely Critical update
Security Update for Windows XP (KB123456) A security issue has been identified that could allow an attacker to compromise your Windows-based system and gain control over it and subsequently gain full control of your mind. You can help protect yourself and your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
That link infected me also. I don't have SP2 installed because it doesn't work with some Athlon 64's. Any suggestions about dealing with the virus? I haven't rebooted yet.
This looks pretty serious too:
http://www.securityfocus.com/news/10248
Why no headlines?
Remember... ZG9uJ3QgZm9yZ2V0IHRvIGRyaW5rIHlvdXIgb3ZhbHRpbmU=
But I use Mozilla... not IE. Snicker
http://www.clamav.net/
Its database only has 29k+ definitions, so don't expect too much. Hoewever, it's Open Source, and could use the support. Clamwin is the Windows version.
http://www.clamwin.com/
I am sorry that I cannot reccomend any free virus scanners. The *only* virus scanner that I ever reccomend to anyone now is TrendMicro. After working with it for a while now, I almost refuse to fix problems with McAfee and Norton.
I really, really agree. I remember the gold old days when McAfee was an excellent product and a lot closer to being actually free. Norton was always up and down, but used to be better. But for a long time, I've found them both really disappointing in both how much they miss and how many hassles and slowdowns they create.
TrendMicro products are great by comparison.
They also excel versus a lot of startups. A while back I tried a Panda anti-virus package (so I like to check different products, don't flame me for it). It was a fair/mediocre anti-virus product, not dramatically better or worse than Norton, for example.
But, I made the mistake of testing their firewall product that came with the install. I keep hoping for a software fireall that actual works without breaking everything or causing tons of hassles to use on client sites (but never have).
Anyway, my system started slowing down, hanging, and blue-screening at random. I thought I had a virus. I didn't have a virus. I had a firewall. After about 12 hours of hell, I eventually diagnosed the firewall as the source of the problems. What a piece of crap! Inspite of all of the anti-Microsoft retorhic, its pretty rare that I find anything remotely reputable that will consistenly bluescreen 2k or XP, excepting really crappy device drivers.
Anyway, that's sort of a tangent, but the point is that there is a lot of crappy AV software out there, and you're TrendMicro recommendation is excellent.
Oh, one other thing, has anyone else notices how many anti-virus programs no longer include a memory scan? What the heck is up with that? Why even bother trying to find and clean files on disk when there could be something in memory working against you. Especially since a lot of spyware isn't fair from a virus in action or effects, and so many anti-virus programs skimp on checking for spyware and adware installations, including old, common ones that really interfere with system usage.
...and patched the same day.
The difference between free software and the proprietary stuff: if you've got no plausible deniability over faults, you tend to own up to them quickly. Not quibble over whether it's a bug or not, or how critical it is. And you fix it.
If you really want to kill a long, rainy afternoon, buy Jeremy Allison some beers and ask him about the undocumented bugs the Samba team knows about in CIFS, but, because they're nice guys, they're not holding MSFT's feet to the fire over.
IHBT, IHL, HAND.
What part of "gestalt" don't you understand?
...welcome our virus-finding, dump that rat bastard microsoft overlords!
The local exploits effect me exactly how? Nobody uses my system locally but me. Now since I don't "contribute to the cause" I'm a cheapskate? Wow. I would have thought that term applied better to people that run warezed copies of windoze, not to me, who actually wants to run a better system. I've probably actually spent more $$ on Linux than most have on windoze (Caldera was my distro of choice some years back, and it wasn't cheap).
Clicky.
I have been using Firefox as my default browser for 6 months. I should have mentioned that in my post - but I guess I take for granted that self respecting slashdotters would not use IE :-)
Sophos saw the cached page even though the code was never going to be executed. I believe in a multi-layered defence - I count 5 between my filesystem and the net: firewall, http proxy (privoxy), a better browser (FF 1.0) running without admin privledges & anti-virus. All of these bits help.
vnxcwvcs wovxm muxw xosxmn voouvcs ssvrnns awrsmwa e
xcrmmam uswoea exnxe nerw cruancv ver oxunro acnmes
mawnvw uscr xmmsxur wmuoser rwnrne wn cucacar wrcus
uvawar rmsso vnae s u x mcsesru
xwwenx ewwusmwx x o w w nossxve
aesrurm ccaexuu w a a u vmcvvnm
wucecnw wsccea ewxau eerrcuw unuu vvvcn erxxnxa
cvcxvorm auvsv vosnu rawccx vceamw uvacencr mnxu
nexaxw xsaxweac vnuev csmo ouxwwm rerso eevoau ooso
vvemcow mxvmnoo smuou sswen maemomv urrerc aewssnw
ewareacu surar ssm naaxro acvnx rvrvmns vromwr usxse
uevaeou suxenu ucssuom nwrcvcua aeoccos vmueom
ncwnn weumcwv nauas o m xuwcrm waer wouwsw
munnmcs ocvvo rnc v m ocevne ccoc wrvme
rarna xeecox rcn e a ewaxw mxew xsmw
svcxc nesccue a usavce soeexce uneoxr amrwrne
ucscu cnvrcma a usuwucur xuruwnuee waruc nwcawcae
ewxmm xseuurva rraomrman aeowun svv voseac ccvmeu
ucamn cvrcnnwu eoxscavcr wcscm semc wxuxcoex unao
uuwxsa coamsmx eewcnexem arrnwmawe novonsmu xaov
xnmamve xooouss vcsnsoxno rnaouaoa neuoxw rssausv
xxmrua xavuxawa ervsvsvx wcen vvnsu mxan vwoc
vwncu ancesuw cn vomoms w ncwaxaxx auwannu
urcun nnwnnus norw vuera u mrmcewu vnesmw wa
acswwax meavw mocnevo new c ccemce senaxs acxsx
xcswuw cuvru erecsnr aoruo cansew nwrawxs vvuuo nmxm
rowxvcwo rceau cuvxvurw v awnccmm sexevuv vmr
meecrovs vaaam ecocmuo o mmocvu eonso wevw
uuvwv mrev ueme ccxenxx s rwoasc morawnnc
cmavmmmr nenrnx vrxwavv r ovrmxaaaa awucm
mrvxom umwnexso erscmmwn xrnon rcwua oeacraem
caawe mxnavwvc xwxeouna uaoasas nvvvx omaexae
vwmssuo sawxcs usvnurvu nvcemco ncevrr rnocwr
mcsoac wsmeuxn rmewvrv umvuewn xmcrxrv wswnr
manncu vxnwnmx ceeuswn cawosw ueruowcw easru
ccvrnovo svurnu soour wcoexs soxnc wmrcvuxr
acsxv vnrmsx na w nvsac svuwnu msvmec
vnrrunxa oovrmuo v erwcne vveacxw nrmrn
vxurws wourwv eurn scosans veaaer axasem eavos
sxorruwc swvawso xrwer vuwmw rnmxxue uaxrxne ammrvvs
ruuwmc smrwo ecenw cvssw asvr naemaes xmosraer xuao
eeuwex easaue vnens xxneaa rseeurm mu xowvx nwaexns
ecsxec crarvcr on w a c neoxava
vemacm uuwovmvs n a s v ewccvve
oosvemum aaorxc m c m x avnureo
rcvvcos urnmxs neasocve uvevm nuu vcnnexx vacxa
eevouu nrarrox amrsw vrusao aamsxw nnnesm cwaxer
rwxacarc mwumxn crmcw seannx rcucrwm wearmx vvcosva
wsmsmwax wuaoav cesuwemx wnex rnxumua oscrx awuuxa
uvmuns xvxsr cuenu usnwcox wennw xamv raon xmaow rxa
xvwcov oxneonx aoacre eewr swrnsu ee sevecrmx cvce
xvosmmx uerrcm s a a nsssax vv
vwaaxe mmvncas e u c cmasx wm
nwcwvmx vausma o s m uxswv xe
vcxsv rvcxeuvn a m v nnmoww sc
enwnnnv momosn mwaessx xesmunm vaem wcam sxcr wcsmn
saasve mmumwws evvvwe wexvmns areves avecs xaxsevw
sxcser awasmwu n m c xossuenx oumv
xossmn aemwuew r w o uecur wxnoxmu
srewc vncsmscr c m v ovvroseo xucv
axumoumo uussc e c a rooaeca aanrr
nnwwsecv naesa ooecxm urmawv urrc soomomsm srswcvr
uvwsawo nnerev vxerxx easc ewcuvruu xewscse wcxnmxw
aaeovvo mmsua vromam cowm waxew rsm xeaxeevn uuwre
sxsnea rowrwo ewrxva naurn svaawxco onmuue vcssow
arvnxr uxco snuo crcwue msumxxn xcm swusx umwwwvx
wevxocs oxvmum s e a cnuucro aswcm
ammov rweravmw a m o mccxmsow ssmsm
nxummmum neeea u r r enrnwvn excxoos
ruuxxsm acwsva v e v wrwuamsm orsnxunm
csxrca vuvvoaw emsexno mncsrwv venv wsevwr xuxwxrrw
xxwxww wsweouo ovrv avrv nmmecnmn rscc unsmwx
xunu v rewuxa vxxxw o csrons ecuwsm nnv
ev cmrraco meee u scusam xorxrr re
a wowvwwwso vr e c uruunvum nnnwwv
o xxnenronm w nnxvcr uoaom scwvumse
u onxvwxanm xuu rrmnxxw sucwr voxesoo uasue
e omnxaaxr sanx usxucca rruuxw onawewar xwms
c reonoonv vwmu xnnsunc monxwn srevcw smrmeu
r vcoreu xanev amaueecn ws nasrn cxrmame
e vereo crwcem wcrnru aoavxvex eunxw
aw c wrsencwn e vvuencr voecaaav
vsu s vmacrn rxo x e se smwom
Remember when the United States Computer Emergency Response Team (US CERT) recommended using against using Internet Explorer? When that happened Secunia issued a statement essentially defending IE, saying it's problems aren't that bad. I promptly fired off an email (mainly an angry rant) about "How can you say that? You of all people should know that using a different browser is a good idea! It's in your interest that your customers use IE and have troubles!"
I got an email back saying that there are always vulnerabilities in everything, CERT went over the top with their advisory.
Definitely go with Trend if you don't mind paying! The best free one I think is AVG (www.grisoft.com)