Slashdot Mirror

← Back to Stories (view on slashdot.org)

Extremely Critical IE6/SP2 Exploit Found

Posted by timothy on from the but-don't-worry-they're-on-it dept.

Spad writes "Secunia is reporting on three vulnerabilities in IE6 running on XP SP2. Any of these, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user's system. Moreover, the vulnerability can be used to delete files from the user's system. Secunia says 'Solution: Use another product.'"

32 of 595 comments (clear)

  1. Delete files? by lachlan76 · · Score: 3, Insightful

    One would assume that any vulerability that could run arbitary code would be able to delete files.

  2. A worm that deletes everything. by caluml · · Score: 4, Insightful

    We need a worm/virus that deletes everyones files. That would make keeping your computers patched a high priority for most of the users. At the moment, viruses are just something that affects and annoys "other people"

    --
    Get your own free personal location tracker
    1. Re:A worm that deletes everything. by Neuroelectronic · · Score: 2, Insightful

      Such a worm wouldn't spread very far...

    2. Re:A worm that deletes everything. by LewsTherinKinslayer · · Score: 5, Insightful

      "We need a worm/virus that deletes everyones files. That would make keeping your computers patched a high priority for most of the users. At the moment, viruses are just something that affects and annoys "other people""

      Similarly, we need a firebug to go around lighting people's houses on fire to show how having smoke detectors should be a high priority.

      I realize you're not being 100% serious, but this reasoning is stupid.

    3. Re:A worm that deletes everything. by tom1974 · · Score: 5, Insightful

      That would make keeping your computers patched a high priority for most of the users.

      What has that to do anything with this story? RTFA and please stop blaming the user for everything.

      Running WinXP SP2 and fully patched system. I run Norton anti-virus, spybot, Ad-aware and now MS Antispyware and enabled autoupdate.

      Checked out Secunia, ran their test and my system was found vulnerable.

      What more should I patch?

    4. Re:A worm that deletes everything. by Anonymous Coward · · Score: 2, Insightful
      What more should I patch?
      The OS! I'm serious, when will people realize this: You are running a fully-patched system, with an antivirus, 3 spywares detectors and enabled autoupdate. I have Li**x and I need nothing, I work with it, and it works as expected.
    5. Re:A worm that deletes everything. by skiman1979 · · Score: 4, Insightful

      It's a shame that Windows users need to install antivirus, spybot, ad-aware, and other scanners (and run them on a monthly...weekly...daily basis to keep their computers clean. Also, don't forget about regedit. Seems Windows registry likes to corrupt itself. I dread the day that Linux gets to that point.

      --
      Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
  3. Re:Heh by Anonymous Coward · · Score: 0, Insightful

    A fully patched and left wide open XP/SP2 might be in danger.

    But one with proper security controls put in place like a good virus scanner/firewall/IE settings/anti spyware and creating a non-admin user for web browsing will not be affected. If you're hit by this one, you have only yourself to blame. All of the above should be installed and working before you go online.

    Common sense is the biggest protection, people.

  4. No explanation about what the test does... by kiddailey · · Score: 5, Insightful


    What's scary is that page doesn't even detail what the test will do on your machine! Clicking the link is risky enough even if you did know what it was going to do (ie. how do you know their server hasn't been compromised and the test altered).

    All it says is "The test requires that you have Windows installed in 'c:/windows/'." Uh... Why? is it actually doing something in there? Does it just need to access cmd.exe?

    Click at your own risk, indeed. I suggest running it on a machine that you plan to reformat or under an emulator like VPC.

  5. Heh. by BJH · · Score: 2, Insightful

    Yeah, similar thing here - I use either Mozilla or Firefox at work and at home for pretty much everything, but the company timesheet site and internal website (including things like the phonelist) refuse to work under anything other than IE.

    Good work guys, it wouldn't have taken any more than a couple of days to figure out how to get your frigging menubar to work in a way that didn't require the security equivalent of a gigantic Swiss Cheese.

  6. Re:Heh by Anonymous Coward · · Score: 3, Insightful

    It's amazing how the WinFanboys can live in such denial. It's like people you know who live in a really bad neighbourhood and deny there's anything wrong. "Oh we're OK, we live in a safe area. As long as you put bars on all your windows, don't leave the house when it's dark, put up bullet proof windows, and don't make eye contact with the neighbours like sensible people you're perfectly safe". It's the old "Apart from how it's broken, it works perfectly" line. Used car salesmen use similar techniques. "She blows a bit of smoke and rattles some, but you know this was one of the best models made. They don't make 'em like they used to (watch out for the leaky floorpan too)"

    The blame-the-users mentality also serves to protect MS itself. If the general consensus is that users are at fault for succumbing to vulnerabilities then MS has no responsibility to fix it, and is under no pressure to do so.

    Keep sucking it up will you. There's a good boy.

  7. BFD by Anonymous Coward · · Score: 3, Insightful
    I don't see what the big deal is. Provided that all of your users are rocket-scientists that never, ever do anything stupid that allows any hostile code access to their machines, then all your company's intranet sites should be safe and aren't going to include this IE exploit. IE will remain safe to use.

    As for the internet, let's be serious. Anyone who, since 1995 (when ActiveX was introduced), has used MSIE on the internet, is just plan stupid, and has never had a reasonable expectation of either security or privacy. This has literally been known for nearly a decade now. "Fool me once, shame on you. Fool me 621498 times, shame on me."

  8. Re:Test site by m50d · · Score: 2, Insightful

    OK, you find me a more critical vulnerability. One that allows nuking the bios maybe, but other than that I can't think of such a thing.

    --
    I am trolling
  9. Re:Secunia? by Anonymous Coward · · Score: 1, Insightful

    What does this information got to do with the bugs he found on Internet Explorer? You know, even if you dig up his mother's name it wouldn't change the fact that he actually found some serious flaws in IE SP2.

  10. Re:Fairly simple solution by nagora · · Score: 3, Insightful
    What the hell is wrong with people?
    1. People really do fear change,
    2. Microsoft has succeeded in producing a massive lock-in with their products,
    3. Many people, wrongly, think that a "big name", whether in computers or cars or whatever, means big support and that small companies can not have the resources to make "fully functioned" products. The trick here is that many of the extra functions were added to push the upgrade sales, not for any utility,
    4. Many people are stupid,
    5. Large companies get quiet "bonuses" for standardising on third-rate crap from Microsoft (and Intel, for that matter - I was offered free hardware if I would make our company website slower, to encourage upgrading of machines),
    6. Many many people have too little time to bother finding out about the alternatives.

      That's part of the answer, anyway.

    --
    "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
  11. SP2 - any effect? by rseuhs · · Score: 2, Insightful

    It looks like SP2 was just the usual patch-collection and the crackers just needed a little bit time to adapt to it.

  12. Re:Test site by farnz · · Score: 3, Insightful
    It allows a malicious web page to do anything on your system that you can do locally; if the user you run IE as can do it, the attacker can do it too. So, if you can read these critical files, the attacker can, too. If you can modify them, guess what? The attacker can change them too.

    If I were a black-hat planning to exploit this vulnerability, I'd put a remote control program like Back Orifice and a HTTP tunnelling program onto the web for BO to use for connectivity. Then the exploit downloads and installs them, and I have full control of your system whenever I want it.

    --
    I appear to have a blog. Odd.
  13. Re:Regular users have given up by randallpowell · · Score: 2, Insightful
    I, too, am a freelance PC repair technician. People now think that spyware/worms/viruses/browser-hijackers are a normal part of using the Internet with Windows. Some try to use security software but it's never updated and never configured right.

    I did get a bunch of Ubuntu CDs while their free and give those out to anyone that is interested in Linux. Especially after I answer the question, "How do you deal with it?" with "I don't. I use Linux."

  14. Re:Heh by R.Caley · · Score: 4, Insightful
    ...But one with proper security controls put in place like a good virus scanner/firewall/IE settings/anti spyware and creating a non-admin user for web browsing will not be affected.

    And a car with the wheels nailed to the ground, the doors welded and all the windows painted over is pretty safe from theves. When you saw those precautions advised in the manufacturer's literature, would you buy the car?

    --
    _O_
    .|<     The named which can be named is not the true named
  15. Re:But can it be used to... by l0b0 · · Score: 2, Insightful
    Recipe for an IE-free world:
    1. Install Firefox
    2. Install an IE look-alike theme
    3. Replace the IE executable with sth pointing to FF
    4. Rejoice
  16. Kind of, it seems. by coyotecult · · Score: 2, Insightful

    http://www.starnix.com/banks-n-browsers.html VERY comprehensive list of banks who will work with Linux -- which is basically the same thing. If you're browser agnostic, the OS shouldn't be a deal.

  17. Re:Heh by Master+of+Transhuman · · Score: 2, Insightful

    "But one with proper security controls put in place like a good virus scanner/firewall/IE settings/anti spyware and creating a non-admin user for web browsing will not be affected"

    Right - and Granny isn't supposed to be able to run Linux, but she can do all that security stuff on Windows, right?

    Well, I actually believe she can IF someone tells her she needs to...

    And she can learn Linux, too, if she decides Windows is a piece of bloated, unreliable, unstable, expensive, insecure CRAP...

    How many YEARS past the last "security initiative" from Microsoft are we now?

    Why don't they just spend some of that $30 billion they pissed away on their stock prop PR stunt and just BUY the entire computer security INDUSTRY and integrate it?

    Does anybody REALLY believe Longhorn is going to be secure?

    Gimme a break...

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  18. Mod parent up by Anonymous Coward · · Score: 1, Insightful

    What moron modded this flamebait? The parent makes an excellent point. The average person is still worried about viruses and attacks that damage a computer. He worries a virus could delete his Quicken files, but thinks it's safe to send his PIN to his bank's site because the little padlock appears.

    Users need to be educated that real damage happens when their data are read by someone else, like phishing, datamining, and whatnot. Simple data loss can easily happen without malice.

  19. Non-admin won't help you much by MarkByers · · Score: 3, Insightful

    creating a non-admin user for web browsing This assumes that there are no local exploits to promote users to superusers. It is a much better idea to use a secure product, rather than hoping that there are no security vulnerabilities in the Windows kernel.

    --
    I'll probably be modded down for this...
  20. Re:McAfee virusscan itself is also affected in a w by eraserewind · · Score: 2, Insightful

    AVG Antivirus.

  21. Use another browser? by Anonymous Coward · · Score: 1, Insightful

    I use Firefox or Mozilla and am in the process of weaning myself off of Windows... but am I wrong in noticing that a certain amount of open-source propaganda has found its way into these security advisories?

  22. Re:Ya I pretty much have to recommend no IE now by Anonymous Coward · · Score: 1, Insightful

    Ahem...

    "Linux is only free if your time is worth nothing."

    You're not paying for 'software'. You're paying for the convenience. I don't like Windows much, but for people who have better things to do with their time (alas, not I), it might still be a better option.

    Mac OSX seems like a good middle ground between convenience and security, but it comes with some rather nice and rather expensive hardware.

  23. Re:So what you're telling me is that by CerebusUS · · Score: 4, Insightful

    No, What I'm telling you is that this article was written and posted to provide fodder for a flame war.

    You are still vulnerable because Microsoft has determined that this vulnerability is:

    a) unpatchable without ruining the functionality of the product

    and / or

    b) not a large enough threat to worry about.

    Now I'm _not_ going argue whether either of these points is correct or not. But to present these as "New exploits" is typical Slashdot anti-journalism. they did the same thing when they announced the "New" vulnerabilities for Firefox a few days ago. Those were not new either, but neither the submitters or editors bothered to read the articles that were submitted.

  24. Daft headline too... by doodlelogic · · Score: 2, Insightful

    It's either critical or it isn't. "Extremely" is redundant.

  25. Re:McAfee virusscan itself is also affected in a w by omicronish · · Score: 2, Insightful

    That's pretty amusing. A virus scanner that relies on a component that may be a vector for viruses and trojans, and a known vector for spyware.

    Embedding IE is simple for the programmer, but the security settings are so confusing for the user that it's possible to inadvertantly tighten security too much for local applications, which causes the errors that you speak of. After the existence of security holes themselves, I think the next worst part about IE is its incredibly confusing set of security settings, especially on the Group Policy side. It's difficult to secure something when you don't understand how its security works.

  26. Re:Test site by Anonymous Coward · · Score: 1, Insightful

    You really think Firefox is secure. What a moron. The only reason Firefox isn't exploited is nobody uses it.

  27. Re:Help me!! by tmika · · Score: 2, Insightful

    Hey can someone please tell me how I can find out where my windows is installed? It says here http://secunia.com/internet_explorer_command_execu tion_vulnerability_test that windows needs to be installed in c:\windows\ for their test exploit to work 'properly'

    Computer specs: iBook g3 800mhz...

    In that case, you're windows installation is probably along an exterior wall of your house or office. Its where you'll notice sunlight coming in during daytime hours, and be careful, it is a huge security vulnerability.

    BTW: Thanks! Your comment was the first time I really picked up the irony that Microsoft Windows is named after the weakest point of physical security and the cause of most unnecessary energy loss in most buildings. I'm sort of a Microsoft guy, and I still think that's extremely funny and more than a little prescient.