Slashdot Mirror

← Back to Stories (view on slashdot.org)

Extremely Critical IE6/SP2 Exploit Found

Posted by timothy on from the but-don't-worry-they're-on-it dept.

Spad writes "Secunia is reporting on three vulnerabilities in IE6 running on XP SP2. Any of these, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user's system. Moreover, the vulnerability can be used to delete files from the user's system. Secunia says 'Solution: Use another product.'"

13 of 595 comments (clear)

  1. Delete files? by lachlan76 · · Score: 3, Insightful

    One would assume that any vulerability that could run arbitary code would be able to delete files.

  2. A worm that deletes everything. by caluml · · Score: 4, Insightful

    We need a worm/virus that deletes everyones files. That would make keeping your computers patched a high priority for most of the users. At the moment, viruses are just something that affects and annoys "other people"

    --
    Get your own free personal location tracker
    1. Re:A worm that deletes everything. by LewsTherinKinslayer · · Score: 5, Insightful

      "We need a worm/virus that deletes everyones files. That would make keeping your computers patched a high priority for most of the users. At the moment, viruses are just something that affects and annoys "other people""

      Similarly, we need a firebug to go around lighting people's houses on fire to show how having smoke detectors should be a high priority.

      I realize you're not being 100% serious, but this reasoning is stupid.

    2. Re:A worm that deletes everything. by tom1974 · · Score: 5, Insightful

      That would make keeping your computers patched a high priority for most of the users.

      What has that to do anything with this story? RTFA and please stop blaming the user for everything.

      Running WinXP SP2 and fully patched system. I run Norton anti-virus, spybot, Ad-aware and now MS Antispyware and enabled autoupdate.

      Checked out Secunia, ran their test and my system was found vulnerable.

      What more should I patch?

    3. Re:A worm that deletes everything. by skiman1979 · · Score: 4, Insightful

      It's a shame that Windows users need to install antivirus, spybot, ad-aware, and other scanners (and run them on a monthly...weekly...daily basis to keep their computers clean. Also, don't forget about regedit. Seems Windows registry likes to corrupt itself. I dread the day that Linux gets to that point.

      --
      Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
  3. No explanation about what the test does... by kiddailey · · Score: 5, Insightful


    What's scary is that page doesn't even detail what the test will do on your machine! Clicking the link is risky enough even if you did know what it was going to do (ie. how do you know their server hasn't been compromised and the test altered).

    All it says is "The test requires that you have Windows installed in 'c:/windows/'." Uh... Why? is it actually doing something in there? Does it just need to access cmd.exe?

    Click at your own risk, indeed. I suggest running it on a machine that you plan to reformat or under an emulator like VPC.

  4. Re:Heh by Anonymous Coward · · Score: 3, Insightful

    It's amazing how the WinFanboys can live in such denial. It's like people you know who live in a really bad neighbourhood and deny there's anything wrong. "Oh we're OK, we live in a safe area. As long as you put bars on all your windows, don't leave the house when it's dark, put up bullet proof windows, and don't make eye contact with the neighbours like sensible people you're perfectly safe". It's the old "Apart from how it's broken, it works perfectly" line. Used car salesmen use similar techniques. "She blows a bit of smoke and rattles some, but you know this was one of the best models made. They don't make 'em like they used to (watch out for the leaky floorpan too)"

    The blame-the-users mentality also serves to protect MS itself. If the general consensus is that users are at fault for succumbing to vulnerabilities then MS has no responsibility to fix it, and is under no pressure to do so.

    Keep sucking it up will you. There's a good boy.

  5. BFD by Anonymous Coward · · Score: 3, Insightful
    I don't see what the big deal is. Provided that all of your users are rocket-scientists that never, ever do anything stupid that allows any hostile code access to their machines, then all your company's intranet sites should be safe and aren't going to include this IE exploit. IE will remain safe to use.

    As for the internet, let's be serious. Anyone who, since 1995 (when ActiveX was introduced), has used MSIE on the internet, is just plan stupid, and has never had a reasonable expectation of either security or privacy. This has literally been known for nearly a decade now. "Fool me once, shame on you. Fool me 621498 times, shame on me."

  6. Re:Fairly simple solution by nagora · · Score: 3, Insightful
    What the hell is wrong with people?
    1. People really do fear change,
    2. Microsoft has succeeded in producing a massive lock-in with their products,
    3. Many people, wrongly, think that a "big name", whether in computers or cars or whatever, means big support and that small companies can not have the resources to make "fully functioned" products. The trick here is that many of the extra functions were added to push the upgrade sales, not for any utility,
    4. Many people are stupid,
    5. Large companies get quiet "bonuses" for standardising on third-rate crap from Microsoft (and Intel, for that matter - I was offered free hardware if I would make our company website slower, to encourage upgrading of machines),
    6. Many many people have too little time to bother finding out about the alternatives.

      That's part of the answer, anyway.

    --
    "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
  7. Re:Test site by farnz · · Score: 3, Insightful
    It allows a malicious web page to do anything on your system that you can do locally; if the user you run IE as can do it, the attacker can do it too. So, if you can read these critical files, the attacker can, too. If you can modify them, guess what? The attacker can change them too.

    If I were a black-hat planning to exploit this vulnerability, I'd put a remote control program like Back Orifice and a HTTP tunnelling program onto the web for BO to use for connectivity. Then the exploit downloads and installs them, and I have full control of your system whenever I want it.

    --
    I appear to have a blog. Odd.
  8. Re:Heh by R.Caley · · Score: 4, Insightful
    ...But one with proper security controls put in place like a good virus scanner/firewall/IE settings/anti spyware and creating a non-admin user for web browsing will not be affected.

    And a car with the wheels nailed to the ground, the doors welded and all the windows painted over is pretty safe from theves. When you saw those precautions advised in the manufacturer's literature, would you buy the car?

    --
    _O_
    .|<     The named which can be named is not the true named
  9. Non-admin won't help you much by MarkByers · · Score: 3, Insightful

    creating a non-admin user for web browsing This assumes that there are no local exploits to promote users to superusers. It is a much better idea to use a secure product, rather than hoping that there are no security vulnerabilities in the Windows kernel.

    --
    I'll probably be modded down for this...
  10. Re:So what you're telling me is that by CerebusUS · · Score: 4, Insightful

    No, What I'm telling you is that this article was written and posted to provide fodder for a flame war.

    You are still vulnerable because Microsoft has determined that this vulnerability is:

    a) unpatchable without ruining the functionality of the product

    and / or

    b) not a large enough threat to worry about.

    Now I'm _not_ going argue whether either of these points is correct or not. But to present these as "New exploits" is typical Slashdot anti-journalism. they did the same thing when they announced the "New" vulnerabilities for Firefox a few days ago. Those were not new either, but neither the submitters or editors bothered to read the articles that were submitted.