Slashdot Mirror


Extremely Critical IE6/SP2 Exploit Found

Spad writes "Secunia is reporting on three vulnerabilities in IE6 running on XP SP2. Any of these, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user's system. Moreover, the vulnerability can be used to delete files from the user's system. Secunia says 'Solution: Use another product.'"

24 of 595 comments

  1. Not working by Anonymous Coward · · Score: 2, Interesting

    Hmm... I tried the Secunia site and IE just blocks the ActiveX control, saying it's unsafe.

    The jmcardle site gets past IE, but Norton detects it and immediately blocks access. Nothing happens.

  2. Now we use IE6 and XP only for banking by Green+Salad · · Score: 5, Interesting

    It was mandatory for us to switch to Mozilla. Problem is all our financial vendors make use of Active-X.

    Result: Now we use Mozilla for casual browsing and use insecure products only when conducting important business!

    1. Re:Now we use IE6 and XP only for banking by davids-world.com · · Score: 2, Interesting

      I don't deal with the financial sector professionally, but all my private homebanking with 4 banks in three different European countries and a broker work just fine without IE (I use Safari = KHTML). No ActiveX there - I believe it's state of the art not to use IE specific stuff. (But I guess I wouldn't choose a bank in the first place that requires stuff like IE or even Windows...)

    2. Re:Now we use IE6 and XP only for banking by SharpFang · · Score: 4, Interesting

      Switch to providers who don't lock you in with crappy service. And tell them clearly "Supporting only insecure Microsoft products you don't meet our security standards. Good Bye!"

      I'm not a big company, I'm just a private user. I very recently switched banks I use for personal finances. I left a "common" bank with its units in several thousands of locations, and introducing new fees and increasing old ones now and then to maintain them all, and with quite crappy and really expensive Internet service, that was supposed to work in Mozilla/Firefox but it more often didn't than did, and I signed up for an Internet bank. Reduced costs of maintenance resulting in zero fees on all operations and account maintenance, no other fees, (except of withdrawal from ATM, very cheap too), and as they are an Internet bank, finally a REALLY professional Internet service. Working flawlessly in any browser, probably including Lynx :)

      I don't know how it works for big companies but I strongly encourage you to leave your old-fashioned banks and move to "Internet banking". Reducing number of channels where money flows lets them focus on keeping the channels they maintain highest quality.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2

  3. Re:Nothing to see here.... by Anonymous Coward · · Score: 1, Interesting

    You explain to me why a three month old bug deserves Front Page status, and I'll apologize for feeding the trolls.

  4. Re:A worm that deletes everything. by caluml · · Score: 2, Interesting

    Or just used Windows file encryption to encrypt a load of stuff, and then change the passwords for all the accounts. Chances of people backing up their encryption key, but not patching their boxes are very small.
    Change a few fields in spreadsheets too might be fun.
    Post stored usernames and passwords to newsgroups..

  5. Re:Heh by Owndapan · · Score: 5, Interesting

    The exploit worked on my fully patched WinXP SP2 box, running EZ Firewall/Antivirus suite, and running as a non-admin user.

    I think this exploit deserves a bit more attention than "serves clueless n00bs right". Although to be fair my default browser (Firefox) was unaffected ;)

  6. Re:Nothing to see here.... by aixou · · Score: 2, Interesting

    I believe there are now exploits in the wild, or exploits poised to get out in the wild -- which is why the rating was increased.

    Having a vulnerability is like having a broken lock on a window. An exploit of that vulnerability is a burglar who is going around your neighborhood using windows as the entry point. In my opinion, exploits are a more serious concern than the vulnerability itself and warrant the increased amount of news on the topic.

  7. Ya I pretty much have to recommend no IE now by Sycraft-fu · · Score: 4, Interesting

    I'm a Windows guy, and generally I think MS does good work (please no retarded flames on this I won't respond). However IE is just not worth using as a web browser these days. I have switched to Firefox, switched all lab systems I control, and recommend to everyone that they switch. It is just as fast, in my experience, has support for more of the W3 standards, and is more customizable. The only area it falls behind in is rendering broken code, and that's rare enough it's not a big deal.

    The security issues are another consideration as well. Active X controls in a webpage were a nice idea, as a way to add neat functionality, however it simply opens up the possibility of too many exploits. It's not a matter of doing better checking of code or such, it's just too much power for a website to have.

    So, even liking MS generally, I have to recommend against IE. Firefox is currently better in all the ways that really matter.

    Also, I've noticed some people mention online banking as a problem. Bank of America works fully with Firefox and has generally been a decent bank. Though I imagine if Firefox grows much more banks will have little choice but to support it.

  8. What did Microsoft do to SP2 by Nuskrad · · Score: 5, Interesting

    I'm running XPSP1 with all critical updates installed. To get the exploit to run with IE on my computer I have to manually change the security level to low, allow an unsigned ActiveX control to run when it warns me I shouldn't, and confirm the overwriting of files. What the hell did Microsoft do in SP2 to make it vulnerable?

    1. Re:What did Microsoft do to SP2 by Joel+from+Sydney · · Score: 2, Interesting

      Looks like this only works under SP2. I'm also running XP SP1 and had the same problems getting the exploit to work :)

  9. Re:Test site by skraps · · Score: 2, Interesting

    You could flash the BIOS, but the way to do that is pretty vendor-specific. I think what the GP really meant was "nuke the CMOS" - erase the settings. That can be done from software, and is generally not vendor specific. However, you will need admin privileges to do it on Windows NT, 2000, XP, and 2003.

    --
    Karma: -2147483648 (Mostly affected by integer overflow)

  10. That's exactly my point... by kiddailey · · Score: 2, Interesting

    Thanks for the description.
    ... then a command console that quickly closes (dunno what that did)...
    And that is exactly what I'd like to know.

  11. Re:No explanation about what the test does... by js7a · · Score: 4, Interesting

    This is a pretty good security advisory. It looks like it was actually meant to be understood by end users, and not just other security professionals. Then again, it seems to be taking a measurement without obtaining explicit permission first, and I'm sure that makes people nervous. But under the circumstances, it's probably not a bad decision to just go ahead. I mean, why not?

  12. Re:Windows 2003 Server? by Anonymous Coward · · Score: 2, Interesting

    Vulnerabilities do exist. I installed 15 patches on a pair of new 2003 servers yesterday. Only 2 of these were IE patches.

  13. Re:No explanation about what the test does... by Kris_J · · Score: 2, Interesting

    This is why I didn't bother to "fix" it when my system drive set itself up as E: the last time I rebuilt a home PC.

  14. Activex vs. Plugins by Anonymous Coward · · Score: 1, Interesting

    What's the difference between ActiveX and plugins which have full write privilege to system files? Especially when the plugins have plugins, e.g. different codecs for the streaming media plugins. It's hard to keep track where everything is coming from.

    Plugins pretty much bust the browser's sandbox model. If I was a cracker that's what I'd be concentrating on, writing rogue plugins or trying to break the current ones. Plugins probably have the security as the lowest priority, especially the spyware ones.

  15. Some People Will Never Switch by Anonymous Coward · · Score: 1, Interesting

    Take my younger 18 year old brother for instance. He's hooked into Internet Explorer and MSN like a Great White on a bloody fishing line... no matter how many trojans he seems to pick up - the last one was very nasty, lots of random .exe's dotted around his system - he still won't change. I say "You shouldn't have to reinstall XP every 2 months", he says "I like a clean system!". Talk about banging your fucking head against a brick wall

  16. Re:Test site by Red+Pointy+Tail · · Score: 2, Interesting


    What you mean is that we have been vulnerable to this since IE6 was available waaayyyyy back, but it wasn't known until 3 months ago, and that they just realised how easily exploitable it is 2 days ago.

  17. Re:A worm that deletes everything. by Taladar · · Score: 2, Interesting

    So why are you allowed to install a dozen third-party apps to deal with IE's flaws but no alternative to it?

  18. So what you're telling me is that by TrekkieGod · · Score: 4, Interesting

    this has been known for 3 months and there are still no patches available from Microsoft? According to Windows Update, I'm fully patched, according to their test page, IE is still vulnerable. I think that's even worse than it being a new vulnerability.

    Lucky me that I use Firefox, and just got IE out to try out that test. And don't give me stuff about "turn off ActiveX" or some bs like that. The point is, how many non-tech-savvy people think they're safe because they've done what we told them to do and kept their computers patched?

    --

    Warning: Opinions known to be heavily biased.

  19. Re:But can it be used to... by BitchKapoor · · Score: 2, Interesting

    As a matter of fact you can delete IE, but Windows quickly restores a backup copy of it from somewhere. However, if you copy another file over C:\Program Files\Internet Explorer\IEXPLORE.EXE or even just delete it and quickly rename another file to IEXPLORE.EXE before the backup is restored, Windows doesn't seem to revert your changes (this is probably to allow upgrades). I'm not sure how Windows decides when and how to make a backup. When I replace IE by a simple text file, after deleting the text file, the original IE is restored. But when I replace IE by a copy of HMMAPI.DLL, it seems to stick -- in fact, if I then re-replace this with the real IEXPLORE.EXE, wait a while, and then delete it, IEXPLORE.EXE gets reverted back to the backup copy of HMMAPI.DLL!

  20. Script? Written -- Enjoy! by Pavan_Gupta · · Score: 2, Interesting

    http://www.people.virginia.edu/~pg8p/

    It downloads firefox, and begins the installation -- that's it.

    I could've very easily moved iexplore.exe and adjusted icons and everything, but let's play this the white hat way. Enjoy amigos!

  21. Re:But can it be used to... by Anonymous Coward · · Score: 1, Interesting

    So did you recommend abandoning Linux a couple of days ago when a root exploit was found?