Slashdot Mirror


Extremely Critical IE6/SP2 Exploit Found

Spad writes "Secunia is reporting on three vulnerabilities in IE6 running on XP SP2. Any of these, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user's system. Moreover, the vulnerability can be used to delete files from the user's system. Secunia says 'Solution: Use another product.'"

7 of 595 comments

  1. Now we use IE6 and XP only for banking by Green+Salad · · Score: 5, Interesting

    It was mandatory for us to switch to Mozilla. Problem is all our financial vendors make use of Active-X.

    Result: Now we use Mozilla for casual browsing and use insecure products only when conducting important business!

    1. Re:Now we use IE6 and XP only for banking by SharpFang · · Score: 4, Interesting

      Switch to providers who don't lock you in with crappy service. And tell them clearly "Supporting only insecure Microsoft products, you don't meet our security standards. Good Bye!"

      I'm not a big company, I'm just a private user. I very recently switched banks I use for personal finances. I left a "common" bank with its units in several thousands of locations, and introducing new fees and increasing old ones now and then to maintain them all, and with quite crappy and really expensive Internet service, that was supposed to work in Mozilla/Firefox but it more often didn't than did, and I signed up for an Internet bank. Reduced costs of maintenance resulting in zero fees on all operations and account maintenance, no other fees (except for withdrawal from ATM, very cheap too), and as they are an Internet bank, finally a REALLY professional Internet service. Working flawlessly in any browser, probably including Lynx :)

      I don't know how it works for big companies but I strongly encourage you to leave your old-fashioned banks and move to "Internet banking". Reducing number of channels where money flows lets them focus on keeping the channels they maintain highest quality.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  2. Re:Heh by Owndapan · · Score: 5, Interesting

    The exploit worked on my fully patched WinXP SP2 box, running EZ Firewall/Antivirus suite, and running as a non-admin user.

    I think this exploit deserves a bit more attention than "serves clueless n00bs right". Although to be fair my default browser (Firefox) was unaffected ;)

  3. Ya I pretty much have to recommend no IE now by Sycraft-fu · · Score: 4, Interesting

    I'm a Windows guy, and generally I think MS does good work (please no retarded flames on this, I won't respond). However IE is just not worth using as a web browser these days. I have switched to Firefox, switched all lab systems I control, and recommend to everyone that they switch. It is just as fast, in my experience, has support for more of the W3 standards, and is more customizable. The only area it falls behind in is rendering broken code, and that's rare enough it's not a big deal.

    The security issues are another consideration as well. ActiveX controls in a webpage were a nice idea, as a way to add neat functionality, however it simply opens up the possibility of too many exploits. It's not a matter of doing better checking of code or such, it's just too much power for a website to have.

    So, even liking MS generally, I have to recommend against IE. Firefox is currently better in all the ways that really matter.

    Also, I've noticed some people mention online banking as a problem. Bank of America works fully with Firefox and has generally been a decent bank. Though I imagine if Firefox grows much more, banks will have little choice but to support it.

  4. What did Microsoft do to SP2 by Nuskrad · · Score: 5, Interesting

    I'm running XPSP1 with all critical updates installed. To get the exploit to run with IE on my computer I have to manually change the security level to low, allow an unsigned ActiveX control to run when it warns me I shouldn't, and confirm the overwriting of files. What the hell did Microsoft do in SP2 to make it vulnerable?

  5. Re:No explanation about what the test does... by js7a · · Score: 4, Interesting

    This is a pretty good security advisory. It looks like it was actually meant to be understood by end users, and not just other security professionals. Then again, it seems to be taking a measurement without obtaining explicit permission first, and I'm sure that makes people nervous. But under the circumstances, it's probably not a bad decision to just go ahead. I mean, why not?

  6. So what you're telling me is that by TrekkieGod · · Score: 4, Interesting

    this has been known for 3 months and there are still no patches available from Microsoft? According to Windows Update, I'm fully patched, according to their test page, IE is still vulnerable. I think that's even worse than it being a new vulnerability.

    Lucky me that I use Firefox, and just got IE out to try out that test. And don't give me stuff about "turn off ActiveX" or some bs like that. The point is, how many non-tech savvy people think they're safe because they've done what we told them to do and kept their computers patched?

    --

    Warning: Opinions known to be heavily biased.