Slashdot Mirror
Extremely Critical IE6/SP2 Exploit Found
Spad writes "Secunia is reporting on three vulnerabilities in IE6 running on XP SP2. Any of these, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user's system. Moreover, the vulnerability can be used to delete files from the user's system. Secunia says 'Solution: Use another product.'"
They've also posted a test site.
No, you click it first.
delete IE?
or maybe install Firefox?
If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison
Hmm... I tried the Secunia site and IE just blocks the activex control, saying it's unsafe.
The jmcardle site gets past IE, but Norton detects it and immediately blocks access. Nothing happens.
Even a fully patched sp2 is in danger. Good news for Firefox fanboys?
One would assume that any vulerability that could run arbitary code would be able to delete files.
We need a worm/virus that deletes everyones files. That would make keeping your computers patched a high priority for most of the users. At the moment, viruses are just something that affects and annoys "other people"
Get your own free personal location tracker
Well, you've been lucky, one of these days you are going to run afoul of one of the more dangerous internets.
This post is both insightful and flamebait at the same time. I love how objective people are(n't.)
It was mandatory for us to switch to Mozilla. Problem is all our financial vendors make use of Active-X.
Result: Now we use Mozilla for casual browsing and use insecure products only when conducting important business!
You explain to me why a three month old bug deserves Front Page status, and I'll apologize for feeding the trolls.
I use Mozilla. I tried that test link, nothing at all happens. I have SP2 installed and all configured proper - except IE, which I didn't bother to touch at all since installation. I figured, hey, I've got an 'untouched' copy of IE here. I open it, I go to the test site, I click that link: WHOA. Holy crap. Help document pops up, and then (the scary part) a command prompt flicks open, does SOMETHING, and then a new window is up. Yikes. I guess some part of me always hoped these exploits were exaggerated in their swiftness and ability to bypass your input.
You explain to me how Front Page Slashdot is above posting three month old news, and I won't mod you flamebait.
/hug ibook
We'll all be lucky, because IE won't be updated to handle the newer internets until many years later. ;)
it's an IE feature.
Solution: Use another product. At least that is what their site said. They also mention workarounds, but that would imply that I have to work... hmmm, no I'll accept the risk and reimage the machines who are affected.
Pardon the technical terminology
With Safari 1.2.4 (v125.12), I get a "Safari cannot find the Internet plug-in." error dialog and then the beachball of death. Joy. Well, at least it's not opening the terminal.
I have made my own little extreme sport out of it. I fill my old box with all of my financial information, and surf around using IE. I think Microsoft is pretty impressed, because they keep sending me boxes of Viagra and dog crap.
http://secunia.com/internet_explorer_command_execu tion_vulnerability_test/
is a test page containing a link if you left click on it and a window opens your vulnerable (it didn't do anything in Firefox)
Blarney Quality Restaurant, Plants
#!/microsoft/bash
After today's pro-Microsoft articles, its about time we got back to bashing!
Yeah, well, I guess corporate IT depts are probably struggling with mgmt to implement company-wide changeovers, especially for all those companies that are Microstooges and have big service and standardization contracts, yadda yadda yadda. But for all you individuals out there who aren't experiencing the Browsing Bliss that is Firefox, preferring IE to downloading a small file and doing a simple install, well, I don't pity you any more than anyone who walks into a dynamite factory and says, "Man, it's dark, anyone got a match?"
Chr0m0Dr0m!C
You know what? I'll just stop using the internet. I'll just .................
What's scary is that page doesn't even detail what the test will do on your machine! Clicking the link is risky enough even if you did know what it was going to do (ie. how do you know their server hasn't been compromised and the test altered).
All it says is "The test requires that you have Windows installed in 'c:/windows/'." Uh... Why? is it actually doing something in there? Does it just need to access cmd.exe?
Click at your own risk, indeed. I suggest running it on a machine that you plan to reformat or under an emulator like VPC.
although it requires a bit of messing around. IE - Tools - Options - Security.
select Internet Zone; click Custom Level; set just about everything to Disable or Prompt.
select Trusted Sites; click Sites; remove https requirement (because the use of https is no guarantee of safety). Then go to Custom Level, then set some items to Prompt, most to Enable.
This way, anything that isn't in your Trusted Sites list can't get up to any substantial shenanigans. When a page doesn't work, add the site to the Trusted Sites list.
Then, even if the page is one that attempts to initiate a cascade of pr0n sites that only open more up each time you close one, it may be able to open the first level of the cascade, but unless the cascaded ones are also on your Trusted list that's where the cascade will stop.
Some pages redirect you to another site; some have frames on different sites and so on, and this can get a bit tedious, but for the most part this makes IE6 invulnerable to Secunia's tests.
Also I only use IE for secondary browsing, where something REALLY won't work in Firefox, which is also protected by Proxomitron.
Why not just put it into .hlp files like it used to be? I don't recall any security issues with those.
.hlp file parsing program. The vulnerability is forged from a decoding error within the .hlp header. A perpetrator can exploit the flaw by triggering a heap-based buffer overflow."p /11778_3452081
Not since December 27 2004, anyway...
"XFocus also reported a hole in winhlp32.exe, the Windows
http://www.esecurityplanet.com/patches/article.ph
"I've got more toys than Teruhisa Kitahara."
I believe there are now exploits in the wild, or exploits poised to get out in the wild -- which is why the rating was increased.
Having a vulnerability is like having a broken lock on a window. An exploit of that vulnerability is a burgular who is going around your neighborhood using windows as the entry point. In my opinion, exploits are a more serious concern than the vulnerability itself and warrant the increased amount of news on the topic.
Yeah, similar thing here - I use either Mozilla or Firefox at work and at home for pretty much everything, but the company timesheet site and internal website (including things like the phonelist) refuse to work under anything other than IE.
Good work guys, it wouldn't have taken any more than a couple of days to figure out how to get your frigging menubar to work in a way that didn't require the security equivalent of a gigantic Swiss Cheese.
I use Sophos Anti-virus - and it alerts on the cached copy of the test page as containing a virus/exploit EXP/Phel-A:
. html/
http://www.sophos.com/virusinfo/analyses/expphela
EXP/Phel-A detects files that exploit the HTML Help Control Vulnerability which affects systems installed with Microsoft Windows XP Service Pack 2.
This vulnerability allows arbitrary code execution on the vulnerable system by bypassing security constraints established by the operating system.
As for the internet, let's be serious. Anyone who, since 1995 (when ActiveX was introduced), has used MSIE on the internet, is just plan stupid, and has never had a reasonable expectation of either security or privacy. This has literally been known for nearly a decade now. "Fool me once, shame on you. Fool me 621498 times, shame on me."
in the article up there...
a tion: C:\Documents and Settings\User\Local Settings\Temporary Internet
the link to
http://www.jmcardle.com/?postid=77
is a VERY BAD PUPPY. tried to crack my browser's head.
Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Bloodhound.Exploit.21
File: C:\Documents and Settings\User\Local Settings\Temporary Internet
Files\Content.IE5\41AJW52F\jmcardle[1].htm
Loc
Files\Content.IE5\41AJW52F
Computer: MYPC
User: User
Action taken: Clean failed : Quarantine failed : Access denied
Date found: 9 ianuarie 2005 12:45:25
``Secondly, why in the HELL is anyone using HTML files for help documents?''
Why not HTML? Windows help is hypertext, and HTML is the standard for exactly that. I'm all the happier when people use standard formats rather than proprietary ones.
And for the record: HTML is completely secure. It's just data that gets rendered. Security holes are always either in the code that processes the HTML (which is a problem with that code, not with HTML) or in extensions (which is a problem with the extension and the program that uses the extension).
Please correct me if I got my facts wrong.
... I heard of an IE/Windows vulnerability, I'd be as rich as Bill Gates.
Are you saying the exploit doesn't work? Certainly seems to for many posters here.
What does this information got to do with the bugs he found on Internet Explorer? You know, even if you dig up his mother's name it wouldn't change the fact that he actually found some serious flaws in IE SP2.
I'm a Windows guy, and generally I think MS does good work (please no retarded flames on this I won't respond). However IE is just not worth using as a web browser these days. I have switched to Firefox, switched all lab systems I control, and recommend to everyone that they switch. It is just as fast, in my experience, has support for more of the W3 standards, and is more customizable. The only area it falls behind in it rendering broken code, and that's rare enough it's not a big deal.
The security issues are another consideration as well. Active X controls in a webpage were a nice idea, as a way to add neat funtionality, however it simply opens up the possibility of too many exploits. It's not a matter of doing better checking of code or such, it's just too much power for a website to have.
So, even liking MS generally, I have to recommend against IE. Firefox is currently better in all the ways that really matter.
Also, I've noticed some people mention online banking as a problem. Bank of America works fully with Firefox and has generally been a deceant bank. Though I imagine if Firefox grows much more banks will have little choice but to support it.
Moreover, the vulnerability can be used to delete files from the user's system
Maybe someone can write a worm that will exploit this "feature" that will delete IE for the user.
I'm running XPSP1 with all critical updates installed. To get the exploit to run with IE on my computer I have to manually change the security level to low, allow an unsigned ActiveX control to run when it warns me I shouldn't, and confirm the overwriting of files. What the hell did Microsoft do in SP2 to make it vunerable?
I use firefox to begin with only because it is as close to W3C standards as you can get now a days. IE6 like all the IE products released by Microsoft have had these problems with security. I have been using Linux (9 years) and Mac OS X( 3 years) and unfortunately because of my job and school had to use Microsoft. If anyone is surprised about this they should wake up. More people need to complain to Microsoft because as a business they will continue to slack unless consumers put them in there place.
Speaking about consumers my girlfriend and all her friends are not computer savvy all of them refused to delete IE and use firefox. [Note: 2 months got gf to switch from IE to firefox! Next step Linux...]. So telling people to use another product lets be realistic the majority of people that use MS and not computer savvy tell them to change is like pulling teeth.
Mostly due to inertia. Some jsut don't know about Firefox (remember Joe Avverage doesn't read /.) however many don't want to switch. We've had this fight at work with Firefox and Thunderbird vs Netscape/IE and Eudora. Used to be (like 5+ years ago) that Eudora was the recommended e-mail client. Not the case anymore, Eudora bites, IMO, and the new versions cost money or have ads, so the people are using v3. Users got to choose their own browser so it's split between IE and Netscape 4.
Well, all computers accounts are being upgraded, and most computers are being replaced, so this is a perfect time to switch. I mean why wouldn't you? The tech staff does all the setup, will answer any questions, and the programs are better. Well, there are a number of people that are just set in their ways and refuse to change. No good reason is given. Basically, they don't wnat anything to change.
For that matter we've had to force computer upgrades on come people. I mean most people would love to get a faster computer, however some are so set in their ways they don't want to change. We are forcing the issue on anyone with an NT4 or Solaris 8 computer and some of them are NOT happy.
It seems inconcevable to geeks, that ALWAYS want somethign faster, better, newer, but it's more common than you might think.
We keep hearing of new exploits, of new security vulnerablities in XP at least twice a week and at least 10 times more often than we hear about Linux.
But I just haven't seen a single vulnerablity report about Windows Server 2003. Maybe I missed them. Maybe the system is so little known that people don't use it and don't find bugs. Maybe the cases are swept under the carpet too fast... and maybe the system is just secure?
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
I am using XP with no service pack and still on IE ver: 6.0.2600.0000.xpclient.010817-1148 and the exploit did not work... :-/
:-(
boohoo for me
Hey can someone please tell me how I can find out where my windows is installed? It says here http://secunia.com/internet_explorer_command_execu tion_vulnerability_test
that windows needs to be installed in c:\windows\ for their test exploit to work 'properly'
Computer specs: iBook g3 800mhz...
I hope that helps a little
Thanks for the description.And that is exactly what I'd like to know.
In that case, you'll have to use the honour-system, and manually delete some stuff, and maybe write some arbitrary files.
Thanks in advance.
Not really, but im sure there's a way to make this flaw install linux instead :-)
"...a generation of kids has grown up thinking Trance is the shittiest music since country and western." - Paul van Dyk
It looks like SP2 was just the usual patch-collection and the crackers just needed a little bit time to adapt to it.
Ah... even scarier than I imagined
I just clicked the link and it downloaded the EXP/Phel-A virus (only when I use IE, not Firefox). Sophos Anti-Virus picked it up and gives this advisory.
If Sophos isn't mistaken, the Secunia site is infecting visitors with viruses?!
"It's not your information. It's information about you" - John Ford, Vice President, Equifax
I did get a bunch of Ubuntu CDs while their free and give those out to anyone that is interested in Linux. Especially after I answer the question, "How do you deal with it?" with "I don't. I use Linux."
FYI I pretty much never use IE so everything is on default setting.
is to disable ActiveX
I used to send out chm files with all my programs, then I discovered they were useless under Wine. (The apps were fine, but users couldn't view help because it uses the IE engine.)
So, all my help files are now html files in the HELP folder, with images in a subfolder. From within the program, they open in your default browser but you can also open them manually in any browser. While indexing isn't possible you can still use Ctrl-F to search. (When the help file resides on the local computer, there's no problem sticking it all in one big file with a TOC and lots and lots of 'return to table of contents' links.)
Hal Spacejock: Science Fiction with Nuts
Mozilla and Firefox flaws exposed
"The most serious flaw involves a buffer overflow bug in the way Mozilla processes the NNTP (news) protocol. The bug creates a means for hackers inject hostile code into vulnerable systems, providing they trick users into executing maliciously constructed news server links"
Of course half the problem with these kinds of 'update your software now' fixes is that so many people dont, even when its a no brain operation like using windows update.
And this is why I use Firefox.
http://www.starnix.com/banks-n-browsers.html VERY comprehensive list of banks who will work with Linux -- which is basically the same thing. If you're browser agnostic, the OS shouldn't be a deal.
...this unpatched XP laptop is not vulernable to the exploit.
Guess it isn't as extremely critical as they say.
I am very small, utmostly microscopic.
I had a similar issue at work. Happily, setting ffox up with the IE icon left many who didn't realize that a change had been made (they've just assumed it's an upgrade)
I have McAfee virusscan 9.0 installed.
Clicking the test link with IE proved that my system is vulnerable (if using IE, which I'm not, ofcourse). I had expected McAfee to block this web page, but it didn't. So I went to the internet security options panel in IE, and disabled all ActiveX controls.
But lo and behold, McAfee virusscan stopped working!
All their dialogs and panels seem te be using IE's HTML engine for display, and all I get now is first an error "your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly" and then an empty window when trying to access any of McAfee's information or settings dialogs!!
What a load of crap. I will send them a complaint, and remove their product from my computer right now, to replace it with a good, free virusscanner. Any recommendations? Thanks.
What moron modded this flamebait? The parent makes an excellent point. The average person is still worried about viruses and attacks that damage a computer. He worries a virus could delete his Quicken files, but thinks it's safe to send his PIN to his bank's site because the little padlock appears.
Users need to be educated that real damage happens when their data are read by someone else, like phishing, datamining, and whatnot. Simple data loss can easily happen without malice.
Troll? How is this a troll? At worst, I would say it's a poor joke. Mind you, I laughed. So, to the mods of /., take the broomstick out of your rectum and laugh at funny jokes.
Dear editors,
I am glad I have provided some entertainment on a slow day. Now could you please return the favour.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Plugins pretty much bust the browsers sandbox model. If I was a cracker that's what I'd be concentrating on, writing rogue plugins or trying to break the current ones. Plugins probably have the security as the lowest priority, expecially the spyware ones.
"How do you deal with it?" ... "I don't. I use Linux."
Ah, security through obscurity!
Unless you want to argue that Linux applications are inherently more secure, the main source of protection for Linux users is that it is not as common a target as Windows. All software has bugs, even open source.
Even Multics, which was designed to be secure and to run on hardware which supposedly was more secure had vulnerabilities. Just Google up the Air Force report on Multics holes.
Well, that really should only concern you if you have users on your computer that you don't fully trust. Internet Explorer, on the other hand, is used by 90% of the population, and can be exploited by almost any website. Which is worse, I wonder?
Absurd! What will do you when a new exploit appears that your Sophos antivirus doesn't detect yet?
:-)
Let me tell you: you will be screwed.
Switch browsers immediately!
In case anyone missed this, it was reported to Microsoft on 2004-10-13.
Three months later, no sign of a patch.
v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
In other news eating dog shit can make you ill..
This comment does not represent the views or opinions of the user.
creating a non-admin user for web browsing This assumes that there are no local exploits to promote users to superusers. It is a much better idea to use a secure product, rather than hoping that there are no security vulnerabilities in the Windows kernel.
I'll probably be modded down for this...
...(reported to Microsoft on 2004-10-13).
That's almost whole 3 months. And since then no vendor patch for such a critical bug found in a major product. Not even a warning or anything. That must be the service that any microsoft software user would expect. Wondering if this is a promotion campaign for their new virus and spyware tools.
This bug and some recent others again proved that Microsoft embedded Internet Explorer in such a way that you can't distinguish it from Windows Explorer.
The source code for the exploit is all there. Use view-source.
I'll probably be modded down for this...
AVG Antivirus.
Anyone else think this came just in time to remind those who got too smug regarding the recent linux local exploit? ;)
I think the main difference is if you run version 1 of Firefox you aren't affected at all. It is also extremely difficult to exploit this bug, if you, indeed, can. This IE vulnerability, on the other hand, is valid on a fully patched system, and easily exploitable.
The other hole, by the way, doesn't work so well if you've resized your download window (since Firefox keeps the old download window size and position) at any time, or you have a different theme installed.
I think this is just a case of "RTFA", though you're the one who supplied the article.
There was an article about those flaws.
which only one was nearly as dangerous as this but was fixed in the current mozilla, firefox versions.
while (!asleep()) sheep++
Secunia says 'Solution: Use another product.'"
:-/ Otherwise it'd be scary to use XP for gaming...
Sometimes these exploits can target you even if you don't use IE due to the integration. Hopefully not the case here.
Beware: In C++, your friends can see your privates!
Take my younger 18 year old brother for instance. He's hooked into Internet Explorer and MSN like a Great White on a bloody fishing line... no matter how many trojans he seems to pick up - the last one was very nasty, lots of random .exe's dotted around his system - he still won't change. I say "You shouldn't have to reinstall XP every 2 months", he says "I like a clean system!". Talk about banging your fucking head against a brick wall
...Telnet from a CMD.EXE prompt, since even HyperTerminal has vulnerabilities and most of the alternative products are communists (although maybe that's just how Bill pronounces "communities").
If you want to poke fun at the whole idea, buy one of these (buttons coming when I can figure out what to fit in a 2.25" circle).
Got time? Spend some of it coding or testing
I'd mod that up if I could. AVG rocks. No bloat. Also you might want to try clamwin, but AVG is better imo.
--
The last digit of pi is four.
I am sorry that I cannot reccomend any free virus scanners. The *only* virus scanner that I ever reccomend to anyone now is TrendMicro. After working with it for a while now, I almost refuse to fix problems with McAfee and Norton. Both of them drastically slow down a computer, and both of them miss viruses that TM finds regularly.
If you'd like to see it in action, go to Trendmicro.com/download and click on "Damage Cleanup Engine", download "sysclean", then go back and click on "Virus Pattern File" and download the latest (currently lpt335.zip). Unzip this into the same directory as sysclean and run it.
This solution won't stay in memory and scan everything that accesses your computer or HDD, but it will find viruses if you have any.
~Will
sig?
He's not an MSCE yet. He failed TCP/IP - he's not even bipedal!
It would be cool if it didn't suck.
I just e-mailed Steve Jobs basically the same thing about the Safari Browser. If Apple ever hopes to make it into the enterprise, they're going to have to include at least equivalent functionality for developers to, er, exploit.
It's not offtopic, dumbass. It's orthogonal.
Yeah, but with grsecurity and selinux, the amount of damage anything can do automatically is pretty small.
Put identity in the browser.
Alwil Avast antivirus http://www.avast.com - I've been using the free version for about a year now, and decided to start buying there Professional version it is that good! avast! 4 Revision History: http://www.avast.com/eng/av4_revision_history.html
/. is good for you.
What's really funny is I warned a vendor last year that security issues related to IE were going to be an ongoing problem and they should look at moving away from the IE only application they were providing. They told me, less than politely, that IE was the number one browser in the world and I could basically STFU.
Sure glad I saved those emails....
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
I'd combined those two some time ago to make pinwheel of death. Hadn't thought about it in terms of a beachball before...
creation science book
Secunia says 'Solution: Use another product.'
:)
It seems like everyone is on the "Switch to Firefox" (I realize they didn't specifically name Firefox) bandwagon. Which I cannot be wholly sure if I like? Blind allegience to what happens to be my favorite doesn't make me any happier because the real goal is to educate.
If everyone mass-switched I fear it will belittle the point. I believe people need to SEE why they should do something, not just do it blindly. If it takes for them to be affected seriously, so be it.
i.e. You never truly understand the power or usefulness of saving every few lines of code until it saves you.
When modding "Informative", please make sure it both has a source and IS actually informative.
I use Firefox or Mozilla and am in the process of weaning myself off of Windows... but am I wrong in noticing that a certain amount of open-source propaganda has found its way into these security advisories?
I've decided to try Anti-Vir (free-av.com) for a while, I heard good comments from other people too about this one. At least it seems to work fine with thunderbird too.
But the main point of my original comment was that McAfee decided to use Internet Explorer itself, one of the main sources of leaks and infections, as part of their own anti-virus product!
This must be the result of someone having some serious brain damage over at McAfee's.
Lucky me that I use firefox, and just got IE out to try out that test. And don't give me stuff about "turn off activeX" or some bs like that. The point is, how many non-tech savvie people think they're safe because they've done what we told them to do and kept their computers patched?
Warning: Opinions known to be heavily biased.
As you can read in my comment below about McAfee Virusscan 9.0, disabling activex in internet explorer breaks every settings and information panel of that virus scanner.
Great. A virus scanner that contains IE.
(I deinstalled McAfee an hour ago).
Only if your default is to not have SP2 installed. RTFA.
Since Microsoft recommended everyone upgrade to SP2, and since SP2 INTRODUCED the vulnerability, I'd say your system isn't "default", and most people, by default, are vulnerable.
"Linux zealots", indeed.
Kythe
The code for the web page is designed to specifically target Windows XP SP2. The code modification required to make it target multiple versions of Windows is trivial.
This reaffirms the adage that no software is "absolutely" secure/bugfree - just relatively better/worse than other software. Pick the one you feel is more secure. Both Firefox/IE-SP2 will have flaws.
Btw, I must admit that I use Firefox as my primary browser and this did not affect me.
I don't think something can be "extremely critical." That's like calling something "very unique."
``Secondly, why in the HELL is anyone using HTML files for help documents?''
.hlp format which has been around since the dinosaurs. Newer applications usually don't use this anymore for any number of reasons, not least of which is that the help compiler uses .rtf documents as the source.
Why not HTML? Windows help is hypertext, and HTML is the standard for exactly that. I'm all the happier when people use standard formats rather than proprietary ones.
Actually, windows has 3 helps systems. The old
The more common help format these days is the HTMLHelp format which is based on yes, you guessed it, HTML. The advantages of using this are obvious: You can create your help files from HTML which you can also use on a web site. Also, there are a lot more tools for building HTML than RTF. HTML has more functionality, you get scripting support, and so on and so forth.
Then Microsoft also has the format that the MSDN uses. This is sort of an upgraded version of HTMLHelp and like HTMLHelp, it's based on HTML as the source. The files have a different format that allows for more extended functionality, better support for grouping of separate files and better support for very large files, among other things.
LOL. Assuming they don't live under the bridge, I think someone jumped to conclusions. That never happens on Slashdot thank god. <grin>
Your use of Proxomitron caught me attention. I use it regularly at work. (Probably typical scenario: developers use Firefox for regular use, but company mandates IE, so we target for IE... slowly getting all developers to `test` in Firefox too.) The log window has helped the team debug some odd session issue. There seem to be some good Linux progs to do the same thing, but I haven't found a Windows program that holds a candle to Proxomitron. Real gem. Did the programmer ever release the source?
What's the user-agent stats for views of this news item?
:)
If I'm not mistaken, not long ago, IE was still the browser of choice for slashdotters....
(submitted using Firefox
Or just use Maxthon, which adds tabbed browsing popup blocking etc to IE. And I tried the vulnerability test with Maxthon and wasn't vulnerable. See, you don't have to use Firefox, you can stick with IE and just get Maxthon. Microsoft all the way!
AVG Personal Edition
DJ kRYPT's Free MP3s!
With all these exploits and viruses/worms out in the wild, would it be practical to provide computer insurance?
user@host$ diff
The flaws posted on Firefox/Thunderbird are, and have been, fixed in the current versions. Those flaws only affect the non-1.0 versions of both pieces of software.
Now, knowing that one could say "Well why on earth was that a big deal then if its already fixed?". The answer is a lot of businesses tend to stick to something they know works. Which means they sadly tend to not update as often.
So, it was a recent enough flaw that, despite having already been fixed, needed to be made known. All that said, a lot of the articles on the flaw were misleading because few clearly mentioned that if you had the latest version, you didn't have that problem.
As for IE, its real problems these days are:
1) ActiveX
2) Integration with OS opens up too many potential pitfalls
That's it really in terms of security. And, as has grown increasingly obvious over the last few years, this isn't a problem that is going away despite this endless patching. Until MS comes up with a new and viable alternative to activex, and until they seperate the browser out from the operating system, they will never be able to truly secure IE.
Is anything ever perfectly secure? No, everything has some sort of flaw somewhere that has any level of complexity to it. But, as in the case of many alternative browsers, you can make them secure enough so that any secondary watchdog programs(spyware catchers, anti-virus, etc) can nail anything that slips through the cracks.
You are who you are, let no one tell you different. But, never close your mind to a new point of view.
Try AVAst - it has free "home" version for home/uncomercial use. Free version goes without some advanced stuff (like vorking with MS Active Directory, reporting etc.) suitable mostly in networks of installations not single computer. AVAst interface is a bit ugly (but can be skinned), but at least it does not depend on retarded mshtml.dll controls. And it's detection engine is one of fastest (I cannot remember article with test right know, just belive me :))...
http://www.avast.com/eng/down_home.html
Then watch as people bitch (or sue!) because IE-specific ActiveX apps such as Windows Update and CartoonNetwork.com's Kids Next Door: Operation BEST stop working. I'll take an educated guess that at this point, it'd be too much of a pain for Cartoon Network developers to reprogram a 3D game such as Operation BEST to 1. be written in Java rather than C++ and 2. work with Java 3D's scene graph model rather than the Direct3D model that the current client uses.
Of course, I would argue that open source is more secure - for 2 reasons.
1. The "many eyes" phenomenom, as everyone points out lots of people look through the code for security holes - and many even report them. College students are even required to look for them to pass some classes! The more closely the code is examined the less errors it has, and the less significant the errors. For example, say someone on Mozilla figures out a new vulnerability in Mozilla's use of some function. Because the code is open, the problem is open, etc. other developers will check their own projects for that particular problem. This type of psuedo-calaboration can't happen without open source and open reporting.
2. Open source inherently leads to a more diverse operational set. How many versions of sendmail are there? Each one has it's own stack offset, etc. Sometimes even a recompile on a different system can break an attack vector! That means that for many exploits, the target audience is greatly reduced.
while (sig==sig) sig=!sig;
Someone modify the white-hat code into some other white-hat code...except instead of just doing a mkdir or opening IE, show a typical joe-blow user exactly how dangerous this really is. I don't know how... perhaps display a dialog box that says something to the effect of:
And have the program put a Firefox link on the user's desktop.
Now I realize that this may make some people cringe: "But you're making people think that Firefox users are hackers!" The idea is not to send anyone the link to this quasi-malicious page. The idea is to put a link to it in your AIM/Yahoo! Messenger/forum sig/etc. Show it to friends. Word of mouth is incredibly powerful, as you may know.
IWARS.
People, in general, disappoint me. Politicians even more so.
And if you route your direct deposit to them
I make most of my money from doing odd jobs for individuals or contract jobs for small businesses. If they write me checks, I can't deposit them in any ATM in town. How can I get people who typically write me checks to set up direct deposit?
The more common help format these days is the HTMLHelp format which is based on yes, you guessed it, HTML. The advantages of using this are obvious: You can create your help files from HTML which you can also use on a web site.
I tried to hex-edit the .chm files, and I couldn't find any readable text. Why didn't Microsoft stick to standard HTML in a standard packaging format (MIME or PKZIP)?
This exploit uses the the following file: c:/windows/help/ntshared.chm. Maybe a quick solution would be to delete or rename this file?
http://saveie6.com/
I have to disagree with you on this. The most scrutinized combination right now is Windows/Firefox because it's starting to take a bite out of IE's market share. If you don't think there's a team of Microsoft-funded gremlins whacking the bejesus out of Firefox in a dungeon somewhere, you haven't been paying attention.
Same here. Scary shit.
Many slashdotters reading this at work could have their jobs on the line or could infect their pcs.
I think emailing cmdtaco and perhaps puting an update on this story saying the site will upload a virus to your system might not be a bad idea too. After all slashdot could be sued as a result.
Nasty stuff.
http://saveie6.com/
There was another advisory about a month ago mentioned here on slashdot with hijacking someone visiting a site using activeX.
my guess is a cracker saw this story on slashdot and is hijacking the communication with the activeX controls with the virus.
This bug should have been fixed already.
http://saveie6.com/
A bit off-topic, but I have to admit I am a big fan of htmlhelp aka CHM files. At least in principle.
The idea that one can "compress" a bazillion html files into a single indexed file (single or double paned window) that is easily both indexed and easily searchable file seems, at least to me, the cat's meow.
Not sure what you mean by the MSDN format. The so-called MSDN menu you can add at compile time, but as far the "features/standards" promulgated by Microsoft for the designing of CHM files, I think they're mostly rubbish.
Please let us know.
http://www.people.virginia.edu/~pg8p/
It downloads firefox, and begins the installation -- that's it.
I could've very easily move iexplore.exe and adjusted icons and everything, but let's play this the white hat way. Enjoy amigos!
Why are people so histerical and scared of using free software ?
Because they have kids who play PC video games, and there aren't nearly as many free A-level PC video games as proprietary A-level PC video games.
It's either critical or it isn't. "Extremely" is redundant.
That's pretty amusing. A virus scanner that relies on a component that may be a vector for viruses and trojans, and a known vector for spyware.
Embedding IE is simple for the programmer, but the security settings are so confusing for the user that it's possible to inadvertantly tighten security too much for local applications, which causes the errors that you speak of. After the existence of security holes themselves, I think the next worst part about IE is its incredibly confusing set of security settings, especially on the Group Policy side. It's difficult to secure something when you don't understand how its security works.
Yeah, I have always had a very low opinion of Secunia. Hopefully Microsoft sues them.
For a good virus scanner -- my best suggestion would be to bootup on a Helix Linux LiveCD and scan it using clamav.
/dev/hda1/; clamscan /dev/hda1/*
open a terminal:
sudo su; mount
Symantec AntirVirus Corp edition caught this no problem. Symantec had this one taken care of since Dec 25th.
Bloodhound.Exploit.21 is a heuristic detection for files that have been designed to exploit the Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability (BID 11467). The vulnerability is still unpatched by Microsoft as of December 25, 2004.
Mods,
Any reason not to bump the above post up?
I thought it was very informative.
v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
ActiveX is the only real thing keeping anyone intelligent using IE *at all*! And let's face it, only someone who knows what they're doing even knows *how* to disable ActiveX.
Because some essential but stupidly-designed sites refuse to work without ActiveX.
So if you're going to run a browser that won't work with some sites, why not just switch to another browser altogether?
There has to be a way to prevent things like buffer overflows and stack protection.
Yes. It's called Java technology, and it does so without any sort of digital restrictions management. However, the Firefox team still wants to target machines that are too slow or have too little RAM to run Java programs effectively.
Respectfully, I don't think this is an adequate solution. One of the things that makes the Internet content-rich and broadly opinionated medium is the accessibility (and forgiving nature) of HTML to the average user, and each browser's relative tolerance to malformed code. I think an important part of keeping HTML free (as in speech) is keeping it readable with the eyes and writable with the fingers in its source format, without a required authoring program acting as intermediary.
When you let people markup their own text, you will run into some non-spec pages, but the alternatives for a non-pro seem pretty poor:
use Word to make your web pages (we're talking beginners, here)
Try to hand-hack it, get XML PARSING ERROR 5 or six times (darn you Safari, even if you're right), and eventually give up because you never see that paragraph tag you forgot to close.
To specifically respond to your point, IF no browser rendered broken pages, all pages would be correctly built, BUT, only about a quarter of them would exist, only professional ones would look nice, and the pages extant would represent the views of far fewer numbers of people.
Don't blame me, I voted for Baltar.
There is also a Windows wrapper for ClamAV called ClamWin over at SourceForge:
http://sourceforge.net/projects/clamwin/
Which has recently been renamed AVG Free Edition
The ______ Agenda
It might be in your bochs. If it works on OS/2, it's got to work for you!
Don't forget to save an image before you blow it up.
Friends don't help friends install M$ junk.
The real issue, as I see it, isn't that Internet Explorer is fundamentally flawed. The problem is the way that Microsoft installs the thing by default. The security zones and options give you a lot of flexibility, and allow you to take advantage of ActiveX controls but that should obviously only be done on sites that you explicitly trust.
The default configuration for IE should be that the Trusted Sites zone should be setup like the Internet zone is now; the Internet zone should not have ActiveX enabled in any form, and scripting should be limited. Any site accessed by IP address and not a domain name should be automatically considered to be in the Restricted zone where everything is disabled. No changes to IE itself, just how the security settings are configured by default, and you'd have 99% of these types of exploits go away. If a user wants to access a site that has all sorts of ActiveX scripting and so forth, then they can decide if they want to add it to the list of trusted sites.
Why Microsoft refuses to do this, I have no idea.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." --Albert Einstein
Microsoft takes security very seriously. Come on, patching IE is against their needs. Their entering the AV and AS market!
eKlode your senses.
Even better, what will he do when someone modifies the exploit so that Sophos misses it? I assume Sophos only sees the original HTML, not every intermediate call to e.g. eval(), so it should be easy.
The shareholder is always right.
to me always implied deltree /y c:\*.*, so deleting files is nothing new, we are just lucky that most computer vandals are not complete computer anarchists.
Oh well, what the hell...
Just when I switched back to IE after learning the 3 new mozilla vulnerabilities... *cries*
I keep telling freinds and family about the danger of MSIE use , Do they listen ? no. Ive wasted Countless hours fixing peoples systems and clearing out mounds of malware,Straight after i give them a little talk about why they should only use MSIE when They have no other choice(Win update or some sites). I go into depth about why its a Simply a bad idea Do they listen... No. So i continue waisting many many hours of my life sorting out peoples PC's Whats worse is these people have children And the kids see the parents using the software and slowly they become addicted to using it, weening them onto firefox gum is tricky they dont want all the benifits(plus some) with non of the major risks I go into depth about the many pc health risks such as Impotent conections and High bug presure 'Its time to think of the children MSIE may make you look big and cool but lets not give in to peer presure. Remember people if you want your conection to live to see your grandchildren on your messenger service and not have your zombie windows pc corpse choking at the first sign of a animated gif Well i better stop my rant on doing things that are bad for your health*Lights up a cigar , and downs a beer* Ahh now thats good hipocracy
To prevent it from spewing rotten eggs all over the neighbourhood ? Hmm, I'd really have to think about that.
In Soviet America the banks rob you!
possibility?
-The Royal Jugglist
...except that you're not.
There has been a vulnerability, but it was never an exploit because no one ever actually made an attack with it.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Was anybody surprised that some other bug was found in M$'s swiss cheese?
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
"Ah, security through obscurity!
Unless you want to argue that Linux applications are inherently more secure, the main source of protection for Linux users is that it is not as common a target as Windows. All software has bugs, even open source.
Even Multics, which was designed to be secure and to run on hardware which supposedly was more secure had vulnerabilities. Just Google up the Air Force report on Multics holes."
Aha! Correct, you just hit the nerve of many Slashdotters, however, you are not completely right,
Maybe with Linux, but definately not with Firefox, critical/security-related bugs are dealt with quickly, and on a regular basis, granted, some seemingly critical Firefox bugs have sat in Bugzilla for a LONG time without being fixed, that is not the case with most of them, I am quite willing to say: Firefox has LESS bugs then Internet Explorer, even if it would appear the lack of problems comes from the fact Firefox is less used, I believe that is not the whole case.
[/rant]
And most ominously, it means that that company has control -- they could use their vendor lock-in to kill actual open standards (by not supporting them), create other proprietary standards to lock people in even more, and maybe even acquire enough power to get laws passed to legally require the use of their software! That would open the door to even more fun little horrors, the least of which would be taxing the use of the standard.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Security Update for Windows XP (KB123456) A security issue has been identified that could allow an attacker to compromise your Windows-based system and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
Extremely Critical update
Security Update for Windows XP (KB123456) A security issue has been identified that could allow an attacker to compromise your Windows-based system and gain control over it and subsequently gain full control of your mind. You can help protect yourself and your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
This looks pretty serious too:
http://www.securityfocus.com/news/10248
Why no headlines?
Remember... ZG9uJ3QgZm9yZ2V0IHRvIGRyaW5rIHlvdXIgb3ZhbHRpbmU=
But I use Mozilla... not IE. Snicker
I am sorry that I cannot reccomend any free virus scanners. The *only* virus scanner that I ever reccomend to anyone now is TrendMicro. After working with it for a while now, I almost refuse to fix problems with McAfee and Norton.
I really, really agree. I remember the gold old days when McAfee was an excellent product and a lot closer to being actually free. Norton was always up and down, but used to be better. But for a long time, I've found them both really disappointing in both how much they miss and how many hassles and slowdowns they create.
TrendMicro products are great by comparison.
They also excel versus a lot of startups. A while back I tried a Panda anti-virus package (so I like to check different products, don't flame me for it). It was a fair/mediocre anti-virus product, not dramatically better or worse than Norton, for example.
But, I made the mistake of testing their firewall product that came with the install. I keep hoping for a software fireall that actual works without breaking everything or causing tons of hassles to use on client sites (but never have).
Anyway, my system started slowing down, hanging, and blue-screening at random. I thought I had a virus. I didn't have a virus. I had a firewall. After about 12 hours of hell, I eventually diagnosed the firewall as the source of the problems. What a piece of crap! Inspite of all of the anti-Microsoft retorhic, its pretty rare that I find anything remotely reputable that will consistenly bluescreen 2k or XP, excepting really crappy device drivers.
Anyway, that's sort of a tangent, but the point is that there is a lot of crappy AV software out there, and you're TrendMicro recommendation is excellent.
Oh, one other thing, has anyone else notices how many anti-virus programs no longer include a memory scan? What the heck is up with that? Why even bother trying to find and clean files on disk when there could be something in memory working against you. Especially since a lot of spyware isn't fair from a virus in action or effects, and so many anti-virus programs skimp on checking for spyware and adware installations, including old, common ones that really interfere with system usage.
...and patched the same day.
The difference between free software and the proprietary stuff: if you've got no plausible deniability over faults, you tend to own up to them quickly. Not quibble over whether it's a bug or not, or how critical it is. And you fix it.
If you really want to kill a long, rainy afternoon, buy Jeremy Allison some beers and ask him about the undocumented bugs the Samba team knows about in CIFS, but, because they're nice guys, they're not holding MSFT's feet to the fire over.
IHBT, IHL, HAND.
What part of "gestalt" don't you understand?
Clicky.
There are a few sites that provide the format. There's no visible text because all the text is compressed in CHM files. One of the many advantages over using raw HTML for your online help.
There's no visible text because all the text is compressed in CHM files.
Still doesn't answer why Microsoft didn't use a de facto standard data compression and container format such as PKZIP.
I have been using Firefox as my default browser for 6 months. I should have mentioned that in my post - but I guess I take for granted that self respecting slashdotters would not use IE :-)
Sophos saw the cached page even though the code was never going to be executed. I believe in a multi-layered defence - I count 5 between my filesystem and the net: firewall, http proxy (privoxy), a better browser (FF 1.0) running without admin privledges & anti-virus. All of these bits help.
Remember when the United States Computer Emergency Response Team (US CERT) recommended using against using Internet Explorer? When that happened Secunia issued a statement essentially defending IE, saying it's problems aren't that bad. I promptly fired off an email (mainly an angry rant) about "How can you say that? You of all people should know that using a different browser is a good idea! It's in your interest that your customers use IE and have troubles!"
I got an email back saying that there are always vulnerabilities in everything, CERT went over the top with their advisory.
Definitely go with Trend if you don't mind paying! The best free one I think is AVG (www.grisoft.com)
Switch? They're a strategic partner! Kind of like a regularly cheated on spouse (Viruses, anyone?), we hope they'll change so we don't have to leave them.