Extremely Critical IE6/SP2 Exploit Found
Spad writes "Secunia is reporting on three vulnerabilities in IE6 running on XP SP2. Any of these, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user's system. Moreover, the vulnerability can be used to delete files from the user's system. Secunia says 'Solution: Use another product.'"
They've also posted a test site.
No, you click it first.
delete IE?
or maybe install Firefox?
If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison
Hmm... I tried the Secunia site and IE just blocks the activex control, saying it's unsafe.
The jmcardle site gets past IE, but Norton detects it and immediately blocks access. Nothing happens.
Even a fully patched sp2 is in danger. Good news for Firefox fanboys?
One would assume that any vulnerability that could run arbitrary code would be able to delete files.
We need a worm/virus that deletes everyone's files. That would make keeping your computers patched a high priority for most of the users. At the moment, viruses are just something that affects and annoys "other people"
Get your own free personal location tracker
Well, you've been lucky, one of these days you are going to run afoul of one of the more dangerous internets.
This post is both insightful and flamebait at the same time. I love how objective people are(n't.)
It was mandatory for us to switch to Mozilla. Problem is all our financial vendors make use of ActiveX.
Result: Now we use Mozilla for casual browsing and use insecure products only when conducting important business!
I use Mozilla. I tried that test link, nothing at all happens. I have SP2 installed and all configured proper - except IE, which I didn't bother to touch at all since installation. I figured, hey, I've got an 'untouched' copy of IE here. I open it, I go to the test site, I click that link: WHOA. Holy crap. Help document pops up, and then (the scary part) a command prompt flicks open, does SOMETHING, and then a new window is up. Yikes. I guess some part of me always hoped these exploits were exaggerated in their swiftness and ability to bypass your input.
it's an IE feature.
Pardon the technical terminology
With Safari 1.2.4 (v125.12), I get a "Safari cannot find the Internet plug-in." error dialog and then the beachball of death. Joy. Well, at least it's not opening the terminal.
I have made my own little extreme sport out of it. I fill my old box with all of my financial information, and surf around using IE. I think Microsoft is pretty impressed, because they keep sending me boxes of Viagra and dog crap.
#!/microsoft/bash
After today's pro-Microsoft articles, it's about time we got back to bashing!
You know what? I'll just stop using the internet. I'll just .................
What's scary is that page doesn't even detail what the test will do on your machine! Clicking the link is risky enough even if you did know what it was going to do (i.e., how do you know their server hasn't been compromised and the test altered).
All it says is "The test requires that you have Windows installed in 'c:/windows/'." Uh... Why? is it actually doing something in there? Does it just need to access cmd.exe?
Click at your own risk, indeed. I suggest running it on a machine that you plan to reformat or under an emulator like VPC.
although it requires a bit of messing around. IE - Tools - Options - Security.
Select Internet Zone; click Custom Level; set just about everything to Disable or Prompt.
Select Trusted Sites; click Sites; remove the https requirement (because the use of https is no guarantee of safety). Then go to Custom Level, then set some items to Prompt, most to Enable.
This way, anything that isn't in your Trusted Sites list can't get up to any substantial shenanigans. When a page doesn't work, add the site to the Trusted Sites list.
Then, even if the page is one that attempts to initiate a cascade of pr0n sites that only open more up each time you close one, it may be able to open the first level of the cascade, but unless the cascaded ones are also on your Trusted list that's where the cascade will stop.
Some pages redirect you to another site; some have frames on different sites and so on, and this can get a bit tedious, but for the most part this makes IE6 invulnerable to Secunia's tests.
Also I only use IE for secondary browsing, where something REALLY won't work in Firefox, which is also protected by Proxomitron.
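The zone lockdown the post above describes, written out as an added example (not the poster's own work) against the per-user registry keys IE reads. It assumes a current Windows with PowerShell, that the script runs as the user whose IE profile is being hardened, and that Trusted Sites' "require server verification" setting is bit 0x4 of the zone's Flags value; bank.example is a placeholder.

```powershell
# Zone 3 = Internet, Zone 2 = Trusted Sites.
# Per-action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# IE's documented URL-action IDs and what they control.
$actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1406' = 'Access data sources across domains'
    '1400' = 'Active scripting'
}

function Set-ZoneActions {
    param([int]$Zone, [hashtable]$Values)   # Values: actionId -> 0/1/3
    $key = Join-Path $zones $Zone
    foreach ($id in $Values.Keys) {
        Set-ItemProperty -Path $key -Name $id -Value $Values[$id] -Type DWord
        Write-Host ("zone {0}: {1} -> {2}" -f $Zone, $actions[$id], $Values[$id])
    }
}

# Internet zone: no ActiveX at all, prompt before running script.
Set-ZoneActions -Zone 3 -Values @{
    '1001' = 3; '1004' = 3; '1200' = 3; '1201' = 3; '1405' = 3; '1406' = 3
    '1400' = 1
}

# Trusted Sites: ActiveX mostly on, but prompt for the riskiest items.
Set-ZoneActions -Zone 2 -Values @{
    '1001' = 1; '1004' = 3; '1200' = 0; '1201' = 1; '1405' = 0; '1406' = 1
    '1400' = 0
}

# Clear the "require https for this zone" flag (assumed bit 0x4) so plain-http
# business sites can be added; clearing only that bit leaves the rest intact.
$trusted = Join-Path $zones 2
$flags = (Get-ItemProperty -Path $trusted -Name Flags).Flags
Set-ItemProperty -Path $trusted -Name Flags -Value ($flags -band (-bnot 0x4)) -Type DWord

# Put one site into Trusted Sites: ZoneMap\Domains\<domain>\<scheme> = zone id.
function Add-TrustedSite {
    param([string]$Domain, [string]$Scheme = 'http')
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}
Add-TrustedSite -Domain 'bank.example'   # placeholder, not a real site
```

Open Tools - Options - Security afterwards to confirm IE shows the zones as Custom with the intended settings; group policy can override these per-user values.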
Why not just put it into .hlp files like it used to be? I don't recall any security issues with those.
Not since December 27 2004, anyway...
"XFocus also reported a hole in winhlp32.exe, the Windows .hlp file parsing program. The vulnerability is forged from a decoding error within the .hlp header. A perpetrator can exploit the flaw by triggering a heap-based buffer overflow."
http://www.esecurityplanet.com/patches/article.php/11778_3452081
"I've got more toys than Teruhisa Kitahara."
I believe there are now exploits in the wild, or exploits poised to get out in the wild -- which is why the rating was increased.
Having a vulnerability is like having a broken lock on a window. An exploit of that vulnerability is a burglar who is going around your neighborhood using windows as the entry point. In my opinion, exploits are a more serious concern than the vulnerability itself and warrant the increased amount of news on the topic.
Yeah, similar thing here - I use either Mozilla or Firefox at work and at home for pretty much everything, but the company timesheet site and internal website (including things like the phonelist) refuse to work under anything other than IE.
Good work guys, it wouldn't have taken any more than a couple of days to figure out how to get your frigging menubar to work in a way that didn't require the security equivalent of a gigantic Swiss Cheese.
I use Sophos Anti-virus - and it alerts on the cached copy of the test page as containing a virus/exploit EXP/Phel-A:
http://www.sophos.com/virusinfo/analyses/expphela.html/
EXP/Phel-A detects files that exploit the HTML Help Control Vulnerability which affects systems installed with Microsoft Windows XP Service Pack 2.
This vulnerability allows arbitrary code execution on the vulnerable system by bypassing security constraints established by the operating system.
/hug Browsers-other-than-IE
/hug Linux
/hug FreeBSD
/hug OpenBSD
/hug NetBSD
/hug All-the-other-BSDs
/hug All-OSes-and-architectures-that-are-not-windows-on-x86
As for the internet, let's be serious. Anyone who, since 1995 (when ActiveX was introduced), has used MSIE on the internet, is just plain stupid, and has never had a reasonable expectation of either security or privacy. This has literally been known for nearly a decade now. "Fool me once, shame on you. Fool me 621498 times, shame on me."
``Secondly, why in the HELL is anyone using HTML files for help documents?''
Why not HTML? Windows help is hypertext, and HTML is the standard for exactly that. I'm all the happier when people use standard formats rather than proprietary ones.
And for the record: HTML is completely secure. It's just data that gets rendered. Security holes are always either in the code that processes the HTML (which is a problem with that code, not with HTML) or in extensions (which is a problem with the extension and the program that uses the extension).
Please correct me if I got my facts wrong.
I'm a Windows guy, and generally I think MS does good work (please no retarded flames on this I won't respond). However IE is just not worth using as a web browser these days. I have switched to Firefox, switched all lab systems I control, and recommend to everyone that they switch. It is just as fast, in my experience, has support for more of the W3 standards, and is more customizable. The only area it falls behind in is rendering broken code, and that's rare enough it's not a big deal.
The security issues are another consideration as well. ActiveX controls in a webpage were a nice idea, as a way to add neat functionality, however it simply opens up the possibility of too many exploits. It's not a matter of doing better checking of code or such, it's just too much power for a website to have.
So, even liking MS generally, I have to recommend against IE. Firefox is currently better in all the ways that really matter.
Also, I've noticed some people mention online banking as a problem. Bank of America works fully with Firefox and has generally been a decent bank. Though I imagine if Firefox grows much more banks will have little choice but to support it.
I'm running XPSP1 with all critical updates installed. To get the exploit to run with IE on my computer I have to manually change the security level to low, allow an unsigned ActiveX control to run when it warns me I shouldn't, and confirm the overwriting of files. What the hell did Microsoft do in SP2 to make it vulnerable?
Hey can someone please tell me how I can find out where my windows is installed? It says here http://secunia.com/internet_explorer_command_execution_vulnerability_test
that windows needs to be installed in c:\windows\ for their test exploit to work 'properly'
Computer specs: iBook g3 800mhz...
I hope that helps a little
Thanks for the description. And that is exactly what I'd like to know.
It looks like SP2 was just the usual patch-collection and the crackers just needed a little bit time to adapt to it.
I did get a bunch of Ubuntu CDs while they're free and give those out to anyone that is interested in Linux. Especially after I answer the question, "How do you deal with it?" with "I don't. I use Linux."
is to disable ActiveX
Vulnerabilities do exist. I installed 15 patches on a pair of new 2003 servers yesterday. Only 2 of these were IE patches.
http://www.starnix.com/banks-n-browsers.html VERY comprehensive list of banks who will work with Linux -- which is basically the same thing. If you're browser agnostic, the OS shouldn't be a deal.
...this unpatched XP laptop is not vulnerable to the exploit.
Guess it isn't as extremely critical as they say.
I am very small, utmostly microscopic.
I have McAfee virusscan 9.0 installed.
Clicking the test link with IE proved that my system is vulnerable (if using IE, which I'm not, of course). I had expected McAfee to block this web page, but it didn't. So I went to the internet security options panel in IE, and disabled all ActiveX controls.
But lo and behold, McAfee virusscan stopped working!
All their dialogs and panels seem to be using IE's HTML engine for display, and all I get now is first an error "your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly" and then an empty window when trying to access any of McAfee's information or settings dialogs!!
What a load of crap. I will send them a complaint, and remove their product from my computer right now, to replace it with a good, free virusscanner. Any recommendations? Thanks.
In case anyone missed this, it was reported to Microsoft on 2004-10-13.
Three months later, no sign of a patch.
"creating a non-admin user for web browsing"
This assumes that there are no local exploits to promote users to superusers. It is a much better idea to use a secure product, rather than hoping that there are no security vulnerabilities in the Windows kernel.
I'll probably be modded down for this...
...(reported to Microsoft on 2004-10-13).
That's almost whole 3 months. And since then no vendor patch for such a critical bug found in a major product. Not even a warning or anything. That must be the service that any microsoft software user would expect. Wondering if this is a promotion campaign for their new virus and spyware tools.
This bug and some recent others again proved that Microsoft embedded Internet Explorer in such a way that you can't distinguish it from Windows Explorer.
AVG Antivirus.
I am sorry that I cannot recommend any free virus scanners. The *only* virus scanner that I ever recommend to anyone now is TrendMicro. After working with it for a while now, I almost refuse to fix problems with McAfee and Norton. Both of them drastically slow down a computer, and both of them miss viruses that TM finds regularly.
If you'd like to see it in action, go to Trendmicro.com/download and click on "Damage Cleanup Engine", download "sysclean", then go back and click on "Virus Pattern File" and download the latest (currently lpt335.zip). Unzip this into the same directory as sysclean and run it.
This solution won't stay in memory and scan everything that accesses your computer or HDD, but it will find viruses if you have any.
~Will
sig?
I just e-mailed Steve Jobs basically the same thing about the Safari Browser. If Apple ever hopes to make it into the enterprise, they're going to have to include at least equivalent functionality for developers to, er, exploit.
It's not offtopic, dumbass. It's orthogonal.
I've decided to try Anti-Vir (free-av.com) for a while, I heard good comments from other people too about this one. At least it seems to work fine with thunderbird too.
But the main point of my original comment was that McAfee decided to use Internet Explorer itself, one of the main sources of leaks and infections, as part of their own anti-virus product!
This must be the result of someone having some serious brain damage over at McAfee's.
Lucky me that I use firefox, and just got IE out to try out that test. And don't give me stuff about "turn off activeX" or some bs like that. The point is, how many non-tech savvy people think they're safe because they've done what we told them to do and kept their computers patched?
Warning: Opinions known to be heavily biased.
As you can read in my comment below about McAfee Virusscan 9.0, disabling activex in internet explorer breaks every settings and information panel of that virus scanner.
Great. A virus scanner that contains IE.
(I deinstalled McAfee an hour ago).
Only if your default is to not have SP2 installed. RTFA.
Since Microsoft recommended everyone upgrade to SP2, and since SP2 INTRODUCED the vulnerability, I'd say your system isn't "default", and most people, by default, are vulnerable.
"Linux zealots", indeed.
Kythe
The code for the web page is designed to specifically target Windows XP SP2. The code modification required to make it target multiple versions of Windows is trivial.
AVG Personal Edition
DJ kRYPT's Free MP3s!
http://www.people.virginia.edu/~pg8p/
It downloads firefox, and begins the installation -- that's it.
I could've very easily moved iexplore.exe and adjusted icons and everything, but let's play this the white hat way. Enjoy amigos!
It's either critical or it isn't. "Extremely" is redundant.
That's pretty amusing. A virus scanner that relies on a component that may be a vector for viruses and trojans, and a known vector for spyware.
Embedding IE is simple for the programmer, but the security settings are so confusing for the user that it's possible to inadvertently tighten security too much for local applications, which causes the errors that you speak of. After the existence of security holes themselves, I think the next worst part about IE is its incredibly confusing set of security settings, especially on the Group Policy side. It's difficult to secure something when you don't understand how its security works.