Extremely Critical IE6/SP2 Exploit Found
Spad writes "Secunia is reporting on three vulnerabilities in IE6 running on XP SP2. Any of these, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user's system. Moreover, the vulnerability can be used to delete files from the user's system. Secunia says 'Solution: Use another product.'"
They've also posted a test site.
No, you click it first.
delete IE?
or maybe install Firefox?
If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison
We need a worm/virus that deletes everyone's files. That would make keeping your computers patched a high priority for most of the users. At the moment, viruses are just something that affects and annoys "other people".
Get your own free personal location tracker
It was mandatory for us to switch to Mozilla. Problem is all our financial vendors make use of Active-X.
Result: Now we use Mozilla for casual browsing and use insecure products only when conducting important business!
I use Mozilla. I tried that test link, nothing at all happens. I have SP2 installed and all configured proper - except IE, which I didn't bother to touch at all since installation. I figured, hey, I've got an 'untouched' copy of IE here. I open it, I go to the test site, I click that link: WHOA. Holy crap. Help document pops up, and then (the scary part) a command prompt flicks open, does SOMETHING, and then a new window is up. Yikes. I guess some part of me always hoped these exploits were exaggerated in their swiftness and ability to bypass your input.
Pardon the technical terminology
With Safari 1.2.4 (v125.12), I get a "Safari cannot find the Internet plug-in." error dialog and then the beachball of death. Joy. Well, at least it's not opening the terminal.
I have made my own little extreme sport out of it. I fill my old box with all of my financial information, and surf around using IE. I think Microsoft is pretty impressed, because they keep sending me boxes of Viagra and dog crap.
What's scary is that page doesn't even detail what the test will do on your machine! Clicking the link is risky enough even if you did know what it was going to do (i.e. how do you know their server hasn't been compromised and the test altered).
All it says is "The test requires that you have Windows installed in 'c:/windows/'." Uh... Why? Is it actually doing something in there? Does it just need to access cmd.exe?
Click at your own risk, indeed. I suggest running it on a machine that you plan to reformat or under an emulator like VPC.
although it requires a bit of messing around. IE - Tools - Options - Security.
select Internet Zone; click Custom Level; set just about everything to Disable or Prompt.
select Trusted Sites; click Sites; remove https requirement (because the use of https is no guarantee of safety). Then go to Custom Level, then set some items to Prompt, most to Enable.
This way, anything that isn't in your Trusted Sites list can't get up to any substantial shenanigans. When a page doesn't work, add the site to the Trusted Sites list.
Then, even if the page is one that attempts to initiate a cascade of pr0n sites that only open more up each time you close one, it may be able to open the first level of the cascade, but unless the cascaded ones are also on your Trusted list that's where the cascade will stop.
Some pages redirect you to another site; some have frames on different sites and so on, and this can get a bit tedious, but for the most part this makes IE6 invulnerable to Secunia's tests.
Also I only use IE for secondary browsing, where something REALLY won't work in Firefox, which is also protected by Proxomitron.
I think this exploit deserves a bit more attention than "serves clueless n00bs right". Although to be fair my default browser (FireFox) was unaffected ;)
I use Sophos Anti-virus - and it alerts on the cached copy of the test page as containing a virus/exploit EXP/Phel-A:
http://www.sophos.com/virusinfo/analyses/expphela
EXP/Phel-A detects files that exploit the HTML Help Control Vulnerability which affects systems installed with Microsoft Windows XP Service Pack 2.
This vulnerability allows arbitrary code execution on the vulnerable system by bypassing security constraints established by the operating system.
Yeah, if your grandma hasn't spent at least $50 on third-party security software plus a yearly antivirus subscription fee, plus made sure to configure her firewall correctly and run virus and spyware scans weekly, plus made sure to create a restricted user account that she runs IE under, why then she has only herself to blame. Obviously Microsoft is doing everything in its power to protect her.
Actually, I would have said it was more like "Today terrorists have announced that they have armed an atomic bomb in the middle of Los Angeles. If it goes off, it may burn you!"
I'm a Windows guy, and generally I think MS does good work (please no retarded flames on this I won't respond). However IE is just not worth using as a web browser these days. I have switched to Firefox, switched all lab systems I control, and recommend to everyone that they switch. It is just as fast, in my experience, has support for more of the W3 standards, and is more customizable. The only area it falls behind in is rendering broken code, and that's rare enough it's not a big deal.
The security issues are another consideration as well. Active X controls in a webpage were a nice idea, as a way to add neat functionality, however it simply opens up the possibility of too many exploits. It's not a matter of doing better checking of code or such, it's just too much power for a website to have.
So, even liking MS generally, I have to recommend against IE. Firefox is currently better in all the ways that really matter.
Also, I've noticed some people mention online banking as a problem. Bank of America works fully with Firefox and has generally been a decent bank. Though I imagine if Firefox grows much more banks will have little choice but to support it.
"Fool me once, shame on you. Fool me 621498 times, shame on me."
GWB said that, right?
I'm running XPSP1 with all critical updates installed. To get the exploit to run with IE on my computer I have to manually change the security level to low, allow an unsigned ActiveX control to run when it warns me I shouldn't, and confirm the overwriting of files. What the hell did Microsoft do in SP2 to make it vulnerable?
Hey can someone please tell me how I can find out where my windows is installed? It says here http://secunia.com/internet_explorer_command_execution_vulnerability_test
that windows needs to be installed in c:\windows\ for their test exploit to work 'properly'
Computer specs: iBook g3 800mhz...
I hope that helps a little
And a car with the wheels nailed to the ground, the doors welded and all the windows painted over is pretty safe from thieves. When you saw those precautions advised in the manufacturer's literature, would you buy the car?
_O_
.|< The named which can be named is not the true named
I have McAfee virusscan 9.0 installed.
Clicking the test link with IE proved that my system is vulnerable (if using IE, which I'm not, of course). I had expected McAfee to block this web page, but it didn't. So I went to the internet security options panel in IE, and disabled all ActiveX controls.
But lo and behold, McAfee virusscan stopped working!
All their dialogs and panels seem to be using IE's HTML engine for display, and all I get now is first an error "your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly" and then an empty window when trying to access any of McAfee's information or settings dialogs!!
What a load of crap. I will send them a complaint, and remove their product from my computer right now, to replace it with a good, free virusscanner. Any recommendations? Thanks.
Launches the new IE window using cmd /c iexplore.
Pain lasts, kid. It's how you know you're alive. Sometimes I think this growing up thing is just pain management - TheMaxx
In case anyone missed this, it was reported to Microsoft on 2004-10-13.
Three months later, no sign of a patch.
v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
That's right, Microsoft "we take security very seriously" Corporation has known about this vulnerability for almost two months, yet they left it unpatched? Why?
Lucky me that I use firefox, and just got IE out to try out that test. And don't give me stuff about "turn off activeX" or some bs like that. The point is, how many non-tech-savvy people think they're safe because they've done what we told them to do and kept their computers patched?
Warning: Opinions known to be heavily biased.