Slashdot Mirror


IE Vulnerable to Cross-Browser Spyware Attack

An anonymous reader writes "The Register reports that Firefox can be used to infect IE on Windows. By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer. Other alternative browsers may expose the same vulnerability. The article quotes the CTO of ScanSafe as saying that '[j]ust switching away from IE does not give adequate protection. Now that Firefox and other alternative browsers have a toehold in the market the hacking community will get busy exploiting the vulnerabilities that exist in any complex browser.'" VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

22 of 619 comments

  1. No problem. by rackhamh · · Score: 4, Interesting

    VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

    Oh, well, it's no problem then. It's not like anybody uses THAT...

    1. Re:No problem. by alnjmshntr · · Score: 2, Interesting

      Well actually I disable Java under Firefox and IE.
      Doesn't make a difference to my browsing experience.

      --
      If I had created the world I wouldn't have messed about with butterflies and daffodils. I would have started with lasers
  2. This can already happen by tehshen · · Score: 5, Interesting

    IE can already be infected by plugins and downloads from other browsers. My sister (whom I have confined to Firefox) likes to play those goddamn Neopets games, which require Shockwave. After installing it, the Yahoo! toolbar had managed to place itself into IE somehow, even when IE hadn't been used for months.

    --
    Guy asked me for a quarter for a cup of coffee. So I bit him.
  3. What? by PhreakOfTime · · Score: 2, Interesting

    So using a browser that this exploit is not aimed at will infect part of the operating system you're trying to get away from, because everything is so integrated with no end-user control.

    How is this bad for Firefox? If anything it's a big black eye for MS and integrating IE into the OS.

  4. Re: caveat by Anonymous Coward · · Score: 1, Interesting

    Why don't they just put a skull and crossbones in the alert. Or do they?

  5. Time for a new security model by GCP · · Score: 4, Interesting

    Ironic that Java, famous for its sandbox, seems to be the door through which this intruder enters.

    I keep wondering if it wouldn't be better to have something like VMWare a standard part of a consumer OS. You would instantiate a VMWare-type virtual machine, preloaded with your Web browser, email client, etc., for all external communications. You would leave your "real machine" with no Net connection, but use it for other tasks that didn't need a live Net connection. Attacks from the outside would have no way to damage anything other than a virtual machine. If it got screwed up or infected, even by your kids playing with it and saying "Yes" to download offers, you'd just delete it and instantiate a new one.

    You'd be able to reach from the real machine into one of the VMs and retrieve a file that you were satisfied was safe, but there would be no way for a VM to export (VMWare is like this). There would be occasions when fetching an infected file would infect your real machine, but the overall incidence of external damage should be significantly reduced by this approach and recovery from screwups would be quick and easy (at a cost of performance for activities done from a VM).

    It's just a thought, but it seems as though this would just be an extension of the Unix notion of having root power but doing most of your work from a non-root account just to be safe.

    --
    "Those who have never entered upon scientific pursuits know not a tithe of the poetry by which they are surrounded."
    1. Re:Time for a new security model by KarmaMB84 · · Score: 2, Interesting

      So Java is no better than ActiveX and Firefox will let Java run? So Firefox is no more secure than IE in that regard? Thanks for the heads up.

  6. Re:Caveat by nacturation · · Score: 4, Interesting

    Even on the Mac, where you're prompted to enter your username and password to grant temporary root access for an installer. What's to stop an application putting up its own fake security dialog during the install, thereby bypassing the built-in Mac security dialog? It's not like it's impossible to fake that dialog, then not only can the application have root access to do whatever it needs to, but it can also save your username and password to re-use later or send to a third party for a bit of remote fun.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  7. Re:who fixes it? by m50d · · Score: 4, Interesting

    Konqueror asks permission for every single file an applet modifies. Although a good idea, in practice this is so annoying I had to turn it off.

    --
    I am trolling
  8. Re:Can't resist by AviLazar · · Score: 1, Interesting

    Except if you were running Linux, and a permission box came up and said "do we have authorization to access your machine" and you blindly clicked yes - then would you consider it a security flaw of Linux? I would consider it more of a social engineering tactic - not a highly sophisticated one - but one that works nonetheless.

    --

    I mod down so you can mod up. You're welcome.
  9. Some FUD here? by billsf · · Score: 2, Interesting

    It looks like an exploit I happened to discover only about two and a half weeks ago while running Windows XP-sp2-blabla under emulation. The recognisable part is being able to get 'spyware' (in the test, just a dummy cookie) through Firefox and into IE. A few people were told this and repeated it. It should be made VERY clear that Sun Java is NOT needed (MS has every reason to FUD Sun) and it's not Mozilla at fault, but the fact that IE cannot yet be 'de-installed'. The advised solution is for _someone_ to develop a full de-installer for IE. Nobody I know gives a flying f* for MS, but getting a practical de-installer out for IE is the slap-in-the-face MS has coming!

    In the meantime watch out for FUD. MS will say Sun and Mozilla are bad and IE is good. You never say in business: "I told you so", but MS will. WATCH OUT! As usual there is a spin on this that seems to favour Microsoft. Don't buy it.

    There are some 'unfixable' bugs in all Windows and MS products due to the "I want to be different factor". Being able to completely remove IE (use Firefox, Opera, etc.) would go a long way in reducing the threat. Removing "Media Player" (use mplayer) would help a little more. The real truth however is that Windows is flawed by design and can never be fixed in an acceptable way.

    If you are unfortunate enough to be using Windows, please look at the track record, including all the lies you've been told and make an informed decision. Get Solaris 10 if you wish, I'll stick with FreeBSD. Linux has a range of distros that range from 'true hardcore' to 'clickity-click' and even have a dual boot. Sooner or later, you are going to have to make the transition. You decide when.

  10. Re:Ahem... by owlstead · · Score: 2, Interesting

    Those are the JRE runtime warning boxes and have little to do with Firefox itself. Never mind, the top story is FUD.

  11. Re:I'm not defending IE by any stretch... by MikeWin10 · · Score: 2, Interesting

    I could not agree more. All these users complain about viruses and spyware, but yet somehow I never get them. It's called "Responsible computing". Viruses and spyware will always exist and continue to wreak havoc regardless of operating system/browsers as long as there are people that are stupid enough to click "Yes" to install on all security warnings and install software from untrusted sources. I don't feel sorry for a lot of these users because they just aren't paying attention. When in doubt, don't install it.

  12. Re:Caveat by RetroGeek · · Score: 5, Interesting

    I always make the user type "VERIFY" into an entry field for any potentially disastrous action.

    Hard for them to say they didn't see it.

    --

    - - - - - - - - - - -
    I am a programmer. I am paid to produce syntax not grammar. Deal with it.
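    The typed-confirmation guard RetroGeek describes, written out as an added example (not code posted in the thread). It requires the operator to type the exact token before a destructive callable runs, treats an empty line or EOF as refusal, caps the number of attempts, and records every attempt so that a later "I didn't see it" can be checked against a log. The function names (require_typed_confirmation, guarded_action, scripted_input) are this example's own.

```python
"""Typed-confirmation guard for potentially disastrous actions.

Added example illustrating the "type VERIFY to proceed" pattern from the
thread; not code from any poster. All names here are the example's own.
"""
import time
from typing import Any, Callable, List, Optional, Tuple

CONFIRM_TOKEN = "VERIFY"


def _stamp() -> str:
    """Timestamp for audit entries (local time, ISO-like)."""
    return time.strftime("%Y-%m-%dT%H:%M:%S")


def require_typed_confirmation(
    description: str,
    read_line: Callable[[str], str] = input,
    token: str = CONFIRM_TOKEN,
    max_attempts: int = 3,
    audit: Optional[List[str]] = None,
) -> bool:
    """Return True only when the operator types `token` exactly.

    Design points:
    - Case-sensitive match after stripping surrounding whitespace, so a
      reflexive Enter (empty line) or lowercase "verify" does not confirm.
    - No default answer: EOF on the input is treated as a refusal.
    - Bounded attempts: after `max_attempts` mismatches the action is refused.
    - Every attempt is appended to `audit` (if a list is supplied), including
      what was typed, so the confirmation can be audited afterwards.
    """
    prompt = f"Type {token} to confirm: {description}\n> "
    for attempt in range(1, max_attempts + 1):
        try:
            typed = read_line(prompt)
        except EOFError:
            if audit is not None:
                audit.append(f"{_stamp()} attempt {attempt}: EOF -> refused")
            return False
        confirmed = typed.strip() == token
        if audit is not None:
            verdict = "confirmed" if confirmed else "mismatch"
            audit.append(f"{_stamp()} attempt {attempt}: typed {typed!r} -> {verdict}")
        if confirmed:
            return True
    if audit is not None:
        audit.append(f"{_stamp()} refused after {max_attempts} attempts")
    return False


def guarded_action(
    description: str,
    action: Callable[[], Any],
    read_line: Callable[[str], str] = input,
    token: str = CONFIRM_TOKEN,
    audit: Optional[List[str]] = None,
) -> Tuple[bool, Any]:
    """Run `action()` only after typed confirmation.

    Returns (ran, result): ran is False and result is None when refused.
    """
    if require_typed_confirmation(description, read_line, token, audit=audit):
        return True, action()
    return False, None


def scripted_input(lines: List[str]) -> Callable[[str], str]:
    """Return a read_line stand-in that replays constructed responses.

    Used for the demo below and for tests; raises EOFError once exhausted,
    exactly as input() does on a closed stdin.
    """
    it = iter(lines)

    def read(_prompt: str) -> str:
        try:
            return next(it)
        except StopIteration:
            raise EOFError
    return read


if __name__ == "__main__":
    log: List[str] = []
    # Constructed operator responses: a lazy lowercase attempt, then the real token.
    ran, result = guarded_action(
        "purge all export files",
        lambda: "purged",
        read_line=scripted_input(["verify", "VERIFY"]),
        audit=log,
    )
    print("ran:", ran, "result:", result)
    print("\n".join(log))
```

    Passing a list as `audit` gives the caller the record; the demo prints it, but a real deployment would append the same lines to a persistent log that the operator cannot edit.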
  13. Won't work for long... by mardoen · · Score: 2, Interesting

    ...because the following month a user's default actions will be:
    - notice that dialog pops up.
    - check that checkbox without which websites seem not to work correctly.
    - click OK.

  14. Re:Caveat by DianeOfTheMoon · · Score: 2, Interesting

    Well, from the company I work at, I can say with certainty (at least in my own world) that it won't do any good.

    We have a word document that takes an export from another program, formats it, then displays financial info about the export. In order to do this correctly, several things were put into place:

    1. We have 5(!) dialog boxes to have people confirm information in the export.
    2. If the information doesn't match, the formatting fails.

    What we found out is that after a few times of not reading the dialog boxes and slowly clicking the verified buttons, they start not reading the dialog boxes, and click the verified buttons as fast as possible. They then, in both cases, ask me why it didn't work.

    What makes this interesting to me, is that running this Word document is actually a sizable portion of their job, and I can tell them what's wrong just on exactly what happened. And the reply is always "I didn't know..."

    --
    Problems are like gifts, it's better to give than to receive
  15. This reminds me of Japanese Cars.. by schon · · Score: 4, Interesting

    Most (all?) Japanese cars have a "feature" that the door won't lock unless you're holding the handle up (open, whatever.)

    I heard that this was a measure to prevent people from locking their keys in their car. The Japanese car manufacturers decided that if people have to lock the door, then hold the handle in the open position as they close the door, it will prevent them from accidentally locking their keys in the car.

    Sounds nice in theory... until the day I locked the keys in my Civic. It was then that I noticed that because I couldn't lock the car door without holding up the handle, that I had gotten into the habit of *always* holding up the handle while closing the door, even when I didn't want to lock it.

    I've known a lot of people who have locked their keys in their Japanese car, they told me the same thing.

    So, instead of being a mechanism to prevent people from accidentally locking their keys in their car, it was instead a mechanism to train people to hold their door handle up when closing the car door.

    You can't fix a behavioural problem with a technological solution.

  16. Re:Caveat by owlstead · · Score: 2, Interesting

    Even if one option was "transfer your bank account contents to an unidentified account in Nigeria" some people would still choose it.

    Any /. worthy nerd would have chosen that option, if only to see what happened...

  17. Re:The assumption was that Java Applets can't 0wn by Lord+Crc · · Score: 2, Interesting

    ...and then warned the user specifically to NOT say yes. The idiot said yes anyway.

    I think there's a bigger problem with users getting "trained" to click "ok" or "yes" on all sorts of dialog boxes without understanding why the dialog box appeared or what the consequences are. Like when we "techies" casually say "Oh, yeah, just click ok on that one".

    Part of the reason, imho, is that dialog boxes are abused. I think software authors and especially Microsoft should try to think much harder about dialog boxes, especially when to use them and how to present them. For one, include a "if you are unsure, do X" (like the Linux kernel config menu, very good example). I think that would help users to not just "I don't want to do anything wrong, so I'll click Yes".

    Web browsers should also have visually different windows for popups and similar, so that casual users could have an easier time distinguishing between real dialogs and "copycat" ads.

    Just my thoughts on the issue.

  18. Re:Caveat by nacturation · · Score: 2, Interesting

    Correct, the good apps come in a single bundle which you drag over... but enough Mac users have experienced the ones which DO require extra privileges and are familiar with entering their username and password for these, for occasional OS X updates, etc. So another random installer asking for it doesn't raise too many red flags. I think Mac users would be susceptible to this almost the same as a Windows user running a trojaned EXE file.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  19. Funny title. by stealth.c · · Score: 2, Interesting

    "IE Vulnerable..." instead of "Firefox Exploit..."

    The former is hardly newsworthy. The latter is more accurate and constructive.

    I'm as frustrated with MSFT as the next guy, but honestly...

  20. Re:Caveat by drsmithy · · Score: 2, Interesting

    And the only way these attacks will ever be stopped is with automatic sandboxing at the OS level.

    Actually it's pretty easy to do a basic level of "sandboxing" that will stop most - if not all - current malware in its tracks. Just "Run As" IE as a limited user account. Under Unix, just su to a user with very limited filesystem permissions before running your browser.