Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE Vulnerable to Cross-Browser Spyware Attack

Posted by timothy on from the if-you-must-run-windows-remove-ie dept.

An anonymous reader writes "The Register reports that Firefox can be used to infect IE on Windows. By visiting a malicious site with Firefox, a user can infect their install of Internet Explorer. Other alternative browers may expose the same vulnerability. The article quotes the CTO of ScanSafe as saying that '[j]ust switching away from IE does not give adequate projection. Now that Firefox and other alternative browsers have a toehold in the market the hacking community will get busy exploiting the vulnerabilities that exist in any complex browser.'" VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

7 of 619 comments (clear)

  1. No problem. by rackhamh · · Score: 4, Interesting

    VitalSecurity's report points out that this vulnerability can (only) affect Windows users who use Sun's Java Runtime Environment.

    Oh, well, it's no problem then. It's not like anybody uses THAT...

  2. This can already happen by tehshen · · Score: 5, Interesting

    IE can already be infected by plugins and downloads from other browsers. My sister (whom I have confined to Firefox) likes to play those goddamn Neopets games, which require Shockwave. After installing it, the Yahoo! toolbar had managed to place itself into IE somehow, even when IE hadn't been used for months.

    --
    Guy asked me for a quarter for a cup of coffee. So I bit him.
  3. Time for a new security model by GCP · · Score: 4, Interesting

    Ironic that Java, famous for its sandbox, seems to be the door through which this intruder enters.

    I keep wondering if it wouldn't be better to have something like VMWare a standard part of a consumer OS. You would intantiate a VMWare-type virtual machine, preloaded with your Web browser, email client, etc., for all external communications. You would leave your "real machine" with no Net connection, but use it for other tasks that didn't need a live Net connection. Attacks from the outside would have no way to damage anything other than a virtual machine. If it got screwed up or infected, even by your kids playing with it and saying "Yes" to download offers, you'd just delete it and instantiate a new one.

    You'd be able to reach from the real machine into one of the VMs and retrieve a file that you were satisfied was safe, but there would be no way for a VM to export (VMWare is like this). There would be occasions when fetching an infected file would infect your real machine, but the overall incidence of external damage should be significantly reduced by this approach and recovery from screwups would be quick and easy (at a cost of performance for activities done from a VM).

    It's just a thought, but it seems as though this would just be an extension of the Unix notion of having root power but doing most of your work from a non-root account just to be safe.

    --
    "Those who have never entered upon scientific pursuits know not a tithe of the poetry by which they are surrounded."
  4. Re:Caveat by nacturation · · Score: 4, Interesting

    Even on the Mac, where you're prompted to enter your username and password to grant temporary root access for an installer. What's to stop an application putting up its own fake security dialog during the install, thereby bypassing the built-in Mac security dialog? It's not like it's impossible to fake that dialog, then not only can the application have root access to do whatever it needs to, but it can also save your username and password to re-use later or send to a third party for a bit of remote fun.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  5. Re:who fixes it? by m50d · · Score: 4, Interesting

    Konqueror asks permission for every single file an applet modifies. Although a good idea, in practice this is so annoying I had to turn it off.

    --
    I am trolling
  6. Re:Caveat by RetroGeek · · Score: 5, Interesting

    I always make the user type "VERIFY" into an entry field for any potentially disasterous action.

    Hard for them to say they didn't see it.

    --

    - - - - - - - - - - -
    I am a programmer. I am paid to produce syntax not grammar. Deal with it.
  7. This reminds me of Japanese Cars.. by schon · · Score: 4, Interesting

    Most (all?) Japanese cars have a "feature" that the door won't lock unless you're holding the handle up (open, whatever.)

    I heard that this was a measure to prevent people from locking their keys in their car. The Japanese car manufacturers decided that if people have to lock the door, then hold the handle in the open position as they close the door, it will prevent them from accidentally locking their keys in the car.

    Sounds nice in theory... until the day I locked the keys in my Civic. It was then that I noticed that because I couldn't lock the car door without holding up the handle, that I had gotten into the habit of *always* holding up the handle while closing the door, even when I didn't want to lock it.

    I've known a lot of people who have locked their keys in their Japanese car, they told me the same thing.

    So, instead of being a mechanism to prevent people from accidentally locking their keys in their car, it was instead a mechanism to train people to hold their door handle up when closing the car door.

    You can't fix a behavioural problem with a technological solution.