Slashdot Mirror


Several Critical MSIE Flaws Uncovered

An anonymous reader writes "Several flaws have been uncovered by security firm eEye in Microsoft's Internet Explorer. The flaws allow remote compromise of computers running Windows Operating Systems and affect IE, Outlook and possibly other MS software. With the next MS Windows security bulletin release scheduled for June 14, 2005 news sources are reporting that in comparison with the Mozilla Foundation's prompt fix for the recently reported Mozilla 1.0.3 vulnerabilities MS appear to be leaving a large window for the possible malicious exploitation of these flaws."

17 of 388 comments

  1. Great.. by Marble68 · · Score: 4, Informative

    I'm stuck with an internal development team making web apps (in .Net) that require IE.. And a bunch of users who will click on anything. Although exploits were found in Firefox, they were patched rapidly. It's not standard on all our desktops. I wish there was a "corporate" browser with minimal features to reduce exposure. Sort of like IE lite.

    --
    /me sips his coffee and ponders a new sig...
  2. Re:Poor choice of slogan by dark-br · · Score: 4, Informative

    Marge: [on radio] Husband on murderous rampage. Send help. Over.
    Chief Wiggum: Whew, thank God that's over. I was worried for a little bit.

    Ok, now where is mar karma? ;)

    Other Wiggum quotes here.

  3. Not just one! by vmp17 · · Score: 4, Informative

    Although eEye's reports look a bit confusing (look at the "Vulerability is over" image at the bottom), I think according to this page http://www.eeye.com/html/research/upcoming/index.html there are 3 security vulnerabilities affecting IE and Outlook that allow remote code execution.
    The oldest one is 60 days old now and still not fixed.

  4. Re:Good for bidness by ScytheBlade1 · · Score: 2, Informative

    For the record, you can sign up to beta this product....I did, and if it's worth anything at all,...

  5. You can't compare like that by MarkByers · · Score: 2, Informative

    According to Secunia, Firefox has 17 advisories. But this does not equal 17 security errors, since many of them are 'multiple vulnerabilities'. Similarly for IE.

    You must also look at the number and criticality of currently exploitable bugs, and the typical speed of the vendor's response.

    In Secunia's own words:

    Please Note. The statistics below should not be used for a direct comparison of how secure two different products are. This is partly due to the fact that a Secunia advisory often cover multiple vulnerabilities. Also certain operating systems bundle a very large number of software packages and are therefore affected by many vulnerabilities that would be counted as a vulnerability in stand alone products for other operating systems / platforms. Other factors such as vendor response times and ability to properly fix vulnerabilities is also important.

    --
    I'll probably be modded down for this...
  6. Re:Thanks Microsoft! by bunratty · · Score: 3, Informative

    No, Mozilla uses an applications platform so that the developers can easily write cross-platform code. It's just that they also developed that platform, and it's also called Mozilla. Mozilla-the-browser (and also Firefox and Thunderbird) run on top of Mozilla-the-platform.

    --
    What a fool believes, he sees, no wise man has the power to reason away.
  7. OOOOLLLLDDD News by Urgo · · Score: 3, Informative

    Sorry but I need to say this..

    'Mozilla 1.0.3 vulnerabilities'

    That would be Firefox 1.0.3.... Mozilla Suite aka just mozilla and FireFox are two separate programs and have very different versions. Saying Mozilla 1.0.3 is very misleading. Please use the correct name or it makes your news story look very silly. Who cares if a version of mozilla from 2002 has security holes.

    </rant>

    --
    Believe in Technology and AMAZE yourself. -- RIP ZDTV/TechTV
  8. The scheduling is meant for enterprises by n0-0p · · Score: 3, Informative

    Organizations want to schedule their downtime and the "Black Tuesday" policy makes it easier for them to do that and keep good looking metrics. All the places I've worked at have a scheduled outage the second Friday of every month. This gives a few days to do test deployments of the patches before rolling them out to the enterprise. Metrics still look great because IT can say they deployed all critical patches in under three days.

  9. Re:"Nothing for you to see here. Please move along by SpaceLifeForm · · Score: 2, Informative
    March 31: http://www.eweek.com/article2/0,1759,1781171,00.asp

    He said Microsoft was alerted to the first vulnerability March 16.

    That bug was found in default installations of IE and Outlook and could allow malicious code to be executed, contingent upon minimal user interaction, he explained.

    Default install problem. Minimal user interaction.

    According to security alert aggregator Secunia, more than 30 percent of the security holes found in IE remain unpatched.

    ...more than 30 percent of the security holes found in IE remain unpatched. Last I saw, that was 13 known holes (not necessarily rated critical).

    http://windowssecrets.com/comp/050512/#story1

    As of today, Secunia reports that there are still 19 unpatched security flaws in IE, the most severe of which is rated "highly critical." Firefox has only 4 unpatched flaws, all of which are rated "less critical" or "not critical," the lowest severity rating. Opera has none.

    Oh. It's 19 now.

    Sorry. You're right. Nothing for *you* to see here.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  10. integration at its worst by Anonymous Coward · · Score: 1, Informative

    I suspect I'm a repeat but here goes.
    MSFT's integration of their web browser into everything has backfired. You can no longer just *issue* a fix because you'd affect thousands of production level computers. Most of you who patch your workstation think...oh, this security patch will fix xyz and that's that. But they really do need regression testing as I have seen first hand the clusterFSCK an untested patch can do.

    It's much easier to patch a Linux workstation because even if they have a few insecure services or applications, due to the OS design it's difficult to break the functionality or compatibility.

    Once on MSFT XP Home, a prevalent patch fix broke my cousin's HP laptop and no one knew what had happened. He couldn't use the laptop for more than 5 minutes before it froze up on him. Literally, no BSODs or anything, just froze up. Since he was busy he didn't send it in for repairs or ask me for help. Almost 2 years passed by before I took a look at it and fixed it in 30 minutes.
    It took a BIOS patch to fix it.
    Turns out one of MSFT's APM compatibility patches broke it.

  11. Re:IE7 by Anonymous Coward · · Score: 1, Informative

    Theo Raadt couldn't see it either, until Team Teso released an exploit for a remote root hole in OpenBSD caused by an untested single-line patch.

  12. Re:IE7 by Aadain2001 · · Score: 4, Informative

    Just FYI: IE only starts faster because MS preloads it into memory at startup. To compare FF to IE on (more) equal footing, start FF and then try to open a new window. This is closer to how IE works on Windows.

    --
    Space for rent, inquire within
  13. Re:But thats not fair! by borawjm · · Score: 2, Informative

    This seems akin to scheduling firefighter visits every two weeks, and if your house catches fire in the meantime, being told to wait it out.

    Shouldn't it be more like finding a flaw in your house that might cause it to catch fire and not being able to get it fixed until weeks later? In the meantime, your house might catch on fire (or, as a comparison, your computer might become compromised).

  14. Re:IE7 by strider44 · · Score: 1, Informative

    Most browser exploits are buffer overflows - giving weird input. To combat that you have to add code (input checking), not change code.

    Besides OSS like Firefox definitely has QA built into it.

  15. Re:IE7 by SQLz · · Score: 3, Informative

    You don't have to run the application to pre-load parts of it into memory. In fact, doesn't the whole Windows shell share a lot of components with IE?

    MS does the same thing with office to make it start faster.

  16. Re:admin privilege req'd by man_of_mr_e · · Score: 4, Informative

    I've never had a problem with Publisher 2003 needing systemroot access. If you're running older versions, you don't need to give them root access. All you need to do is give them write permission to the directory without replacing the permissions on the files within, that way nothing alters existing files. There's nothing special about systemroot other than it's a place many system files are stored.. letting the user create new files there isn't going to compromise security any more than letting them create new files somewhere else.

  17. Re:IE is not a Browser by Hackeron · · Score: 2, Informative
    It's *not* the browser, it's the OS: Some reasons why Linux will never be the malware target Windows is:
    • Permissions -- If you download an executable file from the Internet, you must manually specify it is an executable before you can run it. The "click on attachment" or on the file downloaded from MSN scenario is prevented.
    • Mimetypes -- Extensions are used as guidelines, but the content of the file is scanned to ensure the right program opens it. If a file is unrecognised or script, it will prompt to open in a text viewer. You can also feel free to remove the extension off all your files and they will open up in the right programs regardless. Faking extensions doesn't work.
    • Less Automation -- For example Office files have various code and macros that can run on start that were exploitable numerous times.
    • No user interaction automation -- There is typically no code in filetypes to automate user interaction. Sure, there is optional support for it in expert tools like vim (i.e. code in file header to fetch/format data), but it is disabled by default.
    • No Registry -- Files are looked for in path, so exploits like changing path in registry are impossible. System clutter is also avoided by using configuration files that are only scanned by the software that needs them, not whenever a variable is required.
    • Dynamic Library System -- Easy library updates without causing serious side effects or forcing software vendor to provide their own version of the same library (sometimes overwriting system's version!)
    • Multiuser -- Multiuser support was forced into Windows with limited testing. It was part of the original design for *NIX.
    • Superuser -- On GNU/Linux, programs get installed by the superuser or get installed to the home directory. Since the concept of an actual superuser is invalid on single user designs, many applications on Windows still assume write access to program-files and are given it. The day to day user is also the superuser on XP Pro and XP Home systems unless part of a network.
    • Mature Networking (TCP/IP) -- Added to *NIX over a decade before making its way to Windows, so far more mature and tested.
    Only when Windows get their shit together with the above, then I'll consider trying it in vmware again ;)
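
An added example, not part of the comment above or of any project's code: a small triage routine for downloaded files that applies the first two points of the list, classifying a file by its leading bytes instead of its extension and checking whether any execute bit is set. The function names, the signature table and the three sample files are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed signature table: a handful of well-known magic numbers.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"#!", "script"),
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
]
EXT_KIND = {".exe": "pe-executable", ".sh": "script", ".pdf": "pdf", ".jpg": "jpeg"}
RUNNABLE = {"pe-executable", "elf-executable", "script"}

def sniff(path):
    """Classify a file by its leading bytes, ignoring its name."""
    with open(path, "rb") as f:
        head = f.read(16)
    return next((kind for sig, kind in MAGIC if head.startswith(sig)), "unknown")

def triage(path):
    """Compare what the name claims with what the content is; check exec bits."""
    claimed = EXT_KIND.get(os.path.splitext(path)[1].lower(), "unknown")
    actual = sniff(path)
    exec_bit = bool(os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return {
        "claimed": claimed, "actual": actual,
        "mismatch": claimed != actual,  # extension and content disagree
        "exec_bit": exec_bit, "directly_runnable": exec_bit and actual in RUNNABLE,
    }

def demo():
    """Triage three constructed downloads in a throwaway directory."""
    samples = {  # name -> (constructed content, file mode)
        "holiday.jpg": (b"MZ\x90\x00" + b"\x00" * 60, 0o644),
        "report.pdf": (b"%PDF-1.4\n", 0o644),
        "setup.sh": (b"#!/bin/sh\necho hi\n", 0o755),
    }
    out = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (data, mode) in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, mode)
            out[name] = triage(path)
    return out

if __name__ == "__main__": print(demo())
```

The `holiday.jpg` sample is the interesting one for a mail gateway or download scanner: the name claims an image, the content starts with a PE header, and `mismatch` is the field to alert on.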