IE Flaw Exposes Users To Spoof-Based Attacks
Sotos wrote to mention a C|Net article discussing a new spoof-based attack on Internet Explorer. From the article: "The problem lies in the way Microsoft has implemented a JavaScript component in its Web browser, security researcher Amit Klein wrote in a research document. Internet Explorer does not validate some data fields provided by a PC when the component, called XmlHttpRequest, is used, he wrote. The vulnerability could be exploited with specially crafted code. An attacker could spoof a legitimate Web site, access data from the Web browser's cache or stage a so-called man-in-the-middle attack, which taps into traffic between a user and another Web site, according to Klein's write-up." Secunia has an alert up on the spoof.
XMLHttpRequest? Never heard of it.
Okay, now we spend time generating another 500+ comments discussing how shitty IE's security is and how Firefox isn't much better. Add the other browser users (Opera, Konqueror) and we get another 300+ comments. Throw in the fact that each cross-platform browser runs better in Linux/OSX/BSD, or is emulated better (hence, more secure) through Wine and we generate another 250+ comments.
Every security announcement is met with the same level of bickering without any resolution in sight. Google "Internet Explorer Firefox security comparison" and you get another 1.7 million opinions.
Will it ever end?
"Rocky Rococo, at your cervix!"
Same-source policy? Couldn't this only be used to attack the server that the script came from?
It is the thingy that powers AJAX
Wow, whoda thunk it?
Microsoft is unhappy about the way the problem was disclosed. The company urges security researchers to report problems in its products privately so it can provide a fix. "This public disclosure potentially puts computer users at risk," the Microsoft representative said.
Security through obscurity, yeah right. IMHO this just makes Microsoft get on the ball and do something about the problem rather than putting it on the back burner since "nobody would know about it."
If you give a liberal an enema, he'll turn transparent.
Am I wrong or haven't we seen this story before?
So, like, Spaceballs could compromise my boxen?
You are not the customer.
There should just be some sort of counter at the top of the /. page that shows how many vulnerabilities have been found in Windows for that week. Would save admins the time it takes to post the article and links and such.
Ok, sarcasm off.
I can't believe the firefox revolution is slowing...
Cue a flow of comments on how AJAX isn't secure/safe/etc. But we already knew that, didn't we? Personally, I'd be glad to see AJAX take this kind of hit. Keeping cross browser compatibility is hard enough as it is.
Maybe so, but each and every one of those 500 comments discussing IE's shitty security is more worthwhile than your pointless post.
I was being just a tad sarcastic.
"Yea, but it hasn't even been exploited yet! It doesn't count unless it's been exploited, right?"
"I bet there will be a fix out within 24 hours! Exploits don't count if they are fixed quickly, right?"
"I don't care if they find a thousand exploits; I still won't use IE!"
Oh, wait . . . I thought the article was about another Firefox exploit. Nevermind.
"Fully-patched computers running Windows XP with Service Pack 2 and Internet Explorer 6.0 are vulnerable to this issue, security monitoring company Secunia said in an advisory. Secunia rates the problem as "moderately critical" but says people can avoid the risk by not using Microsoft products anymore."
When will people get the message?
Firefox? I'm using Webwhale, which is much better!
XmlHttpRequest is the javascript object that allows for asynchronous communication between your web browser and a server located elsewhere on the internet, i.e. the first A in AJAX.
If it wouldn't be for MS, most IT web logs would shut down.
:)
All the security articles guarantee readers and advertisers
putting the 'B' in LGBTQ+
I'll start with the Secunia site.
Internet Explorer: Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical...Currently, 20 out of 86 Secunia advisories, is marked as "Unpatched" in the Secunia database.
FireFox: Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical...Currently, 3 out of 24 Secunia advisories, is marked as "Unpatched" in the Secunia database.
"In the game of life, someone always has to lose. To me, if life were fair, that someone would always be Oklahoma." -DKR
The hackneyed saying; "Microsoft allowed people to use computers of which those people shouldn't be allowed NEAR a bloody computer".
Marvellous work on even further improving the signal-to-noise ratio there
Hey, mod interesting. I actually found that link to be useful.
Sierra Tango Foxtrot Uniform
But if we don't use Microsoft products, how will we be able to access the internet? *confused* :)
AJAX = abrasive cleaner. Good name for this technology, alright!
EricMaking Google richer (summary of U. Vazirani's talk at UW)
I thought that chlorine and an abrasive powder (pumice?) powered Ajax.
It's transparent, you just haven't seen it before.
The fundamental premise of your post is correct - no one flaw proves a browser is "better" than another browser, and flamewars ensue from these flawed comparisons. Nevertheless, there is an underlying problem with IE: ActiveX. This is yet another example of how Microsoft, wanting to "kill" a more open product (Java), has introduced its own, flawed, "standard" which causes its own problems. In this case, ActiveX is not secure and cannot be made reasonably secure, and this is the problem many of us have with IE.
Using plain ol' text since 1968
I think that the only reason posts like this one garner so much discussion is because the web browser has become (arguably) the most important program on the PC. Not only is it used for certain parts of the operating system, but I'm willing to bet my reputation that almost everyone in those 1000+ comments are using one of the browsers being discussed to discuss.
Until the web browser evolves or is replaced, this kind of conversation is unavoidable.
Another day, another browser exploit. When will the madness end? On a side note, TGIF!
Bleach?
(I really do wish it was completely a joke)
Free Software: Like love, it grows best when given away.
There's no chance a spoof attack would ever wo.df&^3478adf@$%%
/*User dead*/
.. Amit Klein wrote? Unknown, because one article mentioned in the summary contradicts the other. C|Net's one talks about a JavaScript component but Secunia says that the vulnerability was discovered in the Microsoft.XMLHTTP ActiveX control.
I have to admit that I don't have much experience with IE, but is it really required to use ActiveX to use XMLHTTPRequest in IE? Somehow I got an impression that JavaScript is all that is required... (or ActiveX is used under the hood?)
Hahaha, I figured as much but it was worth it taking the time.
Slashdot is proof that Sturgeon's Law applies to mankind.
Anyone who doesn't know about Firesomething by now must be living in a cave, besides it gets old real quick.
Should be another quiet weekend in Redmond while Microsoft fixes this one.
Will SP3 , already on its way, fix this flaw?
Most certainly not. Look through what's included in this service pack (don't mind the ads at top...)
Personally as an ASP and Java/JSP developer I don't think that the request/response/session objects will EVER be secure. Sure you can code it to the best of your ability and most secure as you can get, but there will always be a way especially with MS's seemingly low scale way it handles these objects in IE.
-- Josh
"Whoopie! Man, that may have been a small one for Neil, but that's a long one for me!" - Pete Conrad
http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml
Active Ingredient: Triclosan
Other Ingredients: Water, Magnesium and/or Sodium Dodecylbenzenesulfonate, ammonium laureth sulfate, Sodium xylenesulfonate, SD alcohol 3-A, Lauryl polyglucose, Laurylamidopropylamine oxide, Magnesium sulfate, Sodium bisulfate, fragrance, Pentasodium pentetate, DMDM Hydantoin, D&C Orange No 4.
See, see, Triclosan is what powers AJAX!
Unstable Apps: Our Android Apps Don't Suck
I use IE only when a page won't open/display/work correctly in Firefox. So I already know (AFAICT) that the page I'm viewing is "really" the page I think it is. I wish there were a plugin that added an "Open Link in IE" context menu item. And even better to somehow add a "Return to Firefox" option that opens a link or reopens a page from IE to Firefox, to get back to Earth from Purgatory.
--
make install -not war
After recently working with the Mozilla codebase, I'm surprised that flaws aren't found more often. To be honest, it's a very complex beast. Perhaps overly complex. The worst part, however, is the outdated documentation. It displays the sort of attributes that often lead to bugs and security flaws.
Now, what really interests me is in how horrible the quality of the Internet Explorer code must be for it to run into so many problems. Considering how unappealing Mozilla was, I can't even begin to imagine how absolutely terrible the IE codebase is.
Perhaps somebody with experience with both could, assuming NDAs don't get in the way, describe how the quality of the two codebases compare.
Cyric Zndovzny at your service.
You must be new here.
This is why I have my mom running Firefox on windows, and for those who will say FF has vulns, yes, they do, but with the 'auto-updating' option on 1.5 it will change that view. No one (save for us geeks) want to reinstall software all the time; most of the time if it works, they're not going to upgrade. 1.5 will 'auto-update' the bits to keep the browser secure, and I'm sure it will continue to while the browser moves to 1.6 and beyond.
fak3r.com
The yet to be released IE 7.0 has a lot of features. Majority of them stolen from firefox. And it was amusing to see that it looked just like firefox in appearance.
Linux Help
for all things on Linux
Sorry, the echo in hear made it difficult to understand you. Could you repeat?
/.
And I don't have time to browse Firefox's thousands of extensions. I barely have enough time to scan
The problem is with the proxy servers, not IE.
Read the paper
Yawn...
What is IE? Does it run on Linux? I hear a lot about it, but I can't find it in any of the debian repositories.
I rate this flaw '-1 Redundant'.
We'd save a lot of comments if we avoided making comments on how many comments we'll have, avoided making comments about comments about the number of comments, and most importantly, avoided comments saying how much less comments there would be if the previous two comment types were avoided. Ermmm...
On a more serious note, just because posts like this usually devolve into a browser flamewar, I can say that personally as a web developer, news posts about browser exploits are some of the most important to me.
"Excellence in Mediocrity"
Extension for Open in IE
Opera, I understand, has similar functionality available.
Never confuse volume with power.
What?! Again?! I thought IE rox0red!!
JavaScript... in Internet Explorer?
:p
Don't you mean "Jscript" ?
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
I personally prefer Launchy; it allows you to launch all kinds of apps and even auto-detects many popular apps on Windows.
XmlHttpRequest is a way for client-side script to submit an http request and receive the results as XML or text. It's pretty cool because you can make a web page behave like a little client-server app, eliminating the need for page refreshes and session state maintenance. The name AJAX was made up recently, but the technique has been around for years, ever since IE4. Microsoft implemented it as an ActiveX object, but Mozilla now supports it natively.
Your comment made me laugh, in a sad way; there are people who haven't even heard about FireFox, let alone that there are extensions!
I think it's time to do something more productive with your life when you come to a point where you find it a flaw when someone doesn't know a certain extension.
IE is flawed?
I don't believe it!!!!
"Mozilla/FireFox
===============
I focused mainly on IE (tested IE 6.0 and 6.0 SP2), so I don't have a lot of results on Mozilla/FireFox. I suspect it is vulnerable to the same technique, possibly even more so since I suspect it allows SP in the method parameter."
This is potentially not only an IE exploit.......
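The check whose absence the quoted passage points at, as an added example (not code from the paper or from any browser): the XMLHttpRequest standard that browsers follow today requires open() to reject a method that is not an HTTP token, which rules out SP, HT, CR and LF. It goes slightly beyond the quote by applying the same rule to setRequestHeader(); all function names are hypothetical and the sample strings are constructed.

```javascript
// Added example; names are hypothetical, rules follow the XMLHttpRequest standard.

// RFC 7230 "token": one or more tchar, so no SP, HT, CR, LF or separators.
const HTTP_TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const FORBIDDEN_METHODS = new Set(['CONNECT', 'TRACE', 'TRACK']);
const NORMALIZED_METHODS = new Set(['DELETE', 'GET', 'HEAD', 'OPTIONS', 'POST', 'PUT']);

function fail(name, message) {
  const err = new Error(message);
  err.name = name;
  return err;
}

// What open(method, url) has to do with its first argument before any
// request line is built from it.
function checkMethod(method) {
  const m = String(method);
  if (!HTTP_TOKEN.test(m)) throw fail('SyntaxError', 'method is not an HTTP token');
  const upper = m.toUpperCase();
  if (FORBIDDEN_METHODS.has(upper)) throw fail('SecurityError', 'forbidden method');
  // Only these six are case-normalized; anything else is sent as given.
  return NORMALIZED_METHODS.has(upper) ? upper : m;
}

// Same rule for setRequestHeader(name, value): the name is a token, and the
// value (after trimming HTTP whitespace) holds no NUL, CR or LF.
function checkHeader(name, value) {
  const n = String(name);
  const v = String(value).replace(/^[\t\n\r ]+|[\t\n\r ]+$/g, '');
  if (!HTTP_TOKEN.test(n)) throw fail('SyntaxError', 'header name is not a token');
  if (/[\0\r\n]/.test(v)) throw fail('SyntaxError', 'header value has NUL/CR/LF');
  return [n, v];
}

// Returns the accepted value, or the name of the error that was thrown.
function classify(fn, ...args) {
  try { return fn(...args); } catch (e) { return e.name; }
}

// Constructed inputs: two well-formed methods, then whitespace, a line break
// and a forbidden method.
const SAMPLES = ['get', 'PROPFIND', 'GET /', 'GET\t/', 'POST\r\nX-Test: 1', 'trace'];

function report() {
  return SAMPLES.map((s) => [JSON.stringify(s), classify(checkMethod, s)]);
}

console.log(report());
```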
Grah... was supposed to be:
fir<st>po</st>
But it wasn't first post anyway.
*shoots self*
Skype is too convoluted... Now I'm reverse-engineering the Kyoto Protocol.
Is this perchance related to the patch Microsoft pulled this month - the "Critical" (their rating) IE patch that MS announced, then decided it needed more testing?
Whenever I see fairly coincidental timing regarding related subjects, it makes me wonder if they're really coincidental.
#DeleteChrome
Living in a cave... or maybe using a better browser.
HAHAHAH!! TRUE DAT!
Run your Windows command prompt. Then type the following: del *.*
If there was a mod for: "-1 Sarcasm Detector Broken", you'd get it for sure!
Surely that should be Firewhale?
Spoofing, to me, seems intrinsically a social engineering attack, not so much a flaw in the application.
Designing applications (be it Internet Explorer, Mozilla/Firefox, Safari, Opera, etc.) can only provide ways to make identifying spoofs easier, reducing the risks. But I contend applications can never nail every thing down so tightly, considering the wide range of sites users could visit. If your design requirement is "The most foolish user must never be fooled by the most clever phisher anywhere, ever, in the future, too. amen." then you better get a different boss.
That being the case, why not go the route that the conventional mail system has adopted? There are extra heavy penalties for using the mails to defraud.
Kind of like using a gun in a holdup -- there are extra penalties associated with using certain tools for evil. [No, not for tool possession, nor even for using a tool - just for using a tool for evil.]
Likewise, criminal prosecution of spoofers should be aided by legislation that makes it extra double bad if they use the public Internet as an aid in the commission of their crime.
"Provided by the management for your protection."
1) Yes, XMLHTTPRequest is that thingy that powers AJAX.
2) AJAX is that thing that's making it possible to write responsive, platform-independent, server-based apps.
3) Responsive, platform-independent, server-based apps are those things that are threatening Microsoft's deathgrip on the desktop.
4) [Apply tinfoil hat if needed] So... perhaps Microsoft inserts a dangerous bug in their XMLHTTPRequest implementation, so that
5) Microsoft must deploy a security fix that CRIPPLES or limits AJAX...? And
6) Profit!!
Hmm.... the mystery unfolds. It's a little wacky, I'll admit, but keep your hats on until you see if anything breaks when the "fix" is deployed. This is fun!
And your Social Security number is:
103-56-2245
Your mother's maiden name is:
Greene
Your Visa Card number is:
4364-3343-1203-3096 (exp. 10, 2006)
Sometimes security through obscurity isn't necessarily a bad thing -- it isn't always the case that just because an exploit exists, that it necessarily should be publicized.
Here's what I do: Bitty Browser & Andromeda
It's 5:13PM here, and after a lot of posts, I haven't noticed much flaming going around. Perhaps we've come to the terms where "IE vulnerability found" isn't news anymore. On the other hand, finding a Firefox vulnerability _IS_ news, and makes it a more fertile environment for flamewars.
Not in IE, it's not.
So... What else is new?
If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
If you look at the endless list of cases when a vulnerability researcher reported a flaw to Microsoft only to have the issue swept under the rug for a half year, then the immediate full public disclosure is the only method which works when dealing with that kind of company.
"That kind of company", eh? I see.
What's wrong with notifying Microsoft about the flaw immediately, explaining that you will be making a full public release in 3 weeks? That gives them time to make a patch, release it, and hopefully a lot of actual users will be able to apply the patch before exploits are widespread.
Am I missing something? This seems so blazingly obvious. Maybe our goals are different?
One possible goal is to protect users, by encouraging Microsoft to publish a fix ASAP, preferably *before* black hats figure out the vulnerability and exploit it. When you notify MS secretly beforehand, they can either look irresponsible and uncaring (if they don't patch it before you announce it as promised) or they can work with you and do what they're supposed to, and you save lots of users lots of trouble.
Another possible goal is to harm Microsoft in any way possible, because they are evil. This includes intentionally publishing exploits without giving MS any chance to issue a patch, thus ensuring maximum possible exposure and damage to users, who will presumably stop giving MS money once they have been harmed enough. The only better option for this goal would be to release the exploit secretly only to black hats (and NOT publicly)... but of course that would make you a black hat yourself, as opposed to just a dirty gray.
I've been a long time reader, short time poster and one thing I've noticed is that people like to bash security issues with IE, but never come up with a solution to NOT using ActiveX... There is a reason why so many HAVE to use Internet Explorer, simply to use services by companies. IF these companies wouldn't use ActiveX components, the security risks would be trivial. I would say about 80% or more of my clients require IE to access services online. Flash is a good solution, but can do the client sides things ActiveX can do, and Java is slow and ugly, people just don't like it.
Are you subscribed to Sloshdat? Get a life man.
Oh well, what the hell...
"Firefox is more vulnerable than IE" says Symantec.
I fail to see why this is even considered an issue. You can EASILY spoof any website with server-side code and the "attack" is cross-browser.
The security bulletin talks about how using a specifically formed URL, you can download content from a remote site. I do the same thing all the time with a simple bridge in php:
httpbridge.php:
---------------
<?php
readfile($_GET['url']);
?>
so if you want to get content from google in javascript:
var A=null;
// IE exposes XMLHTTP as an ActiveX object; other browsers have a native XMLHttpRequest
try{A=new ActiveXObject('Msxml2.XMLHTTP');}catch(e){try{A=new ActiveXObject('Microsoft.XMLHTTP');}catch(oc){A=null;}}
if (!A && typeof XMLHttpRequest!='undefined'){A=new XMLHttpRequest();}
A.open('GET', 'http://www.yoursite.com/httpbridge.php?url=http://www.google.com', false);
A.send();
document.write(A.responseText);
And now you can do any of the listed attacks in any browser. This is nothing new, lots of people already do it for useful reasons. The most recent use I've found is to pull geocodes.
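A bridge like the one in the comment above fetches whatever its url parameter names, so a deployed one needs a target check in front of the fetch. The following is an added example, not part of the original post, written in JavaScript rather than PHP; the function name and the allowlist contents are assumptions, and the sample URLs are constructed.

```javascript
// Added example; hypothetical allowlist check for a bridge like httpbridge.php.

// Assumption: the only hosts this bridge is meant to reach.
const ALLOWED_HOSTS = new Set(['www.google.com']);

// Decide whether the raw "url" parameter may be fetched by the bridge.
// Returns { ok: true, url } with the normalized URL, or { ok: false, reason }.
function bridgeTarget(raw) {
  let u;
  try {
    u = new URL(String(raw)); // absolute URLs only; relative paths throw
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  // user:pass@ makes the real host easy to misread in a URL.
  if (u.username !== '' || u.password !== '') {
    return { ok: false, reason: 'credentials in URL' };
  }
  // An empty port means the scheme's default (80 or 443).
  if (u.port !== '') {
    return { ok: false, reason: 'non-default port' };
  }
  // Exact match on the parsed hostname, never a substring or prefix test.
  if (!ALLOWED_HOSTS.has(u.hostname)) {
    return { ok: false, reason: 'host not allowed' };
  }
  return { ok: true, url: u.href };
}

// Constructed inputs covering each rejection path.
const CASES = [
  'http://www.google.com/search?q=test',
  'file:///some/local/path',
  '/some/local/path',
  'http://www.google.com@internal.example/',
  'http://www.google.com.other.example/',
  'http://www.google.com:8080/',
];

function report() {
  return CASES.map((c) => [c, bridgeTarget(c)]);
}

console.log(report());
```

The same check has to run again on every redirect the fetch follows, otherwise an allowed host can forward the bridge anywhere.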
...is that stories like this could be duplicates, and you'd never know it.