Slashdot Mirror
Zero-Day IE Exploit Takes Control of PCs
anethema writes "A remote IE exploit with implementations is currently in the wild. From the article: 'Exploit code for a critical flaw in fully patched versions of Microsoft Corp.'s Internet Explorer browser has been released on the Internet, putting millions of Web surfers at risk of computer hijack attacks.' Aparently all you have to do is browse the page to be affected. There is no patch, but since it is a JavaScript exploit, you can work around it by disabling JavaScript."
I use Firefox.
How about I "work around it" by not using IE?
Easy fix...Firefox http://www.mozilla.org/products/firefox/
Remember when web browsers were just for viewing HTML pages, and not as a platform agnostic instant-rollout applications platform?
Yeah, me neither.
Wow. Everyone must have had their computers infected by a virus that utilizes the exploit.
----- You know you have ego issues when you register a domain in your name.
I use Opera.
From eWeek: The group that published the exploit said Microsoft has been aware of the Javascript Window() vulnerability for several months but was mistakenly treating it as a low-priority denial-of-service flaw.
Because anything that allows a malicious user to exploit your system and hijack isn't a flaw... it's a feature!
GetOuttaMySpace - The Anti-Social Network
To just not use Internet Explorer?
Someone tell the MS apologists two threads down, please :)
Microsoft's total time of 0wnerzship continues to decrease.
Its important for MS to keep ahead in this area.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
Seriously. I know that IE's market share is still huge, but for the life of me I can't understand why.
The smartest man in the whole, wide world really don't know that much. - Mose Allison
Ah, the Firefox of Opera - who is that, Pavarotti?
I use netcat.
-- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz
You mean unless I get with the program and use Firefox, I can't browse questionable free porn sites until this gets fixed?! Well, perhaps this is a good thing. If anything can get me over my inertia against change, it will be threat of no 'self-amusement' on these lonely, chilly northern nights. Firefox, here I come!
No, the reason I'm saying it is that this being Slashdot we'll get the usual set of arguments about browser and OS supremacy. Again. It's like Groundhog Day!
Shucks, everything has security flaws. Yeah, some more than others. To be honest, I found it more of a shock that Lynx has a security flaw. If you can't trust Lynx to be secure, then really nothing is secure. Except unplugging your computer and putting it back in the box, perhaps.
Never email donotemail@WeAreSpammers.com
Now that you've read the comments, your Windows box belongs to OSTG. Please stand by while we load Linux.........
This sig isn't original enough, it's time to come up with something witty...
Well, there might be no customer impact at this time, but seeing as the exploit is published now, can I ask you again in about 5 minutes?
Drag n' Drop DVD Recommendations
The sun has risen this morning, and the Earth is rotating around its axis.
Nothing to see here - move along.
Make even shorter URLs - 8LN.org
I don't browse the web.
Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
I have a dual boot system:
1. Windows for games and the occasional Windows-only software. Nothing sensitive there. Rootkit me all you want.
2. Linux for the serious stuff.
Everyone should do the same.
/evil on
/evil off
That'd be SO funny
Someday, an IE exploit is going to come along that wipes your HD. Then we'll see sparks fly.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
The sure way to prevent IE from causing trouble is to set an ACL on the executable. If you remove or overwrite the executable, some sort of "helpful" feature may restore it.
Set access to deny permission to "everybody". Since "everybody" is special, that prevents even the admin from doing anything.
(then, of course, you use firefox)
On story like this, we need the facts, period. No hype, rhetoric or personal opinions. Only the facts please, because I know members are going to tout the "other browser" as the safer one.
Now, mod me whatever you want, but the info you provide should be FACTS.
I just tried to run the POC on a 1.5rc2 Firefox install - crashed it to hell...
The key thing here is not to use IE. That seems to come up a lot, wonder if that is a hint that a multibillion dollar company with an army of programmers can't manage to write a good browser while an open source browser has had less problems, but by no means no problems just not problems that let people take control of your computer thats all.
This exploit exploits a vulnerability on a already found denial-of-service attack which Microsoft classified six months ago as "low-priority"...
you won't be able to implement Microsoft's great new idea.
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
The original article and the Slashdot headline are wrong. It's not a "zero-day exploit." The article itself says, "The group that published the exploit said Microsoft has been aware of the Javascript Window() vulnerability for several months but was mistakenly treating it as a low-priority denial-of-service flaw." A zero-day exploit is one that is discovered or revealed the day software becomes available, be it brand-new software, an update, a patch, or a service pack.
Wordnik, a dictionary project which aims to collect
Exactly.. And could you convince them to up the monitor's refresh rate from the mininum to something that won't kill this poor student's eyes?
A Good Troll is better than a Bad Human.
not when the code maintainer was notified of it. Basically, M$ says "oh, here's a bug" then whammo, an exploit. Still sucks to be them...
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
Okay, dumbass. Nice try at getting a couple of dollars out of a few people. Perhaps you could have linked to the real website instead of being stupid about it.
This exploit exploits a vulnerability on a already found denial-of-service attack which Microsoft classified six months ago as "low-priority"... Well at least Microsoft is shown in studies to have far less serious bugs, and therefor require less patches.
Haha, low priority...
[I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CAN-2005-1790
"Phase: Assigned (20050601)"
IE hackers too busy trying to play catch up with firefox to fix non-critical bugs, maybe?
The good thing of all this is that since Microsoft only releases security patches on thursday - you know, "admins want predictability" and all that shit that some companies use and that lots of shitty admins believe - so you have a full week as minimum to exploit this on your web pages. Enjoy, IE users!
Comment removed based on user account deletion
So you'd deliberately and maliciously cause problems, just to prove you were on some imaginary moral high ground?
Will DOS Firefox. Not as bad as an exploit but they have issues to fix as well.
users do, but they're much further down the food chain
Except that regular users comprimise a greater number of Internet users. So if Joe Average uses IE, more people are going to be affected by this flaw.
we'll get the usual set of arguments about browser and OS supremacy.
If something has fewer security problems, isn't it "superior" in that respect?
If you can't trust Lynx to be secure, then really nothing is secure.
Right. Because if something has one flaw, then you might as well not even bother trying, because everything has flaws. I mean, just because IE has had double-or-triple-digit flaws, clearly this one flaw in lynx makes all arguments against IE moot.
What an inane comment.
Oh, wait... it just seems that way. Carry on...
What, no link?
Here you can test an exploit on IE: http://www.computerterrorism.com/research/ie/poc.h tm
--
http://tvilda.stilius.net/
Just when I'm considering using more AJAX stuff on my web site, along comes another in a long line of Javascript vulnerabilities. Maybe it's not time to do AJAX. Or to make it lock out IE browsers.
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
...one more study to show us how much more secure Windows is vs. Linux. Notice how the announcement of those studies never coincides with the announcement of a critical IE or RPC exploit?
I don’t have to worry about JavaScript exploits because I use the new super safe IE7! It utilizes Microsoft’s super new language, JScript! Download this super new web browser today and keep your Windows safe from all those evil hackers*!
*and other assorted open source terrorists
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
IE? I don't have that; I use Windows.
[an error occurred while processing this sig]
The holidays are a time for giving.
Now that you've RTFA, and you are now looking at the comments page, the staff of Slashdot and EWeek would like to thank you for visiting our web pages and giving us full control of your windows PCs.
Happy Holidays!
- Donny was a good bowler, and a good man.
Computer Terrorism Ltd. published the proof of concept code on Monday. Their example even seems to hang my copy of Firefox.
On another point, why doesn't Microsoft default windows to some better refreh rate. Surely there's ways to determine what refresh rates the monitor accepts when you install the OS. If you can see this, click ok, works pretty well in most situations.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
"There is no patch,"
Am I wrong in guessing that, had this been a Firefox exploit, this particular phase would have been worded more generously? Say, "There is no patch yet"?
I mean, surely something as severe as a JavaScript hack will be as high on Microsoft's list of priorities as it would be on the Mozilla team's...
They must have hated the press Firefox received over it's first security issues. "No one takes over our exploit vulnerability market! This is MY HOUSE, bee-otch!!!"
My Powerbook and Linux server look better every day.
Ignore anything I said above, I actually agree with everything you believe - mod accordingly.
Too bad it's multifile, or else we could even make it self-propagate...
you can work around it by disabling javascript
or by using firefox instead of IE!
"ghost in the machine"
I am pretty sure MS anti-spyware will stop this from launching
He who knows best knows how little he knows. - Thomas Jefferson
When I first came across the lynxcgi: settings in lynx.cfg, I was amazed such a "feature" even existed. IMHO, if you get screwed over because you had lynxcgi enabled, you deserve what you get.
Yes, for most it may be extremely easy. But in case you haven't had to do it for some time:
...Shamelessly stolen from here.
To disable JavaScript in IE, click Tools, Internet Options and choose the Security tab. Click the Internet icon, click the Default Level button, and move the slider to High.
Stay strong guys!
Don't let anyone or anything stop you from running IE. It's part of your identity.
The security nightmare of surfing with IE is a small price to pay for keeping up your image as a "Microsoft Guy"
...There would already be a fix available for it.
Technoli
Something tells me Sony is involved in this exploit.
Isn't Google's master plan to take over the world dependent upon people using AJAX? If IE has a critical flaw using javascript, and everyone has to turn it off, then nobody will be able to use Google's new products and... Hey wait a minute.
Best. Comment. Ever. Enjoy!
Windows has yet another "Open doors day - everyone warmly welcome" day! Jesus Christ, why do we let this happen?
Windows is actually quite an open OS, you just have to work for it a bit more :) But you can pretty much bend it to your will.
Sehr geehrter Toilettenbenutzer!
This story (I suppose is true) shows how important is that things like the browser or the operating system should be opensource! ...
None is perfect and (software) mistakes are very common among Humans! At Microsoft have practiced a lot this.
But with an opensource Javascript engine this damned bug could be fixed in few hours.
We can bet it will take a couple of days just to see the announcement in the Microsoft site and a full week for a real fix. And related side bugs. That in turn will take more time for fixes and side bugs
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
I am thankful, in light of this article, for Firefox.
I am thankful that I am smart enough to not have used IE for over a year.
I am thankful that I have convinced my wife and my parents to also use Firefox as well.
I am thankful that things like these keep happening to IE, but only with respect to the fact that it might make those last few businesses that I deal with (re: bank) to modify their pages to support non-IE browsers.
I am thankful for retaining the hope that there are still intelligent people out there.
And they said zombies weren't real!
If a user isn't using IE as their primary browser and someone sends a malicious page via email and it is opened within Outlook will it make a call to IE and still run the exploit? I would think yes.
News Reporters Make Tasty Polar Bear Treats!
The same exact thing *could* happen to firefox. Maybe only on windows, but still... running under your username even in linux an exploit could seriously fuck with your ~/.
I'm waiting for the Sony rootkit exploit that only destroys vaio machines running windows.
It's only a matter of time folks. Many rootkit-infected CDs will be floating around out there for years to come. Somebody somewhere ought to nail 'em. Maybe not wipe the drive, but it could intermittently disable windows and tell the bewildered user how to sign up for the impending class action suit (while blasting out Neil Diamond at max volume).
Fortunately my other PC (a used Sony Vaio) is running linux.
it's a blue bright blue Saturday hey hey
The SANS handler on duty has linked to a BleedingSnort rule for this. Anyone have a way to block this from a Squid proxy server? That would be most useful....
Thanks
Since this exploit is critical in IE, and DoS's both Safari and Firefox, does anyone know if this bug also affects Opera 8.5?
Some think the Internet is a bad thing. I just think that AOL is a bad thing.
To be honest, I found it more of a shock that Lynx has a security flaw.
Why? I haven't looked at Lynx recently, but Lynx used to be a very insecure
browser - Lynx code had lots & lots of Buffer Overflows.
Sony's CD copy protection installs in your Windows machine a rootkit that renders invisible any file whose name starts with '$sys$'. :-(
The *nix joke "word^Wother" (also written "word^H^H^H^H") meant: i wrote "word", but repented and erased it (with one control-w or N control-h keys) and substituted it for "other".
The newly made Sony/Windows joke "$sys$word other" means: "word" becomes invisible and, just as in the unix case, I am saying "other" (when I really mean the harsher "word").
Funny thing is, it's not as funny when I explain it.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Now all we need to do is have a nice Zero day windows exploit that is self spreading and code it to go out and install Fire Fox (and remove IE) on every windows computer.
'course, before one does that, one should sign up for the $1 google promotion...
We would need someone to mod the FF build and make it install seamlessly with defaults... no point in a bug if you get prompted by the install software...
and we need someone to write the shell code to install and spread the whole package...
So, who's good at writing shell code? Sony? Are you listening?
The Code Ninja is swift with his tool, precise in his delivery, and deadly accurate in his execution.
It was 0day yesterday morning.
No link to the affected page(s)?
-Mark
Google for Portable Firefox and give it a try. Works just fine for me on all the school computers, without the hassles of getting the Microsoftophiles upset.
I work at a lab of over 2000 engineers and scientists and computer professionals. I'm appalled at the number of people that use IE here, despite our allegedly high computer security stance....it's pathetic, I hope we get infected and badly.
As far as my family/friends go, they've all been warned that if they use IE I will not fix their computers.
I'm wearing a tin-foil condom. There's no way I can catch a virus through this thing.
Surely this is another RIAA approved "feature" released by Sony!
Cheesy Movie Night
You're surprised at this kind of attitude? In a world where even some of the major religions (supposed bastions of moral high-ground,) ignore some of their fundamental tenets in the name of expediency?
And before anyone feels hurt about this, allow me to quote a billboard I saw in the midwest recently.
"What part of 'thou shalt not kill' don't you understand?"
--God
-- it's ridiculous how many people misspell ridiculous... (damn, damn, damn...)
not the fact that browsing to a particular website would infect a single user. I would think that most people don't go to those websites.
However, if a malicous person were to couple an exploit like this with a website infecting worm, the potential is enormous. You're no longer concerned with the individual site or user being taken offline or corrupted, you have the potential vistors to a site possibly helping spread the infection. Imagine a large e-commerce site infected with exploit code. I can foresee large infection rates from anyone who figures out how to automate this type of "two-pronged" attack.
I'm surely not the first person to think of this.
I gave up thinking of a cool sig
In other news, your parent's computer is running slowly and there are popups everywhere.
You'll cop it now! You shouldn't see the fnords, oh deary deary.
Sam
blog.sam.liddicott.com
By the way:
- Firefox 1.5rc3 is out
- Download my holiday classic Jingle all the way!!!!!!!!!!!!!!!!!!!!!
In my network, we use group policies to enforce all computers browse the Internet at the high level. What happens when a user needs JS? Well they send the admin a email, and if the site is legit, we add to the global trusted sites...
/shrug felt good to say at least.
Block all, only allow what is legitimate.
A security principal we should be using... Whitelists are much better then black lists.
This vuln will only affect my network if one of the trusted sites gets infected, but that is a much reduced risk from the phishin emails etc with links to bad sites... I.e., like anything is only as secure as how the administrator configured it.
Now for home users.. Microsoft WHAT THE HELL ARE YOU THINKING
No comments.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
So please remind me again why I can't set javascript policy on a site by site basis in firefox?
You know, javascript on for some sites, off as the default.
Dunno about the rest of you - on Firefox (win & linux) this created numerous windows and pegged my cpu.
Are you listening, Google?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I was willing to concede that a "yet" could have been added to the end of that sentence until I read
"The group that published the exploit said Microsoft has been aware of the Javascript Window() vulnerability for several months but was mistakenly treating it as a low-priority denial-of-service flaw."
After that, my view of the exploit got just a little bit dimmer.
"Linux doesn't exist. Everyone knows Linux is an unlicensed version of Unix"- Kieren O'Shaughnessy
Same on IE. Didn't seem to do anything on opera.
Not sure if crashing the browser can really be called an 'exploit'. Slashdot headline writers on crack again...
Internet : Disable Active X, javascript. Trusted : Enable Active X, Javascript. Maintain a trusted sites list. Oh, and never, ever, install Norton. Even if you don't get a virus, your computer will run like c**p. It's not that hard people.
You can get 15 minutes of fame, but you can go down in history for infamy.
Microsoft Internet Explorer "Window()" Remote Code Execution Exploit
I tried the http://www.computerterrorism.com/research/ie/poc.h tm">Proof of Concept with IE6 & Firefox 1.0.2
Both the browsers hung when I clicked on the link on the page.
So what's the story?
hahahahhaahahahahahahahah!!!!
Don't feel too bad, I didn't catch it either.
jred
I'm not a mechanic but I play one in my garage...
So you'd deliberately and maliciously cause problems, just to prove you were on some imaginary moral high ground?
He wouldn't have to. Normal use of IE by others would do that nicely.
1. Post the link /. it
2.
3. Game over...
Keep using that wonderful blue-e and you should be fine.
If I could chroot into Windows, then I'd use it. From Linux, of course, but it'd be nice to be able to use one of the new Express Editions of MS Visual Studio in Enlightenment with XMMS playing. I guess that I essentially want a desktop version of Xenix.
Maybe this explains the 8333% increase in email virii on our (relativly small) hosting cluster yesterday?
-mix
I tried the link some user provided here ( and appears to be deleted ) and it locked my Firefox, its not a security vulnerability but it is sure stupid to lock the damn thing.
This is a area where i must admit that windows is better than gnu/linux. In a gnu/linux distro you have to use the package-manager to install a program , you can do it in the bash or with a GUI , in windows you just have to surf the web and software is installed without you even notice.
def greetings(x): return {'friend': 'Howdy', 'enemy': 'Dye [sic]'}.get(x, 'g0 4w4y, l4m0r')
but seriously, regarding the average consumer I really think him/her would benefit from installing mandrake or ubuntu provided the hardware available is supported, or at least dual booting for particular needs like ms access and games...is it not less hassle to do than running ad-aware, spybot, etc and doing regular registry repair and defrags, or in the latter case minimizing maintanance on the ms side? Those distros run most things out of the box already and you may as well save the exorbitant licensing fee. Oh what the heck, all this has been noted ad nauseum on /. and the status quo recursively treads onwards.
This is the correct one.
It's when a vulnerability comes out that was not previously known by anyone. Thus the maker of the affected software has no chance to patch their security hole.
The grandparent's definition of "A zero-day exploit is one that is discovered or revealed the day software becomes available," is completely wrong.
Firefox users went about their business, unaffected by more supporting reports of just how inferior Internet Explorer really is.
401 - Attention span not found
I mean, just set your implant to "erect".
For starters, anyone could ad this code in an in their blog and achieve the same exploit.
.html and when you open it have the same exploit.
For that matter,someone could email you a
So, be wary. Disable Javascript or (preferably) upgrade to Firefox.
Why do us redheads always get rendered last. :((
Yes :)
... this one? http://www.frsirt.com/exploits/20051121.IEWindow0d ay.php
Nice to see Slashdot on the ball. I was reading this yesterday, not last week!
I swear we should be allowed to give mod points to sigs... "-1, Offtopic"
Isn't everyone on earth using Firefox yet?
Too bad for them.
Some people never learn
I think you have to wait some time, because IE stopped on my computer too, but after about 0.5-1 minutes calc.exe was launched.
You couldn't help that Marzipan needed that. But it will remain a clever $sys$"& irritating" phenomenon.
I cant seem to get the Proof of Concept to work... All I get:
Windows XP fully patched: Prompt box, but it never actually loads, its just white after 5 min I kill IE in the Task Manager.
Windows 2000 SP4, missing last 30 critical upadates: Same as XP, but the prompt box actually gets loaded so I can read the text, but it locks up if I click ok or cancel. Then I kill IE In the task Manager after a few minutes.
Could my firewall be blocking this type of attack? (WatchGuard)
Right now it doesnt seem like a Proof of Concept, rather just bad website design.
With AJAX we hijack the disk drive and store whatever we want on the user's PC, our "rich client"! Bwahahahaaah!! (Evil Laughs!8-))
Now that the world knows, we must rewrite our apps.
>>There is no patch, but since it is a javascript exploit, you can work around it by disabling javascript."
:)
Dear Mr. Taco,
Would it be that hard to say "You can work around it by using linux instead of windows."?
(This way they would already be protected from the NEXT zero day exploit.)
The government which is strong enough to protect you from everything is strong enough to take everything from you.
I always wondered how long it takes to beat someone to death with a chair.
Now that you've RTFA, and^W^W^W you are now^W looking at the comments page, the staff of Slashdot and EWeek would like to thank you for visiting our web pages and giving us full control of your windows PCs.
Corrected.
Grammar Lesson: you're is a contraction of "you are"; your means you possess something; yore means days gone by.
We snagged them during the dot com bubble.... women flocked to techies/geeks in colleges due to our high earning potential....
Some of us even managed to keep them after the bubble burst....
*Hint, we mastered the 3 C's, Computer, Cooking, and Cleaning.*
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
Once again proving that the heap of steaming dog shit called "Windows XP" remains inferior to Win98SE.
Check out the graphic novels called Transmetropolitan ... somewhat cyberpunk-ish, they've explored these and similar themes. Imagine seeing a TV advertisement that lasts half a second ... and which proceeds to decompress in your subconscious so that you see the ads in your dreams. Ick!!
Relevant links:- May/008466.html- 11-2005h tm
http://lists.seifried.org/pipermail/security/2005
http://www.computerterrorism.com/research/ie/ct21
http://www.computerterrorism.com/research/ie/poc.
I have absolutely zero sympathy for anybody getting hit by the $IE_EXPLOIT_OF_THE_WEEK. The security problems with IE have been publicised ad-nauseum in the popular media and anybody who still allows IE to be used on a computer that they administer deserves all of the crap that they get from using IE.
Firefox 1.0.7
Windows XP SP2
Extensions: IETab, Web Developer Toolbar
Nothing visible happened. No slowdown occurred. No programs were launched. The Javascript console logged an error: "Error: runpoc is not defined".
I'll stick with the low tech option:
Sandwich your beef between two popsicle sticks, held together with rubberbands.
The government which is strong enough to protect you from everything is strong enough to take everything from you.
And thats exactly why i use Multitorg
//WR
I know that I did the right thing ethically but I lost $75 a month in income. Think about it, if all software was completely secure then the computer repair industry would crumble.
Disclaimer: I wrote this post on 1.5 hours of sleep. I probably should have simply closed this browser window and crawled off to bed but I didn't and for that I am truely sorry.
Mod me down with all of your hatred, and your journey towards the dark side will be complete!
At least I was able to. At my work for some strange reason I'm able to "run" an exe from IE, but if I save it and then try to run it then it won't work. So what I did was when I went to the firefox website and I just ran it from that location and I was able to get it up and running. Then I just copied the proxy settings from IE to Firefox and everything worked! :)
My IT guy just said that I can do what I can with my computer and the rights that are given to me, but if there's a problem and it's not one of their company specific applications (i.e. Word, excel, SAP, etc) then they will just format my computer, so in a way that's how I'm liable (if I install something that breaks my computer).
Anyway give it a try!
It doesn't make sense.
Unaffected. Well, IE crashes whenever I view the proof-of-concept, but I chalked that up to coincidence.
Anyone notice that Windows, which is a single-user OS by all accounts, runs multi-user really well once it's infected with something?
When I used to use outlook web access with IE I hated it. It tried to emulate the outlook interface and popped up new windows with the email you wanted to see, with the predictable delay in opening a new window. Why there was any delay is beyond me, if you're writing an IE only web app you should use window.showModalDialog instead of window.open, but there was the normal 1-2 second delay while your message opened. Whereas with Firefox, it acts like normal webmail and is infinitely faster.
BTW, MS didn't serve up a 'crippled' version of the app to non-IE browsers on purpose. When the app was written, IE was the first and only browser to support XMLHTTP requests (albeit thru an ActiveX control), so they literally couldn't expect other browsers to support that method, hence the normal webmail interface for other browsers. I doubt they've done any significant modification to the app since then. Once they revamp hotmail to be an AJAX style interface I certainly hope they roll that into outlook web access, or they'll be giving away free email service that's better than what you can buy from them.
Windows Never Exploited Until Patch Available5 5208&tid=109&tid=172&tid=201
http://it.slashdot.org/article.pl?sid=04/02/26/15
"(just as I respect what the crap she is talking about in her area of expertice...which isn't IT)"
I'm curious, just what *is* the area of expertice of your wife?
Anything the GeekNerds on slashdot would be thrilled about?
Effect of this code:
MS IE : Shell code execution exploit/DOS
Firefox : DoS
Mozilla : DoS
Safari : DoS (Some versions reortedly unaffected)
Opera : *Totally Immune*
Gosh, I'm wasting time here. Ever since I switched to Opera, I *never* had to deal with any of this browser DoS or exploit nonsense. (Yeah its immune to even "while(1) alert('haha');" type of DoS, [CTRL-W] takes care of it.)
- mritunjai
Have you people not got the facts? Browsing the web using Microsoft Windows - and especially when using the excellent Microsoft Internet Explorer is proven to much more secure than using those namby-pamby, tree-hugging, communist hippy programs you can get, like that Linux thing and Firefox. I mean, no-one uses those things anyway, do they? I always make sure that I am fully patched, and that my anti-spyware and anti-virus programs and up to date. Every morning I check through my root-kit and trojan scanner reports, right after my defrag has finished. I know for a fact that this so-called exploit hasn't affected me in th [NO CARRIER]
No javascript no AJAX Bill...
Ho Hum...
realkiwi
... is it confined to just IE, and what, if any, implications does this have for the entire AJAX (Asynchronous JavaScript And XML) stack that is being touted as the Next Big Thing? This would appear to be a problem that lies at a deeper level than just IE, since JavaScript can be used in a number of other places besides this. Is it just the MS version of the JavaScript engine that is at fault, or does it run deeper than this? Anyone care to comment on this?
"Workaround", this is such a nice word... There is a pizza vendor in my city (Budapest, Hungary) called Don Pepe, where the online order requires JavaScript. I have no other way to order pizza from them. And they have really good food. What MS is suggesting is to drop ordering pizza from them. So, to see it clear: Microsoft does have bugs in their software. The solution they recommend is to stop ordering my dinner from the place I want to, and do otherwise (go to a restaurant, or whatever). So, what they suggest is changing the way I live is a correct solution to a bug in their software... it means people should adapt to software, not the other way around... amazing...
Apparently K-Meleon is immune to this kind of flaw?
Just tried it with WinXP (no service packs installed) and it gives me a Java window and continues to try to load, but doesn't lock up anything, or use much proc time.
There is no patch, but since it is a javascript exploit, you can work around it by disabling javascript.
Or by not using IE in the first place.
"Grab them by the pussy" -- President of the United States of America
Some of us are still on mainframes and are very happy we didn't switch. Unlike yuo, we didn't cross over to the toy side.
I am not compelled to believe his doom scenario. He basically states that if a virus is produced that wipes out Windows users' data, this will lead to the introduction of legislation that will mandate hardware security features that make it impossible to run Linux (under the guise of improving security). This theory has one thing going for it: the hardware security features have already been proposed by Microsoft.
Where it breaks down is that Congress won't pass a law that makes it impossible to run Linux, and even if they do, it won't be enforced. Linux is too firmly entrenched in the business world nowadays for such legislation to be viable.
I seriously think that a virus that wiped out people's data would be a good wake-up call to finally convince people that security _is_ a problem and it _does_ affect them. Now, before you all start coding, you have to ask yourself - do you have a solution? Do you know for a fact that there is an operating system that would not be susceptible to a similar attack? I, myself, would answer that question in the negative.
Remember: "Many that live deserve death. And some that die deserve life. Can you give it to them? Then do not be too eager to deal out death in judgment. For even the very wise cannot see all ends." -- Gandalf
Please correct me if I got my facts wrong.
www.pimpmysafari.com
'Access is denied'
Firefox 1.5 rc3 instantly crashed
go figure...
A popup blocker should stop any new windows opening, ie. disable anything that can be done with the window() function. How hard is this? IE claims it has popup blocking in its latest version.
Even with the latest stable Firefox, and popup blocking enabled, I still get popups appearing from time to time.
... remember to take a good supply of OpenCDs for the relatives at the thanksgiving table this year.
They're a useful response to nearly every IE-related question you'll be asked.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
To make sure that either:
1) Nobody patches it till next week
Or
2) Someone has to work on a holiday.
I'll bet some Mozilla.org hacker writes a fix in the next day or so though, just fer fun! I wonder if the DoS is a windows only or Windows and Linux DoS. I may have to read the FirSt report again just to find out.
I take no responsibility for what I say. Even though I'm never wrong
Yep, it dos's linux's firefox
Oh Well. I guess I can't bash $M on this one, although I've noticed everyone else is. Maybe I'll Bash $M anyway, just outta principle! LOL
I take no responsibility for what I say. Even though I'm never wrong
Because IE is the only browser using a display library which has a security model of "wait until you're deep in the system's shared libraries and THEN try and figure out where the code you're about to run came from" instead of "don't implement a mechanism to allow code out of the sandbox, leave that decision to the application that called you".
This was such an obviously bad idea even back in 1997 that I'm still boggled by the fact that anyone with any understanding of programming runs IE or allows their users to run it.
Comment removed based on user account deletion
...I use NoScript.
I wonder if the DoS is a windows only or Windows and Linux DoS.
It locks up mozilla under Linux. It doesn't crash, 100% cpu usage. strace shows it stuck in a mremap() loop.
Enjoy.
It's just the normal noises in here.
Very few posts deserve a +6, Funny, but the parent may be one of them.
"Listen, honey, Internet Explorer leaves the computer vulnerable to hackers who will sneak disgusting pornography onto our computer. . ."
That way, if you slip up and don't cover your tracks carefully enough, if she insists on using IE anything she finds on the computer is HER FAULT!!!
I see so many IE exploits that everyone says are so horrible. It's getting to the point where I don't see anyone even mention if the exploit causes a problem if the user running IE is signed into Windows as a non-administrative user.
Unix guys avoid getting screwed a LOT by not running as root. They consider people who run as root idiots. Well, people who log into Windows as an administrator on their home machine (or any machine where they don't have to do funky stuff with the OS all the time like engineer and test software) are idiots. Even if they don't know any better.
So, tell me, if someone is logged into windows as a non-administrator user, runs IExplore with no patch, and goes to one of these web pages, does it toast their machine?
I use firefox 1.0.7
:( without the usual warning.
It opened a pop up that closed everything when I closed it
will try rc3
Men are born ignorant, not stupid; they are made stupid by education. Bertrand Russel
A remote IE exploit with implementations is currently in the wild
I can hardly see why this is considered as "news".
if bill gates is reading any of this.
I guess you're safe then. Oh wait..
[DSA 874-1] New lynx packages fix arbitrary code execution
October 27th, 2005
Ulf Härnhammar discovered a buffer overflow in lynx, a text-mode
browser for the WWW that can be remotely exploited. During the
handling of Asian characters when connecting to an NNTP server lynx
can be tricked to write past the boundary of a buffer which can lead
to the execution of arbitrary code.
---
Of course, at least there's a fix before the exploit on this one.
I know, that drives me crazy too. I have often been accused of "hacking" the public computers at my library while turning up the refresh rate. As a side note, Ubuntu doesn't get the refresh rate right either, though Suse seems to work fine.
There's a very good Onion article on this subject.
I use crystal meth..