Zero-Day IE Exploit Takes Control of PCs

← Back to Stories (view on slashdot.org)

Zero-Day IE Exploit Takes Control of PCs

Posted by CmdrTaco on Tuesday November 22, 2005 @02:51AM from the here-we-go-again dept.

anethema writes "A remote IE exploit with implementations is currently in the wild. From the article: 'Exploit code for a critical flaw in fully patched versions of Microsoft Corp.'s Internet Explorer browser has been released on the Internet, putting millions of Web surfers at risk of computer hijack attacks.' Aparently all you have to do is browse the page to be affected. There is no patch, but since it is a JavaScript exploit, you can work around it by disabling JavaScript."

27 of 567 comments (clear)

Min score:

Reason:

Sort:

This is why... by wpiman · 2005-11-22 02:53 · Score: 5, Insightful

I use Firefox.
1. Re:This is why... by csgames · 2005-11-22 03:06 · Score: 2, Insightful
  
  This is why, if you try the PoC with FF1.0.7 or 1.5RC3, FF CPU usage will rise to 100%, DoS'ing it. These stupid FF r0x0rs comments are becoming more and more dull every day.
2. Re:This is why... by HairyCanary · 2005-11-22 03:18 · Score: 4, Insightful
  
  Yes, the FF r0x0rs comments are redundant. Even more so are the responses to those comments that suggest that FF crashing has anywhere even approaching the same level of impact as an IE exploit that allows remote control to be taken of the affected computer.
3. Re:This is why... by SpectralDesign · 2005-11-22 03:49 · Score: 2, Insightful
  
  I don't use javascript
  
  --
  Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind. - Dr. Seuss
4. Re:This is why... by MS-06FZ · 2005-11-22 04:18 · Score: 2, Insightful
  
  I tried the PoC with FF1.0.7 and the DoS didn't NMS on any of my PCs, instead the FUHB BYKJFN MJNAJH on the NBoRX and your post is so dense with acronyms I have no idea what you're saying. I wish there were a moderation option for "-1: Unintelligible"
  
  --
  ---GEC
  I'm but the humble pupil, seeking to snatch the scratchbuilt pebble from the master's fully articulated hand
5. Re:This is why... by onepoint · 2005-11-22 04:44 · Score: 2, Insightful
  
  Tin Foil Hat's have been proven to increase the range of reception and transmission.
  
  go with the F-cage
  
  Onepoint
  
  --
  if you see me, smile and say hello.
Ouch. by Pxtl · 2005-11-22 02:53 · Score: 4, Insightful

Remember when web browsers were just for viewing HTML pages, and not as a platform agnostic instant-rollout applications platform?

Yeah, me neither.
1. Re:Ouch. by Malc · 2005-11-22 03:04 · Score: 2, Insightful
  
  Yeah, I remember all those white pages with black text and blue links. Back when every nerd had to have a personal web site.
  
  Thanks goodness browsers and the WWW got beyond academia because even with all the shit we have to put up with today (like this JScript exploit), the experience is far better and vastly outweighs the problems. Of course, there will always a small number of irrelevant people who like to portray themselves as elite by complaining about how the concept of the browser has changed. I really don't miss the early web with Mosaic downloading slowly and Netscape with its pulsing N, and lots of very bad personal web pages. I really don't need to use Lynx either.
  
  Oh, and no I'm not forgetting that there are people trying to browse the web on mobile devices with ridiculously small screen. Good luck to you! But, I don't see why every web page should cater to the lowest common denominator.
2. Re:Ouch. by Anonymous Coward · 2005-11-22 04:27 · Score: 2, Insightful
  
  Yeah, I remember all those white pages with black text and blue links. Back when every nerd had to have a personal web site. ...
  But, I don't see why every web page should cater to the lowest common denominator.
  
  http://www.google.com/
  
  ^^^NERDS! Obviously their business will fail.
3. Re:Ouch. by pen · 2005-11-22 10:13 · Score: 2, Insightful
  
  If you are remembering white (instead of gray) pages, you're obviously new to the WWW. ;-)
...or by not using Internet Explorer by LoaTao · 2005-11-22 02:56 · Score: 2, Insightful

Seriously. I know that IE's market share is still huge, but for the life of me I can't understand why.

--
The smartest man in the whole, wide world really don't know that much. - Mose Allison
1. Re:...or by not using Internet Explorer by dwandy · 2005-11-22 03:05 · Score: 4, Insightful
  
  IE's market share is still huge, but for the life of me I can't understand why.
  
  Take Preinstalled Browser,
  Add to Lazy User,
  and mix in a healthy dose of Ignorance.
  Alternate Receipe:
  Take Preinstalled Browser,
  Add Fear Of Change.
  Despite having Firefox installed at home, my wife insists on MSExploder .... I think the linux migration time-table is getting shortened.
  
  --
  If you think imaginary property and real property are the same, when does your house become public domain?
2. Re:...or by not using Internet Explorer by Darth+Maul · 2005-11-22 03:29 · Score: 4, Insightful
  
  but for the life of me I can't understand why.
  
  It's very, very simple. People are stupid and lazy.
  
  --
  --- witty signature
3. Re:...or by not using Internet Explorer by GweeDo · 2005-11-22 03:57 · Score: 4, Insightful
  
  Despite having Firefox installed at home, my wife insists on MSExploder
  
  I don't understand this. You aren't the first person to tell me their Wife doesn't wanna run Firefox. You know what I did. I said to my wife "Wife. IE will break the computer and then I will have to spend all night fixing it rather than doing whatever else it is you wanted me to do.". My wife actually respects that I know what the crap I am talking about (just as I respect what the crap she is talking about in her area of expertice...which isn't IT) and goes with what I say.
  
  Why don't you people just try explaining the problems to your wife and get over it?
  
  --
  Unstable Apps: Our Android Apps Don't Suck
I hope this gets into a doubleclick ad by WhiteWolf666 · 2005-11-22 02:59 · Score: 4, Insightful

/evil on

That'd be SO funny

Someday, an IE exploit is going to come along that wipes your HD. Then we'll see sparks fly. /evil off

--
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
Re:The facts please by Prospero's+Grue · 2005-11-22 03:07 · Score: 4, Insightful

On story like this, we need the facts, period. No hype, rhetoric or personal opinions. Only the facts please, because I know members are going to tout the "other browser" as the safer one.
Now, mod me whatever you want, but the info you provide should be FACTS.
Fact: A critical security flaw has been found in IE, and the SANS ISC is recommending that people use one of the "other browsers".
Howzat?

--
The opinion above is fiction. Any similarity to real opinions, including facts and logic, is purely coincidental.
Re:Link to a copy? by artifex2004 · 2005-11-22 03:07 · Score: 3, Insightful

I want to use it on school computers - they wwould just be getting what they deserve for flat-out refusing requests to get Firefox installed.

So you'd deliberately and maliciously cause problems, just to prove you were on some imaginary moral high ground?
Gah! by Anonymous Coward · 2005-11-22 03:08 · Score: 5, Insightful

users do, but they're much further down the food chain

Except that regular users comprimise a greater number of Internet users. So if Joe Average uses IE, more people are going to be affected by this flaw.

we'll get the usual set of arguments about browser and OS supremacy.

If something has fewer security problems, isn't it "superior" in that respect?

If you can't trust Lynx to be secure, then really nothing is secure.

Right. Because if something has one flaw, then you might as well not even bother trying, because everything has flaws. I mean, just because IE has had double-or-triple-digit flaws, clearly this one flaw in lynx makes all arguments against IE moot.

What an inane comment.
Say goodnight, AJAX by ptomblin · 2005-11-22 03:11 · Score: 2, Insightful

Just when I'm considering using more AJAX stuff on my web site, along comes another in a long line of Javascript vulnerabilities. Maybe it's not time to do AJAX. Or to make it lock out IE browsers.

--
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
1. Re:Say goodnight, AJAX by ptomblin · 2005-11-22 03:49 · Score: 4, Insightful
  
  So? When 90% of your "customers" are being told that they either turn off Javascript or get a virus, it doesn't matter whether the problem is with Javascript or IE - either way, there is no return for adding AJAX features to a web site. I'd rather spend my precious development resources on non-AJAX features that benefit everybody.
  
  --
  The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
Re:I don't care by RingDev · 2005-11-22 03:14 · Score: 2, Insightful

Take off the tin foil hat. The amount of work it would take to write such an exploit would be huge and would only get a tiny fraction of the market. There's no profit in it, there's no notoriety for it.

Why rob a bank? Because that's where the money is.

Why write viri for Windows/IE? Because that's where the users are.

-Rick

--
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
My IE not at risk by MandoSKippy · 2005-11-22 04:01 · Score: 2, Insightful

In my network, we use group policies to enforce all computers browse the Internet at the high level. What happens when a user needs JS? Well they send the admin a email, and if the site is legit, we add to the global trusted sites...

Block all, only allow what is legitimate.

A security principal we should be using... Whitelists are much better then black lists.

This vuln will only affect my network if one of the trusted sites gets infected, but that is a much reduced risk from the phishin emails etc with links to bad sites... I.e., like anything is only as secure as how the administrator configured it.

Now for home users.. Microsoft WHAT THE HELL ARE YOU THINKING /shrug felt good to say at least.
1. Re:My IE not at risk by lgw · 2005-11-22 07:05 · Score: 2, Insightful
  
  Is a house with no doors or windows secure? Only if you're an idiot. Security is the ratio of difficulty of access by authorized vs. unauthorized users. Adding a process that makes it more difficult for both adds no security, it merely makes your users hate you.
  
  The damn data janitors around here forget their job is first to provide a useful network.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
Re:The facts please by hotdiggitydawg · 2005-11-22 04:05 · Score: 3, Insightful

Fact: this bug was reported six months ago, but it is only now that someone has publicly shown how to use it to run arbitrary code.

Who knows how long other people have been exploiting this bug - potentially in ways not involving Javascript as well?
Insecure.. firefox.. by Anonymous Coward · 2005-11-22 04:06 · Score: 1, Insightful

So please remind me again why I can't set javascript policy on a site by site basis in firefox?

You know, javascript on for some sites, off as the default.
Re:I don't care by RingDev · 2005-11-22 05:22 · Score: 2, Insightful

"Because the first choice is ridiculously, brain-dead easy. That's why."

You are implying that the person breaking the law has an average level of intellegence. Haven't you seen "Maximum Exposure", "Real Police Videos", or any of the other caught on tape shows. They prove one thing, most criminals are dumb. True, there are a few gems in the rough, but by and large, the criminal element of society is not the brightest bulb in the box.

"Where's the notoriety in this? Oooh. I hacked a windows box. I'm so l33t."

Try, I hacked 3.4 million Windows boxes. I'm so l33t. I now have a bot network that can cripple massive pipes. Spam emails to millions of people per hour. Shut down major media outlets. Decimate online services (sales/games/gambling). Run distributed key cracking engines, etc.

Compared to: I hacked 20 debian boxes. I can flex my online epeen and spam an IRC channel!

CNN doesn't care about 20 nuebs who left their systems unsecured. CNN doesn't even care about Windows vulnerbilities. CNN cares about the monitary impact. So CNN will report on the person who creates a huge botnet and attacks high profile online organizations with it.

-Rick

--
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Re:This code by Anonymous Coward · 2005-11-22 06:08 · Score: 2, Insightful

It won't exactly DOS Firefox - it just takes gecko an inordinantly long time (1-2 minutes) to render the 200,000 unicode characters on screen in this specific instance. The mozilla devs have already traced down the cause and are working on a fix. (Bug 317334 for those interested.)