Slashdot Mirror


Zero-Day IE Exploit Takes Control of PCs

anethema writes "A remote IE exploit with implementations is currently in the wild. From the article: 'Exploit code for a critical flaw in fully patched versions of Microsoft Corp.'s Internet Explorer browser has been released on the Internet, putting millions of Web surfers at risk of computer hijack attacks.' Apparently all you have to do is browse the page to be affected. There is no patch, but since it is a JavaScript exploit, you can work around it by disabling JavaScript."

107 of 567 comments

  1. This is why... by wpiman · · Score: 5, Insightful

    I use Firefox.

    1. Re:This is why... by Anonymous Coward · · Score: 3, Funny

      This is why I use a mainframe. Micros are just toys, bad enuff they have crummy hardware but their software is crap too.

    2. Re:This is why... by msdschris · · Score: 5, Funny

      I use telnet and render the HTML mentally.

    3. Re:This is why... by buswolley · · Score: 2, Funny

      I use CowboyNeal. --oops.

      --

      A Good Troll is better than a Bad Human.

    4. Re:This is why... by ZiakII · · Score: 3, Funny

      I use lynx....

    5. Re:This is why... by csgames · · Score: 2, Insightful

      This is why, if you try the PoC with FF1.0.7 or 1.5RC3, FF CPU usage will rise to 100%, DoS'ing it. These stupid FF r0x0rs comments are becoming more and more dull every day.

    6. Re:This is why... by aicrules · · Score: 3, Funny

      Only to be stricken by sloppy internal perception code causing random synapse firings building to a pace that you suddenly just start breakdancing.

    7. Re:This is why... by Scoth · · Score: 5, Funny

      You say that in jest, but imagine the possibilities for exploits when/if we get to the point of direct neural implants for communications and such. Just imagine, instead of porn popups, lockups, and reboots we'll have people suddenly yelling about viagra at the top of their lungs, freezing up and falling over mid-stride, and suddenly forgetting where they are.

      Maybe anyway :)

    8. Re:This is why... by Anonymous Coward · · Score: 5, Funny

      You've met my grandfather, I take it.

    9. Re:This is why... by andreMA · · Score: 5, Funny

      Two of those three would apply to the current crop of US politicians. All three if you count Bob Dole.

    10. Re:This is why... by HairyCanary · · Score: 4, Insightful

      Yes, the FF r0x0rs comments are redundant. Even more so are the responses to those comments that suggest that FF crashing has anywhere even approaching the same level of impact as an IE exploit that allows remote control to be taken of the affected computer.

    11. Re:This is why... by nyc_paladin · · Score: 3, Informative
      --
      All that is necessary for the triumph of evil is that good men do nothing. --Edmund Burke
    12. Re:This is why... by lordofthechia · · Score: 5, Funny

      "I use telnet and render the HTML mentally."

      You get used to it. I don't even see the code. All I see is blonde, brunette, redhead.

      --
      Georgia Tech, the leader in Chia(tm) technology.
    13. Re:This is why... by lordofthechia · · Score: 5, Funny

      I phone the webmaster and ask him to read me the webpage.

      --
      Georgia Tech, the leader in Chia(tm) technology.
    14. Re:This is why... by HogynCymraeg · · Score: 2, Funny
      I use telnet and render the HTML mentally.

      IRCers who talk to "Babes" have been using this technique for years!!!
    15. Re:This is why... by SpectralDesign · · Score: 2, Insightful

      I don't use javascript

      --
      Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind. - Dr. Seuss
    16. Re:This is why... by glebd · · Score: 2, Funny

      Asylums are full of crashed brains.

    17. Re:This is why... by OakDragon · · Score: 5, Funny

      There is an exploit that my computer suffers from every day. It's called the 'Slash.ORG' worm, and it doesn't matter what kind of browser you use. Once the browser navigates to a certain website, it tends to stay there, refreshing as needed. It's called a DoPE attack, or 'Denial of Productivity for Employer.'

    18. Re:This is why... by MS-06FZ · · Score: 2, Insightful

      I tried the PoC with FF1.0.7 and the DoS didn't NMS on any of my PCs, instead the FUHB BYKJFN MJNAJH on the NBoRX and your post is so dense with acronyms I have no idea what you're saying. I wish there were a moderation option for "-1: Unintelligible"

      --
      ---GEC
      I'm but the humble pupil, seeking to snatch the scratchbuilt pebble from the master's fully articulated hand
    19. Re:This is why... by orangesquid · · Score: 4, Interesting

      Why not just put your IE and web stuff in a special subtree and chroot before fork+exec'ing?

      Oh, wait, does windows even have anything like that...?

      I'm not trying to start a flame war, I'm honestly wondering.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    20. Re:This is why... by onepoint · · Score: 2, Insightful

      Tin Foil Hats have been proven to increase the range of reception and transmission.

      go with the F-cage

      Onepoint

      --
      if you see me, smile and say hello.
    21. Re:This is why... by flamingweasel · · Score: 2, Funny

      You're using the PHONE? Fool!

      --
      Cthulhu loves you.
    22. Re:This is why... by b4k3d+b34nz · · Score: 2, Interesting

      I know the Firefox fanboys won't care, but Opera opens the proof of concept page without a DoS.

      Yes, I realize that saying this makes me an Opera fanboy.

      --
      Grammar Lesson: you're is a contraction of "you are"; your means you possess something; yore means days gone by.
    23. Re:This is why... by galego · · Score: 2, Funny
      I use telnet and render the HTML mentally.

      In Soviet Russia, the HTML render you!

      --

      Que Deus te de em dobro o que me desejas

      [May God give you double that which you wish for me]

    24. Re:This is why... by zachdms · · Score: 5, Informative

      Check out DropMyRights - should be exactly what you want.

    25. Re:This is why... by caulfield · · Score: 3, Funny

      The phones are tapped.

      US Mail, baby.

      Didn't anyone see The Postman

    26. Re:This is why... by psyon1 · · Score: 2, Funny

      Man, you people and your technology. I send a request to the web master via carrier pigeon, and he sends the contents of the site back.

    27. Re:This is why... by Old+Wolf · · Score: 2, Funny

      Didn't anyone see The Postman

      Sorry, the total costner of 0wnership was too high.

  2. Ouch. by Pxtl · · Score: 4, Insightful

    Remember when web browsers were just for viewing HTML pages, and not as a platform agnostic instant-rollout applications platform?

    Yeah, me neither.

    1. Re:Ouch. by Overzeetop · · Score: 2, Interesting

      Well, actually, yeah. I remember back in the early 90s when a secretary showed me this Mosaic thing she'd found. I told her it looked interesting, but that I could get anything I needed off of gopher. It didn't seem like anything that would take off. Fast forward a year or so, and I remarked to a couple of friends, after starting to use Mosaic and looking at HTML, that in a couple of years you'd see web addresses instead of 800 numbers in advertising pretty soon. They looked at me like I told them computers would grow legs and walk around the office. 0.500 isn't too bad, right?

      No real point to this post - just an old fart trying to avoid real work by surfing slashdot...

      --
      Is it just my observation, or are there way too many stupid people in the world?
    2. Re:Ouch. by Malc · · Score: 2, Insightful

      Yeah, I remember all those white pages with black text and blue links. Back when every nerd had to have a personal web site.

      Thank goodness browsers and the WWW got beyond academia because even with all the shit we have to put up with today (like this JScript exploit), the experience is far better and vastly outweighs the problems. Of course, there will always be a small number of irrelevant people who like to portray themselves as elite by complaining about how the concept of the browser has changed. I really don't miss the early web with Mosaic downloading slowly and Netscape with its pulsing N, and lots of very bad personal web pages. I really don't need to use Lynx either.

      Oh, and no, I'm not forgetting that there are people trying to browse the web on mobile devices with ridiculously small screens. Good luck to you! But I don't see why every web page should cater to the lowest common denominator.

    3. Re:Ouch. by s20451 · · Score: 2, Interesting

      Yeah, I remember all those white pages with black text and blue links. Back when every nerd had to have a personal web site.

      I may be a nerd, but I like to think of my page design as "clean" and "fast-loading", thank you very much.

      --
      Toronto-area transit rider? Rate your ride.
    4. Re:Ouch. by pen · · Score: 2, Funny

      I read that address as "awreckedford.com".

    5. Re:Ouch. by TheRealMindChild · · Score: 5, Funny
      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    6. Re:Ouch. by timeOday · · Score: 2, Funny

      Gettin' kinda fancy with the horizontal rule, ain't ya?

    7. Re:Ouch. by Yartrebo · · Score: 2, Interesting

      Sure is fast I must say. About 200-250 ms load time vs as long as 10 seconds (mostly rendering time, not download time) for some news sites and other ill-designed sites.

      And I have a fast (1.8 GHz processor running Konqueror) setup and broadband. I can just imagine the difference if I was on an old sub-GHz machine or on dial up. I'm also using Konqueror. For the odd site that doesn't work (forcing me to resort to Firefox), the render time is substantially increased.

    8. Re:Ouch. by Anonymous Coward · · Score: 2, Insightful
      Yeah, I remember all those white pages with black text and blue links. Back when every nerd had to have a personal web site. ...
      But, I don't see why every web page should cater to the lowest common denominator.


      http://www.google.com/

      ^^^NERDS! Obviously their business will fail.
    9. Re:Ouch. by cloudmaster · · Score: 3, Interesting

      You have a strange definition of "better" if you think that using flash and graphics where text makes sense is "better". Hooray for wasting bandwidth in order to provide a "media-rich" experience, when utilizing actual valid HTML would work just as well *and* provide a means of formatting for a variety of different output devices.

      You don't have to design to the "lowest common denominator" if you use proper HTML 4.1 with CSS, but you do have to think about making a page that degrades gracefully. It's not really even hard - but thanks to IE and Netscape adding their own screwy tags + cheerfully accepting ill-formed HTML, web developers are among the laziest, worst informed developers around. Yeah, things sure are better now.

    10. Re:Ouch. by springbox · · Score: 3, Informative
      I may be a nerd, but I like to think of my page design [andreweckford.com] as "clean" and "fast-loading", thank you very much.

      Import a CSS on every page and you can get a nicer looking layout with little cost. "Small in size" and "fast loading" does not necessarily mean "default color scheme."

    11. Re:Ouch. by pen · · Score: 2, Insightful

      If you are remembering white (instead of gray) pages, you're obviously new to the WWW. ;-)

  3. And as usual... by Billosaur · · Score: 5, Funny

    From eWeek: The group that published the exploit said Microsoft has been aware of the Javascript Window() vulnerability for several months but was mistakenly treating it as a low-priority denial-of-service flaw.

    Because anything that allows a malicious user to exploit your system and hijack isn't a flaw... it's a feature!

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:And as usual... by meringuoid · · Score: 4, Funny
      Because anything that allows a malicious user to exploit your system and hijack isn't a flaw... it's a feature!

      This kind of thinking is extremely $sys$profitable irresponsible.

      --
      Real Daleks don't climb stairs - they level the building.
    2. Re:And as usual... by zootm · · Score: 5, Funny

      This kind of thinking is extremely $sys$profitable irresponsible.

      My god, Sony have provided a viable Windows alternative to the old ^W^W^W^W *nix joke... it's worse than we thought!

    3. Re:And as usual... by mazarin5 · · Score: 5, Funny
      My god, Sony have provided a viable Windows *nix joke

      Huh?

      --
      Fnord.
    4. Re:And as usual... by Ibix · · Score: 4, Funny
      This kind of thinking is extremely $sys$profitable irresponsible.

      "I have seen the fnords..."

      I

  4. I'm glad to see that by WhiteWolf666 · · Score: 3, Funny

    Microsoft's total time of 0wnerzship continues to decrease.

    Its important for MS to keep ahead in this area.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    1. Re:I'm glad to see that by xtracto · · Score: 2, Informative
      --
      Ubuntu is an African word meaning 'I can't configure Debian'
  5. ...or by not using Internet Explorer by LoaTao · · Score: 2, Insightful

    Seriously. I know that IE's market share is still huge, but for the life of me I can't understand why.

    --
    The smartest man in the whole, wide world really don't know that much. - Mose Allison
    1. Re:...or by not using Internet Explorer by dwandy · · Score: 4, Insightful
      IE's market share is still huge, but for the life of me I can't understand why.

      Take Preinstalled Browser,
      Add to Lazy User,
      and mix in a healthy dose of Ignorance.

      Alternate Recipe:
      Take Preinstalled Browser,
      Add Fear Of Change.

      Despite having Firefox installed at home, my wife insists on MSExploder .... I think the linux migration time-table is getting shortened.

      --
      If you think imaginary property and real property are the same, when does your house become public domain?
    2. Re:...or by not using Internet Explorer by Darth+Maul · · Score: 4, Insightful

      but for the life of me I can't understand why.

      It's very, very simple. People are stupid and lazy.

      --
      --- witty signature
    3. Re:...or by not using Internet Explorer by dallask · · Score: 5, Funny

      solution:
      Buy sony cd,
      install rootkit
      rename Explorer to $sys$explorer.exe

      --
      The Code Ninja is swift with his tool, precise in his delivery, and deadly accurate in his execution.
    4. Re:...or by not using Internet Explorer by GweeDo · · Score: 4, Insightful

      Despite having Firefox installed at home, my wife insists on MSExploder

      I don't understand this. You aren't the first person to tell me their wife doesn't wanna run Firefox. You know what I did? I said to my wife "Wife. IE will break the computer and then I will have to spend all night fixing it rather than doing whatever else it is you wanted me to do." My wife actually respects that I know what the crap I am talking about (just as I respect what the crap she is talking about in her area of expertise... which isn't IT) and goes with what I say.

      Why don't you people just try explaining the problems to your wife and get over it?

  6. Is there a tenor in the house? by MikeMacK · · Score: 5, Funny
    The SANS ISC's Ullrich said IE users should consider switching to Firefox of Opera.

    Ah, the Firefox of Opera - who is that, Pavarotti?

    1. Re:Is there a tenor in the house? by Killjoy_NL · · Score: 2, Informative

      Could have been written by a Dutch guy since of=or in Dutch :)

      --
      This is the sig that says NI (again)
  7. This is why... by MartinG · · Score: 5, Funny

    I use netcat.

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
  8. Oh no.. by Dynamoo · · Score: 3, Interesting
    Oh no.. here we go again. No, it's not that there's another flaw in IE that I say that because some things are inevitable.. death, taxes and IE flaws. But any self-respecting IT professional or geek won't be using IE anyway. Sure.. users do, but they're much further down the food chain.

    No, the reason I'm saying it is that this being Slashdot we'll get the usual set of arguments about browser and OS supremacy. Again. It's like Groundhog Day!

    Shucks, everything has security flaws. Yeah, some more than others. To be honest, I found it more of a shock that Lynx has a security flaw. If you can't trust Lynx to be secure, then really nothing is secure. Except unplugging your computer and putting it back in the box, perhaps.

    --
    Never email donotemail@WeAreSpammers.com
  9. Thank you by steveo777 · · Score: 5, Funny

    Now that you've read the comments, your Windows box belongs to OSTG. Please stand by while we load Linux.........

    --
    This sig isn't original enough, it's time to come up with something witty...
    1. Re:Thank you by lahvak · · Score: 2, Funny

      It didn't work!

      --
      AccountKiller
  10. Give it 5 by intmainvoid · · Score: 4, Funny
    We have also been made aware of proof of concept code that could seek to exploit the reported vulnerability but are not aware of any customer impact at this time

    Well, there might be no customer impact at this time, but seeing as the exploit is published now, can I ask you again in about 5 minutes?

    1. Re:Give it 5 by intmainvoid · · Score: 4, Interesting

      Have you had a look at the source on a slashdot page recently?

              _uacct = "UA-32013-5";
              urchinTracker();

    2. Re:Give it 5 by Anonymous Coward · · Score: 2, Informative

      This is the code for Google Analytics. http://www.google.com/analytics/ There's nothing to see here.

    3. Re:Give it 5 by MemeRot · · Score: 2, Interesting

      Interesting. I know Slashdot breaks their million page view per month limit (like in a couple hours), and I thought only users of AdWords were exempt from that limit? What's the deal guys? Anyone know anything else about Google Analytics?

  11. In other news by epsalon · · Score: 3, Funny

    The sun has risen this morning, and the Earth is rotating around its axis.

    Nothing to see here - move along.

  12. This is why... by BushCheney08 · · Score: 5, Funny

    I don't browse the web.

    --
    Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
  13. I hope this gets into a doubleclick ad by WhiteWolf666 · · Score: 4, Insightful

    /evil on

    That'd be SO funny

    Someday, an IE exploit is going to come along that wipes your HD. Then we'll see sparks fly. /evil off

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    1. Re:I hope this gets into a doubleclick ad by Xarius · · Score: 4, Informative

      I know he's considered as a bit of a prick, but ESR explains exactly why this would be one of the worst things that could happen here.

      Make of it what you will.

      --
      C17H21NO4
  14. good example of why Microsoft is bad at security? by diegocgteleline.es · · Score: 4, Interesting

    This exploit exploits a vulnerability in an already found denial-of-service attack which Microsoft classified six months ago as "low-priority"...

  15. Zero-day? No. by MoNickels · · Score: 3, Informative

    The original article and the Slashdot headline are wrong. It's not a "zero-day exploit." The article itself says, "The group that published the exploit said Microsoft has been aware of the Javascript Window() vulnerability for several months but was mistakenly treating it as a low-priority denial-of-service flaw." A zero-day exploit is one that is discovered or revealed the day software becomes available, be it brand-new software, an update, a patch, or a service pack.

    --

    Wordnik, a dictionary project which aims to collect

    1. Re:Zero-day? No. by Anonymous Coward · · Score: 2, Informative

      No.

      A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known. Ordinarily, after someone detects that a software program contains a potential exposure to exploitation by a hacker, that person or company can notify the software company and sometimes the world at large so that action can be taken to repair the exposure or defend against its exploitation. Given time, the software company can repair and distribute a fix to users. Even if potential hackers also learn of the vulnerability, it may take them some time to exploit it; meanwhile, the fix can hopefully become available first.

  16. Re:The facts please by Prospero's+Grue · · Score: 4, Insightful
    On a story like this, we need the facts, period. No hype, rhetoric or personal opinions. Only the facts please, because I know members are going to tout the "other browser" as the safer one.

    Now, mod me whatever you want, but the info you provide should be FACTS.

    Fact: A critical security flaw has been found in IE, and the SANS ISC is recommending that people use one of the "other browsers".

    Howzat?

    --
    The opinion above is fiction. Any similarity to real opinions, including facts and logic, is purely coincidental.
  17. Re:Link to a copy? by artifex2004 · · Score: 3, Insightful
    I want to use it on school computers - they would just be getting what they deserve for flat-out refusing requests to get Firefox installed.

    So you'd deliberately and maliciously cause problems, just to prove you were on some imaginary moral high ground?

  18. This code by paranode · · Score: 4, Informative

    Will DOS Firefox. Not as bad as an exploit but they have issues to fix as well.

    1. Re:This code by vear · · Score: 3, Funny

      MS-DOS or DR-DOS? I don't know which one is worse.

    2. Re:This code by byolinux · · Score: 2, Funny

      You insensitive clod, I have to use Arachne with FreeDOS.

    3. Re:This code by Anonymous Coward · · Score: 2, Insightful

      It won't exactly DOS Firefox - it just takes gecko an inordinately long time (1-2 minutes) to render the 200,000 unicode characters on screen in this specific instance. The mozilla devs have already traced down the cause and are working on a fix. (Bug 317334 for those interested.)

  19. Gah! by Anonymous Coward · · Score: 5, Insightful

    users do, but they're much further down the food chain

    Except that regular users comprise a greater number of Internet users. So if Joe Average uses IE, more people are going to be affected by this flaw.

    we'll get the usual set of arguments about browser and OS supremacy.

    If something has fewer security problems, isn't it "superior" in that respect?

    If you can't trust Lynx to be secure, then really nothing is secure.

    Right. Because if something has one flaw, then you might as well not even bother trying, because everything has flaws. I mean, just because IE has had double-or-triple-digit flaws, clearly this one flaw in lynx makes all arguments against IE moot.

    What an inane comment.

  20. DUPE! by andreMA · · Score: 3, Funny

    Oh, wait... it just seems that way. Carry on...

  21. lazy story submitters by mapmaker · · Score: 5, Funny
    Aparently all you have to do is browse the page to be affected.

    What, no link?

    1. Re:lazy story submitters by tpgp · · Score: 3, Informative
      --
      My pics.
  22. Re:Link to a copy? by tomasvilda · · Score: 4, Informative
  23. Say goodnight, AJAX by ptomblin · · Score: 2, Insightful

    Just when I'm considering using more AJAX stuff on my web site, along comes another in a long line of Javascript vulnerabilities. Maybe it's not time to do AJAX. Or to make it lock out IE browsers.

    --
    The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
    1. Re:Say goodnight, AJAX by ptomblin · · Score: 4, Insightful

      So? When 90% of your "customers" are being told that they either turn off Javascript or get a virus, it doesn't matter whether the problem is with Javascript or IE - either way, there is no return for adding AJAX features to a web site. I'd rather spend my precious development resources on non-AJAX features that benefit everybody.

      --
      The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
  24. Browser? by cloudkiller · · Score: 2, Funny

    IE? I don't have that; I use Windows.

    --
    [an error occurred while processing this sig]
  25. Thank you by nealfunkbass · · Score: 4, Funny

    The holidays are a time for giving.

    Now that you've RTFA, and you are now looking at the comments page, the staff of Slashdot and EWeek would like to thank you for visiting our web pages and giving us full control of your windows PCs.

    Happy Holidays!

    --
    - Donny was a good bowler, and a good man.
  26. Re:I don't care by RingDev · · Score: 2, Insightful

    Take off the tin foil hat. The amount of work it would take to write such an exploit would be huge and would only get a tiny fraction of the market. There's no profit in it, there's no notoriety for it.

    Why rob a bank? Because that's where the money is.

    Why write viri for Windows/IE? Because that's where the users are.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  27. MS anti-spyware utility will stop this by digitaldc · · Score: 4, Funny

    I am pretty sure MS anti-spyware will stop this from launching

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  28. How to disable JavaScript by Rinnt · · Score: 2, Informative

    Yes, for most it may be extremely easy. But in case you haven't had to do it for some time:

    To disable JavaScript in IE, click Tools, Internet Options and choose the Security tab. Click the Internet icon, click the Default Level button, and move the slider to High.

    ...Shamelessly stolen from here.

  29. Hmm.... by Lonath · · Score: 5, Funny

    Isn't Google's master plan to take over the world dependent upon people using AJAX? If IE has a critical flaw using javascript, and everyone has to turn it off, then nobody will be able to use Google's new products and... Hey wait a minute.

  30. Re:I don't care by meringuoid · · Score: 2, Informative
    Take off the tin foil hat. The amount of work it would take to write such an exploit would be huge and would only get a tiny fraction of the market. There's no profit in it, there's no notoriety for it.

    Would a worm do all that, or a clueless script kiddie? Probably not. As you say, there are too few dual-boot systems around. Bear in mind however that the Linux partition is still at risk from a malicious kiddie letting rip with fdisk.

    But would a hacker do it? Yes, I think so. Especially if he'd just been directly challenged to do so by someone who thinks the wall between Windows and Linux in a dual-boot system is so impenetrable...

    --
    Real Daleks don't climb stairs - they level the building.
  31. Opera affected too? by DoddyUK · · Score: 2, Interesting

    Since this exploit is critical in IE, and DoS's both Safari and Firefox, does anyone know if this bug also affects Opera 8.5?

    --
    Some think the Internet is a bad thing. I just think that AOL is a bad thing.
    1. Re:Opera affected too? by porneL · · Score: 5, Informative

      Not affected. I've tested <body onload="window();"> and nothing happens besides JS console logging "Statement on line 1: The Object does not implement [[Call]]".

  32. Lynx by Frankie70 · · Score: 4, Interesting

    To be honest, I found it more of a shock that Lynx has a security flaw.

    Why? I haven't looked at Lynx recently, but Lynx used to be a very insecure browser - Lynx code had lots & lots of Buffer Overflows.

  33. Duh! (+1, informative) by hummassa · · Score: 3, Informative

    Sony's CD copy protection installs in your Windows machine a rootkit that renders invisible any file whose name starts with '$sys$'.
    The *nix joke "word^Wother" (also written "word^H^H^H^H") meant: I wrote "word", but repented and erased it (with one control-w or N control-h keys) and substituted it with "other".
    The newly made Sony/Windows joke "$sys$word other" means: "word" becomes invisible and, just as in the unix case, I am saying "other" (when I really mean the harsher "word").
    Funny thing is, it's not as funny when I explain it. :-(

    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    1. Re:Duh! (+1, informative) by Omega697 · · Score: 4, Informative

      What he meant was that there were 4 ^W's and when you erase 4 words you wind up with the nonsensical statement in his post.

    2. Re:Duh! (+1, informative) by mazarin5 · · Score: 2, Informative
      Oh, I got it.

      The "^W" control character deletes the preceding word, not character. This distinguishes it from "^H", which deletes only the preceding character, thus they aren't interchangeable.

      If you notice, I quoted you with the four words preceding "^W^W^W^W" deleted, as if the "^W"s had actually had an effect on the sentence. That made your sentence incomplete, and therefore nonsense.

      Therefore "Huh?".

      Granted, it wasn't worthy of Mark Twain, but it was meant to be humorous.

      --
      Fnord.
    3. Re:Duh! (+1, informative) by meringuoid · · Score: 2, Funny
      A: Because 31 (hex) == 27 (dec)!

      I always get depressed as the nights draw in towards the end of Hextober; how about you?

      --
      Real Daleks don't climb stairs - they level the building.
  34. Re:Link to a copy? by Trip+Ericson · · Score: 2, Informative

    Google for Portable Firefox and give it a try. Works just fine for me on all the school computers, without the hassles of getting the Microsoftophiles upset.

  35. My IE not at risk by MandoSKippy · · Score: 2, Insightful

    In my network, we use group policies to enforce that all computers browse the Internet at the high level. What happens when a user needs JS? Well, they send the admin an email, and if the site is legit, we add it to the global trusted sites...

    Block all, only allow what is legitimate.

    A security principle we should be using... Whitelists are much better than black lists.

    This vuln will only affect my network if one of the trusted sites gets infected, but that is a much reduced risk from the phishing emails etc with links to bad sites... I.e., like anything, it is only as secure as how the administrator configured it.

    Now for home users.. Microsoft WHAT THE HELL ARE YOU THINKING /shrug felt good to say at least.

    1. Re:My IE not at risk by lgw · · Score: 2, Insightful

      Is a house with no doors or windows secure? Only if you're an idiot. Security is the ratio of difficulty of access by authorized vs. unauthorized users. Adding a process that makes it more difficult for both adds no security, it merely makes your users hate you.

      The damn data janitors around here forget their job is first to provide a useful network.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  36. Re:The facts please by hotdiggitydawg · · Score: 3, Insightful

    Fact: this bug was reported six months ago, but it is only now that someone has publicly shown how to use it to run arbitrary code.

    Who knows how long other people have been exploiting this bug - potentially in ways not involving Javascript as well?

  37. Re:Link to a copy? by Tony+Hoyle · · Score: 2, Informative

    Same on IE. Didn't seem to do anything on opera.

    Not sure if crashing the browser can really be called an 'exploit'. Slashdot headline writers on crack again...

  38. Re:HTML in Outlook Affected? by GuanoTO · · Score: 2, Informative

    Sadly yes, it will use IE extensions to display the html (and associated) code. It is a hardcoded call to IE, not the default browser.

    Much like following the HotMail link in MSN Messenger will launch a new IE window, despite having FF set as the default browser.

  39. Re:If a problem like this was found in Firefox... by Maian · · Score: 2, Informative

    Um, you must be one hell of a Firefox fanatic to completely ignore the fact there have been serious published and previously unpatched (but now patched) vulnerabilities in Firefox before. Why the hell was this modded insightful? Now it may be true that Mozilla fixes vulnerabilities faster than the IE team, but this is an outright lie.

  40. Re:I don't care by RingDev · · Score: 2, Insightful

    "Because the first choice is ridiculously, brain-dead easy. That's why."

    You are implying that the person breaking the law has an average level of intelligence. Haven't you seen "Maximum Exposure", "Real Police Videos", or any of the other caught-on-tape shows? They prove one thing: most criminals are dumb. True, there are a few gems in the rough, but by and large, the criminal element of society is not the brightest bulb in the box.

    "Where's the notoriety in this? Oooh. I hacked a windows box. I'm so l33t."

    Try, I hacked 3.4 million Windows boxes. I'm so l33t. I now have a bot network that can cripple massive pipes. Spam emails to millions of people per hour. Shut down major media outlets. Decimate online services (sales/games/gambling). Run distributed key cracking engines, etc.

    Compared to: I hacked 20 debian boxes. I can flex my online epeen and spam an IRC channel!

    CNN doesn't care about 20 nuebs who left their systems unsecured. CNN doesn't even care about Windows vulnerabilities. CNN cares about the monetary impact. So CNN will report on the person who creates a huge botnet and attacks high profile online organizations with it.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  41. Re:Advice for not getting this virus by lgw · · Score: 2, Informative

    Older versions of Norton AV leaked memory like crazy, but only when you ran a scan. The realtime protection was fine. You did need to reboot after a scan, however. Newer versions are either fixed or not so bad that I notice.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  42. Get the facts! by Xerp · · Score: 3, Funny

    Have you people not got the facts? Browsing the web using Microsoft Windows - and especially when using the excellent Microsoft Internet Explorer - is proven to be much more secure than using those namby-pamby, tree-hugging, communist hippy programs you can get, like that Linux thing and Firefox. I mean, no-one uses those things anyway, do they? I always make sure that I am fully patched, and that my anti-spyware and anti-virus programs are up to date. Every morning I check through my root-kit and trojan scanner reports, right after my defrag has finished. I know for a fact that this so-called exploit hasn't affected me in th [NO CARRIER]