Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zero-Day IE Exploit Takes Control of PCs

Posted by CmdrTaco on from the here-we-go-again dept.

anethema writes "A remote IE exploit with implementations is currently in the wild. From the article: 'Exploit code for a critical flaw in fully patched versions of Microsoft Corp.'s Internet Explorer browser has been released on the Internet, putting millions of Web surfers at risk of computer hijack attacks.' Aparently all you have to do is browse the page to be affected. There is no patch, but since it is a JavaScript exploit, you can work around it by disabling JavaScript."

61 of 567 comments (clear)

  1. This is why... by wpiman · · Score: 5, Insightful

    I use Firefox.

    1. Re:This is why... by Anonymous Coward · · Score: 3, Funny

      This why I use a mainframe. Micros are just toys, bad enuff they have crummy hardware but their software is crap too.

    2. Re:This is why... by msdschris · · Score: 5, Funny

      I use telnet and render the HTML mentally.

    3. Re:This is why... by ZiakII · · Score: 3, Funny

      I use lynx....

    4. Re:This is why... by aicrules · · Score: 3, Funny

      Only to be stricken by sloppy internal perception code causing random synapse firings building to a pace that you suddenly just start breakdancing.

    5. Re:This is why... by Scoth · · Score: 5, Funny

      You say that in jest, but imagine the possibilities for exploits when/if we get the point of direct neural implants for communications and such. Just imagine, instead of porn popups, lockups, and reboots we'll have people suddenly yelling about viagara at the top of their lungs, freezing up and falling over mid-stride, and suddenly forgetting where they are.

      Maybe anyway :)

    6. Re:This is why... by Anonymous Coward · · Score: 5, Funny

      You've met my grandfather, I take it.

    7. Re:This is why... by andreMA · · Score: 5, Funny

      Two of those three would apply to the current crop of US politicians. All three if you count Bob Dole.

    8. Re:This is why... by HairyCanary · · Score: 4, Insightful

      Yes, the FF r0x0rs comments are redundant. Even more so are the responses to those comments that suggest that FF crashing has anywhere even approaching the same level of impact as an IE exploit that allows remote control to be taken of the affected computer.

    9. Re:This is why... by nyc_paladin · · Score: 3, Informative

      And use the NoScript extension https://addons.mozilla.org/extensions/moreinfo.php ?application=firefox&id=722

      --
      All that is necessary for the triumph of evil is that good men do nothing. --Edmund Burke
    10. Re:This is why... by lordofthechia · · Score: 5, Funny

      "I use telnet and render the HTML mentally."

      You get used to it. I don't even see the code. All I see is blonde, brunette, redhead.

      --
      Georgia Tech, the leader in Chia(tm) technology.
    11. Re:This is why... by lordofthechia · · Score: 5, Funny

      I phone the webmaster and ask him to read me the webpage.

      --
      Georgia Tech, the leader in Chia(tm) technology.
    12. Re:This is why... by OakDragon · · Score: 5, Funny

      There is an exploit that my computer suffers from every day. It's called the 'Slash.ORG' worm, and it doesn't matter what kind of browser you use. Once the browser navigates to a certain website, it tends to stay there, refreshing as needed. It's called a DoPE attack, or 'Denial of Productivity for Employer.'

      --
      Dark Reflection
    13. Re:This is why... by orangesquid · · Score: 4, Interesting

      Why not just put your IE and web stuff in a special subtree and chroot before fork+exec'ing?

      Oh, wait, does windows even have anything like that...?

      I'm not trying to start a flame war, I'm honestly wondering.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    14. Re:This is why... by zachdms · · Score: 5, Informative

      Check out DropMyRights - should be exactly what you want.

    15. Re:This is why... by caulfield · · Score: 3, Funny

      The phones are tapped.

      US Mail, baby.

      Didn't anyone see The Postman

  2. Ouch. by Pxtl · · Score: 4, Insightful

    Remember when web browsers were just for viewing HTML pages, and not as a platform agnostic instant-rollout applications platform?

    Yeah, me neither.

    1. Re:Ouch. by TheRealMindChild · · Score: 5, Funny

      DOH! http://validator.w3.org/check?uri=http%3A%2F%2Fwww .comm.utoronto.ca%2F%7Eeckford%2F
       
        Result: Failed validation, 7 errors

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    2. Re:Ouch. by cloudmaster · · Score: 3, Interesting

      You have a strange definition of "better" if you think that using flash and graphics where text makes sense is "better". Hooray for wasting bandwidth in roder to provide a "media-rich" experience, when utilizing actual valid HTML would work just as well *and* provide a means of formatting for a variety of different output devices.

      You don't have to design to the "lowest common denominator" if you use proper HTML 4.1 with CSS, but you do have to think about making a page that degrades gracefully. It's not really even hard - but thanks to IE and Netscape adding their own screwy tags + cheerfully accepting ill-formed HTML, web developers are among the laziest, worst informed developers around. Yeah, things sure are better now.

    3. Re:Ouch. by springbox · · Score: 3, Informative
      I may be a nerd, but I like to think of my page design [andreweckford.com] as "clean" and "fast-loading", thank you very much.

      Import a CSS on every page and you can get a nicer looking layout with little cost. "Small in size" and "fast loading" does not necessarily mean "default color scheme."

  3. And as usual... by Billosaur · · Score: 5, Funny

    From eWeek: The group that published the exploit said Microsoft has been aware of the Javascript Window() vulnerability for several months but was mistakenly treating it as a low-priority denial-of-service flaw.

    Because anything that allows a malicious user to exploit your system and hijack isn't a flaw... it's a feature!

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:And as usual... by meringuoid · · Score: 4, Funny
      Because anything that allows a malicious user to exploit your system and hijack isn't a flaw... it's a feature!

      This kind of thinking is extremely $sys$profitable irresponsible.

      --
      Real Daleks don't climb stairs - they level the building.
    2. Re:And as usual... by zootm · · Score: 5, Funny

      This kind of thinking is extremely $sys$profitable irresponsible.

      My god, Sony have provided a viable Windows alternative to the old ^W^W^W^W *nix joke... it's worse than we thought!

    3. Re:And as usual... by mazarin5 · · Score: 5, Funny
      My god, Sony have provided a viable Windows *nix joke

      Huh?

      --
      Fnord.
    4. Re:And as usual... by Ibix · · Score: 4, Funny
      This kind of thinking is extremely $sys$profitable irresponsible.

      "I have seen the fnords..."

      I

  4. I'm glad to see that by WhiteWolf666 · · Score: 3, Funny

    Microsoft's total time of 0wnerzship continues to decrease.

    Its important for MS to keep ahead in this area.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  5. Is there a tenor in the house? by MikeMacK · · Score: 5, Funny
    The SANS ISC's Ullrich said IE users should consider switching to Firefox of Opera.

    Ah, the Firefox of Opera - who is that, Pavarotti?

  6. This is why... by MartinG · · Score: 5, Funny

    I use netcat.

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
  7. Oh no.. by Dynamoo · · Score: 3, Interesting
    Oh no.. here we go again. No, it's not that there's another flaw in IE that I say that because some things are inevitable.. death, taxes and IE flaws. But any self-respecting IT professional or geek won't be using IE anyway. Sure.. users do, but they're much further down the food chain.

    No, the reason I'm saying it is that this being Slashdot we'll get the usual set of arguments about browser and OS supremacy. Again. It's like Groundhog Day!

    Shucks, everything has security flaws. Yeah, some more than others. To be honest, I found it more of a shock that Lynx has a security flaw. If you can't trust Lynx to be secure, then really nothing is secure. Except unplugging your computer and putting it back in the box, perhaps.

    --
    Never email donotemail@WeAreSpammers.com
  8. Thank you by steveo777 · · Score: 5, Funny

    Now that you've read the comments, your Windows box belongs to OSTG. Please stand by while we load Linux.........

    --
    This sig isn't original enough, it's time to come up with something witty...
  9. Give it 5 by intmainvoid · · Score: 4, Funny
    We have also been made aware of proof of concept code that could seek to exploit the reported vulnerability but are not aware of any customer impact at this time

    Well, there might be no customer impact at this time, but seeing as the exploit is published now, can I ask you again in about 5 minutes?

    --
    Drag n' Drop DVD Recommendations
    1. Re:Give it 5 by intmainvoid · · Score: 4, Interesting

      Have you had a look at the source on a slashdot page recently?

              _uacct = "UA-32013-5";
              urchinTracker();

      --
      Drag n' Drop DVD Recommendations
  10. In other news by epsalon · · Score: 3, Funny

    The sun has risen this morning, and the Earth is rotating around its axis.

    Nothing to see here - move along.

    --

    Make even shorter URLs - 8LN.org

  11. This is why... by BushCheney08 · · Score: 5, Funny

    I don't browse the web.

    --
    Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
  12. I hope this gets into a doubleclick ad by WhiteWolf666 · · Score: 4, Insightful

    /evil on

    That'd be SO funny

    Someday, an IE exploit is going to come along that wipes your HD. Then we'll see sparks fly. /evil off

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    1. Re:I hope this gets into a doubleclick ad by Xarius · · Score: 4, Informative

      I know he's considered as a bit of a prick, but ESR explains exactly why this would be one of the worst things that could happen here.

      Make of it what you will.

      --
      C17H21NO4
  13. good example of why Microsoft is bad at security? by diegocgteleline.es · · Score: 4, Interesting

    This exploit exploits a vulnerability on a already found denial-of-service attack which Microsoft classified six months ago as "low-priority"...

  14. Zero-day? No. by MoNickels · · Score: 3, Informative

    The original article and the Slashdot headline are wrong. It's not a "zero-day exploit." The article itself says, "The group that published the exploit said Microsoft has been aware of the Javascript Window() vulnerability for several months but was mistakenly treating it as a low-priority denial-of-service flaw." A zero-day exploit is one that is discovered or revealed the day software becomes available, be it brand-new software, an update, a patch, or a service pack.

    --

    Wordnik, a dictionary project which aims to collect

  15. Re:...or by not using Internet Explorer by dwandy · · Score: 4, Insightful
    IE's market share is still huge, but for the life of me I can't understand why.

    Take Preinstalled Browser,
    Add to Lazy User,
    and mix in a healthy dose of Ignorance.

    Alternate Receipe:
    Take Preinstalled Browser,
    Add Fear Of Change.

    Despite having Firefox installed at home, my wife insists on MSExploder .... I think the linux migration time-table is getting shortened.

    --
    If you think imaginary property and real property are the same, when does your house become public domain?
  16. Re:The facts please by Prospero's+Grue · · Score: 4, Insightful
    On story like this, we need the facts, period. No hype, rhetoric or personal opinions. Only the facts please, because I know members are going to tout the "other browser" as the safer one.

    Now, mod me whatever you want, but the info you provide should be FACTS.

    Fact: A critical security flaw has been found in IE, and the SANS ISC is recommending that people use one of the "other browsers".

    Howzat?

    --
    The opinion above is fiction. Any similarity to real opinions, including facts and logic, is purely coincidental.
  17. Re:Link to a copy? by artifex2004 · · Score: 3, Insightful
    I want to use it on school computers - they wwould just be getting what they deserve for flat-out refusing requests to get Firefox installed.

    So you'd deliberately and maliciously cause problems, just to prove you were on some imaginary moral high ground?

  18. This code by paranode · · Score: 4, Informative

    Will DOS Firefox. Not as bad as an exploit but they have issues to fix as well.

    1. Re:This code by vear · · Score: 3, Funny

      MS-DOS or DR-DOS? I don't know which one is worse.

  19. Gah! by Anonymous Coward · · Score: 5, Insightful

    users do, but they're much further down the food chain

    Except that regular users comprimise a greater number of Internet users. So if Joe Average uses IE, more people are going to be affected by this flaw.

    we'll get the usual set of arguments about browser and OS supremacy.

    If something has fewer security problems, isn't it "superior" in that respect?

    If you can't trust Lynx to be secure, then really nothing is secure.

    Right. Because if something has one flaw, then you might as well not even bother trying, because everything has flaws. I mean, just because IE has had double-or-triple-digit flaws, clearly this one flaw in lynx makes all arguments against IE moot.

    What an inane comment.

  20. DUPE! by andreMA · · Score: 3, Funny

    Oh, wait... it just seems that way. Carry on...

  21. lazy story submitters by mapmaker · · Score: 5, Funny
    Aparently all you have to do is browse the page to be affected.

    What, no link?

    1. Re:lazy story submitters by tpgp · · Score: 3, Informative

      Here you go

      --
      My pics.
  22. Re:Link to a copy? by tomasvilda · · Score: 4, Informative

    Here you can test an exploit on IE: http://www.computerterrorism.com/research/ie/poc.h tm -- http://tvilda.stilius.net/

  23. Thank you by nealfunkbass · · Score: 4, Funny

    The holidays are a time for giving.

    Now that you've RTFA, and you are now looking at the comments page, the staff of Slashdot and EWeek would like to thank you for visiting our web pages and giving us full control of your windows PCs.

    Happy Holidays!

    --
    - Donny was a good bowler, and a good man.
  24. MS anti-spyware utility will stop this by digitaldc · · Score: 4, Funny

    I am pretty sure MS anti-spyware will stop this from launching

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  25. Hmm.... by Lonath · · Score: 5, Funny

    Isn't Google's master plan to take over the world dependent upon people using AJAX? If IE has a critical flaw using javascript, and everyone has to turn it off, then nobody will be able to use Google's new products and... Hey wait a minute.

    --
    Best. Comment. Ever. Enjoy!
  26. Re:...or by not using Internet Explorer by Darth+Maul · · Score: 4, Insightful

    but for the life of me I can't understand why.

    It's very, very simple. People are stupid and lazy.

    --
    --- witty signature
  27. Lynx by Frankie70 · · Score: 4, Interesting

    To be honest, I found it more of a shock that Lynx has a security flaw.

    Why? I haven't looked at Lynx recently, but Lynx used to be a very insecure
    browser - Lynx code had lots & lots of Buffer Overflows.

  28. Duh! (+1, informative) by hummassa · · Score: 3, Informative

    Sony's CD copy protection installs in your Windows machine a rootkit that renders invisible any file whose name starts with '$sys$'.
    The *nix joke "word^Wother" (also written "word^H^H^H^H") meant: i wrote "word", but repented and erased it (with one control-w or N control-h keys) and substituted it for "other".
    The newly made Sony/Windows joke "$sys$word other" means: "word" becomes invisible and, just as in the unix case, I am saying "other" (when I really mean the harsher "word").
    Funny thing is, it's not as funny when I explain it. :-(

    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    1. Re:Duh! (+1, informative) by Omega697 · · Score: 4, Informative

      What he meant was that there were 4 ^W's and when you erase 4 words you wind up with the nonsensical statement in his post.

  29. Re:Opera affected too? by porneL · · Score: 5, Informative

    Not affected. I've tested <body onload="window();"> and nothing happens besides JS console logging "Statement on line 1: The Object does not implement [[Call]]".

  30. Re:...or by not using Internet Explorer by dallask · · Score: 5, Funny

    solution:
    Buy sony cd,
    install rootkit
    rename Explorer to $sys$explorer.exe

    --
    The Code Ninja is swift with his tool, precise in his delivery, and deadly accurate in his execution.
  31. Re:Say goodnight, AJAX by ptomblin · · Score: 4, Insightful

    So? When 90% of your "customers" are being told that they either turn off Javascript or get a virus, it doesn't matter whether the problem is with Javascript or IE - either way, there is no return for adding AJAX features to a web site. I'd rather spend my precious development resources on non-AJAX features that benefit everybody.

    --
    The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
  32. Re:...or by not using Internet Explorer by GweeDo · · Score: 4, Insightful

    Despite having Firefox installed at home, my wife insists on MSExploder

    I don't understand this. You aren't the first person to tell me their Wife doesn't wanna run Firefox. You know what I did. I said to my wife "Wife. IE will break the computer and then I will have to spend all night fixing it rather than doing whatever else it is you wanted me to do.". My wife actually respects that I know what the crap I am talking about (just as I respect what the crap she is talking about in her area of expertice...which isn't IT) and goes with what I say.

    Why don't you people just try explaining the problems to your wife and get over it?

    --
    Unstable Apps: Our Android Apps Don't Suck
  33. Re:The facts please by hotdiggitydawg · · Score: 3, Insightful

    Fact: this bug was reported six months ago, but it is only now that someone has publicly shown how to use it to run arbitrary code.

    Who knows how long other people have been exploiting this bug - potentially in ways not involving Javascript as well?

  34. Get the facts! by Xerp · · Score: 3, Funny

    Have you people not got the facts? Browsing the web using Microsoft Windows - and especially when using the excellent Microsoft Internet Explorer is proven to much more secure than using those namby-pamby, tree-hugging, communist hippy programs you can get, like that Linux thing and Firefox. I mean, no-one uses those things anyway, do they? I always make sure that I am fully patched, and that my anti-spyware and anti-virus programs and up to date. Every morning I check through my root-kit and trojan scanner reports, right after my defrag has finished. I know for a fact that this so-called exploit hasn't affected me in th [NO CARRIER]