Trojan Exploits Unpatched IE Flaw

onebuttonmouse writes "The Register reports on a trojan spotted in the wild that takes advantage of the so-far unpatched IE vulnerability mentioned on Slashdot earlier this week. From the article: 'The release of a Trojan that exploits an unpatched IE hole has prompted speculation that Microsoft may release an emergency out-of-cycle security patch. Delf-DH downloads other malware onto infected machines changing settings in order to monitor user activity and redirect surfers onto porn sites. The attack relies on a flaw in the way IE handles requests to the window() object.'"

Fix just came out.

[suso]

The fix for this is here

Re:Fix just came out.

[tehshen]

Gah! Delf-DH just popped up and redirected me to a fox hentai site.

Re:Fix just came out.

[SatanicPuppy]

...and redirect surfers onto porn sites.

Fix? It's not a bug, it's a feature. Maybe IE is improving!

Re:Fix just came out.

[Mr_Silver]

The fix for this is here

I know you are joking but I notice that if you live in the UK you cannot get hold of an en-GB version of Firefox 1.5.

It seems a bit odd that Slovenia (population 2,011,070), Norway (population 4,593,041) and Finland (population 5,223,442) can all have 1.5 produced before us despite the fact that their population numbers combined are significantly less than the 60,441,457 for the UK.

(It's not like we're a backwater either, we have the second highest number of internet users after Germany)

Hopefully it'll be ready after the weekend.

Re:Fix just came out.

[realnowhereman]

I like en_GB as much as the next man; but I'd hazard a guess that en_GB is lower priority as we can get by perfectly well with en_US. Slovenia, Norway and Finland - probably not so much.

Re:Fix just came out.

You'd be surprised.

Re:Fix just came out.

[Johnny+O]

If you are... I am...

Re:Fix just came out.

[MtViewGuy]

That would be great if you didn't have to update all your themes and extensions and/or wait for updated themes and extensions just to support Firefox 1.5. You'd think everyone would be more timely on this.

Re:Fix just came out.

[Mr_Silver]

What exactly is different between en_US and en_GB versions?

Not really sure, but you do get problems trying to use some of Google functionality and some financial sites because it thinks you live outside of the UK.

I'm sure you probably could download an extension to fix all of those issues ... but given that I have enough installed already, I'd rather not.

Re:Fix just came out.

[Crayon+Kid]

Unfortunately, Firefox 1.5 is also affected by the bug. Granted, it only freezes up and has to be killed manually, so it's not as severe as remote code execution. Still...

Re:Fix just came out.

[Ansonmont]

I thought "Cache" was "lorry" in en_GB and "boot" was the trunk of the software tree. Might be wrong 'bout that though.

-A

Re:Fix just came out.

[RandomPrecision]

Particularly since Firefox actually had RC's. You'd think they could be updated in that time. Until then, I use this extension to force compatibility. 95% of my extensions aren't actually incompatible with the new versions.

Re:Fix just came out.

[jtorkbob]

That's why I run the NoScript extension. Makes me that much freer to to click links in /. sigs.

Re:Fix just came out.

[ratpack91]

they don't use your browser to determine where you are. They use your IP address. duh

Re:Fix just came out.

[mrchaotica]

Wouldn't that depend more on IP address than character set?

Re:Fix just came out.

[Ford+Prefect]

I know you are joking but I notice that if you live in the UK you cannot get hold of an en-GB version of Firefox 1.5.

It's very rare that we get en_GB 'translations' for anything - I would be surprised if the translated Firefox has more than just a couple of words changed in it. I've been using the US version and had no problems whatsoever.

If anything, having a British English interface feels really weird, and I kind of do a double-take when I see words like 'colour' spelt correctly on a computer - my iBook's language is set to British English and it still uses American spellings everywhere apart from the default spell-checker. (Although Tiger's a slight improvement over Panther in one respect - Safari used to send a weighted list of acceptable languages in requests, and many servers got confused and sent me French or Japanese when they couldn't find the initial en_GB. Now that was a bug!)

Re:Fix just came out.

[uNople]

Just use MR Tech Local Installs. It has options when installing to disable max version checking, which means it installs and enables anyway, even if it's not compatible. It also has a "Make compatible" option which forces the extension to be enabled.

Oh, and the fact that Firefox crashes when it encounters this bug... it reminds me of a good BOFH quote: "We came in this morning to find that our router had stopped a DDoS attack by crashing. It stopped that attack good!" (Actual quote may be different, this if from memory)

Re:Fix just came out.

[mikefe]

I have tested it myself, and Firefox does not crash, it just takes a *long* time to render the page.

This shows that the renderer needs to be threaded to allow for multiple renderings to take place at once.

Or at the very least, the UI and renderer need to be on seperate threads.

Re:Fix just came out.

[moro_666]

repeat that feature sentence again when your mother is accidentally behind your machine with your daughter to watch together a barbie site ...

bandage barbie, uh oh ...

Re:Fix just came out.

[SatanicPuppy]

Heh. Welcome to the wonderful world of the Internet, where you can never be sure the file you're opening wasn't put there as a practical joke by someone into fecal fetish porn.

Re:Fix just came out.

[whitehatlurker]

Firefox 1.5 is also affected by the bug

Really? I know that FF 1.0.x was (I tested it), but 1.5 seems to work okay.

Opera isn't affected. ;-)

Thank god...

Thank god I still use Mosaic. Hey, if it ain't broke...

Re:Thank god...

[timster]

Oh gods... if it ain't broke, it ain't Mosaic.

Re:Thank god...

[uberjoe]

That's why I use Links.

Dupe...

[NardofDoom]

We heard about this same sort of thing hundreds of times. The editors really need to read the articles more carefully...

This is great!

[GauteL]

"elf-DH downloads other malware onto infected machines changing settings in order to monitor user activity and redirect surfers onto porn sites."

So it is basically automated pr0n! From now on, you won't have to use your left hand.

Re:This is great!

[failedlogic]

I'm on a Mac. Can I still get infected? I have no anti-virus, hoping that a virus like this would be released.

I might switch back to Windows afterall.

Re:This is great!

[HugePedlar]

Elf-porn is somewhat of a niche market, though.

Re:This is great!

Elf-porn is somewhat of a niche market

I'd certainly enjoy being stuck in a nice wooded niche with Liv Tyler, Cate Blanchett, and some hot grits. Heck, Orlando Bloom can tag along too as long as he understands I'm da man.

Flaw?

[CaymanIslandCarpedie]

and redirect surfers onto porn sites

Sounds more like a feature to me ;-)

Re:Flaw?

[TangoCharlie]

Duh! I just downloaded Firefox 1.5 too! How do I set IE as my default browser again?

Re:Flaw?

[TCFOO]

Sounds more like a feature to me ;-)

Unless you don't want to see that stuff.

Think about this. 10 year old little Jimmy is on Yahoolagins playing Go Fish, and Delf-DH desides to work its majic jest as his mother walks into the room. The poor kid is going to have a sore rear end because of some malware and an IE security flaw.

Re:Flaw?

[matth]

Well.. what is little billy doing running as an administrator? Oh his parents.. hrmm clearly they didn't know how to use a computer... sucks to be billy... but hey... irresponsible parents.. There should be a requirement to have a license to get on the internet.

Re:Flaw?

[jtorkbob]

Maybe young William wants to play one of these games and so dad let him have admin rights?

Re:Flaw?

[giorgosts]

Would code be executed when the user has no administrative priviledges?

Re:Flaw?

[SilentOne]

If Billy is playing Barbie as Princess Bride, I think his parents might be a bit more concerned then if he's looking at pr0n, at least in America.

disable active scripting ...

[digitaldc]

...or enable inactive surfing

Re:disable active scripting ...

[tehshen]

Disable what? Enable what? IE should be secure, I shouldn't need to work around it.

Re:disable active scripting ...

[digitaldc]

agreed, just summarizing the temporary 'fix' for it.

It's not a patch, it's a new feature?

Re:disable active scripting ...

[BushCheney08]

...or enable inactive surfing

I'm trying, but I can't find it. I've looked all over in Tools > Internet Options. I figure it would be under Accessibility (sounds like it would), but no luck... : /

Re:disable active scripting ...

[tehshen]

I was trying to say that Microsoft should never offer this as a patch - it's not a patch, it's just turning off functionality, akin to fixing a leaky pipe by disconnecting the water. (Though as a temporary fix, it works)

Re:disable active scripting ...

[digitaldc]

Their reply would be: you really don't need the water anyway.

Re:disable active scripting ...

[digitaldc]

Tools > Internet Options > Advanced > Security > -Checkbox for- Allow active content to run files on My Computer?

Re:disable active scripting ...

[naelurec]

Their reply would be: you really don't need the water anyway.

If thats the case, why did they provide water in the first place? :)

Re:disable active scripting ...

[Xugumad]

If you want a secure browser, can I recommend Lynx?

Seriously though, the IE devs could either spend their time working on shiny new features, or they could work on security testing it, and as much as I hate to say it, most people will go for the version with more features and less security.

If you fancy a compromise though, disabling scripting will give you a lot more security (how many exploits in browers, over the last few years at least, haven't required Javascript/Active X?)...

Re:disable active scripting ...

[m50d]

And yet when someone suggests a firefox extension as a fix for something, that's all well and good.

Re:disable active scripting ...

[jackbird]

Or some could do each. It's not like they're hard up for programmers or salaries.

Re:disable active scripting ...

[mslinux]

True... it's not like they don't have backdoor access to all of these XP machines ;)

Re:disable active scripting ...

[budgenator]

I just don't understand MS's security paradigm, the other day I downloaded an upgraded flash player and stored it on my desktop, then I right-clicked to installer and clicked run as admin, Windows XP said I didn't have suffient privelages to open the file! Admin can't open a file saved by a normal user; WTF, that's certainly an unexpected behaviour, especialy to someone who is used to

su -c"rpm --install whatever"

. You'd think that they would write and compile a program

main{exit(0);}

I could just copy it to

C:\Documents and Settings\<username>\Start Menu\Programs\Startup\KVG.exe
C:\Documents and Settings\<username>\Start Menu\Programs\Startup\keks.exe
C:\windows\all.exe

make them owned by admin and be done with it.

Re:disable active scripting ...

[GarfBond]

That would be a fix for a feature request, not a security patch. I've yet to hear of a real security patch being offered up as an extension (the one instance that happened, Firefox 1.0.1 or something, was because it was a simple pref change and not something to requires a rebuild). Firefox security fixes are fixes of the actual program. Extensions add features that aren't there.

But of course you're not flamebaiting unintelligently and already knew that.

Re:disable active scripting ...

[m50d]

That would be a fix for a feature request, not a security patch. I've yet to hear of a real security patch being offered up as an extension (the one instance that happened, Firefox 1.0.1 or something, was because it was a simple pref change and not something to requires a rebuild).

The per-domain javascript whitelisting one quite frequently is. There was a real patch released as soon at the exploit I'm thinking of became known, but people were getting +5s for saying "that's why I use this extension, I'm not vulnerable at all".

Re:disable active scripting ...

[PhrackCreak]

'Insightful?' Puh-lease.

This is just made up garbage, and probably just a troll. Assuming it is not, are you able to point to a single place anywhere on /. where someone suggested a firefox extension to fix a security hold where it was received as 'all well and good?'

Re:disable active scripting ...

[m50d]

'Insightful?' Puh-lease. This is just made up garbage

Welcome to slashdot.

Assuming it is not, are you able to point to a single place anywhere on /. where someone suggested a firefox extension to fix a security hold where it was received as 'all well and good?'

Yes I am.

Re:disable active scripting ...

[16K+Ram+Pack]

go on then...

Re:disable active scripting ...

[m50d]

No, I don't have time to.

what's the problem... ;)

[Dtyst]

Average joe search for p0rn
He fins a site with virus that gets installed on his computer.
Virus finds the pr0n for him....
Both win!

Re:what's the problem... ;)

[LifesABeach]

Well, this does answer some critical marketing questions of why IE is so well recieved in the "internet community". With all due respect to the virus writer, and the efforts this person put fourth into their craft; Um, what are the addresses of those porn sites?

Re:what's the problem... ;)

[moro_666]

i just thought that it may look cool on the huge screen displays on the streets that are powered by windows ... nice full screen kiosk mode pr0n all over the place ....

so you see, switching to linux doesnt always pay off, because you miss the Incredible pr0n Explorer alias IE!

Re:what's the problem... ;)

[Rakshasa+Taisab]

Joe wants girls kissing.
He gets, girls wrestling
with dicks.

Wait a minute!

[ThatGeek]

You mean that IE isn't 100% dedicated to perfect security?

I don't see the point of these announcements. People who care about not getting hacked are using Firefox, Opera, Safari or Lynx at this point.

People who still use IE... well... they probably won't do much in response to this warning anyway.

Re:Wait a minute!

[colinu]

Anyone using IE doesn't know what a trojan is.

Re:Wait a minute!

[supra]

> People who care about not getting hacked are using [a non-IE browser]
Unfortunately there are still some sites that require IE, if for no other reason than ActiveX.
A friend works w/ a site whose interface is primarily ActiveX. He doesn't want to use IE, but at least for that site, it's his job if he doesn't. That starts the snowball effect (personal settings, bookmarks, default browser, etc) which makes it harder to *only* use IE for that particular site.
Sad but true.

Re:Wait a minute!

[Brunellus]

Today being World AIDS Day, it would be a good day to educate them.

Re:Wait a minute!

[Shawn+is+an+Asshole]

Aren't those what you put on your dicK?

Re:Wait a minute!

[Shawn+is+an+Asshole]

You should tell him about Netscape 8. It uses the Mozilla engine but can be configured to use the IE engine for certain sites. I use that for a few of the apps at my college that require IE.

Re:Wait a minute!

[jav1231]

Careful...I feel a "Flamebait" mod coming.
Of course, you have an excellent point, but SOMEONE will not like it.

Re:Wait a minute!

[supra]

> You should tell him about Netscape 8
Thanks for the suggestions, but unfortunately he is one of the masses (ie. average user). If IE works (now that's a subjective term, huh?), he'd rather use it w/ the risk of being vulnerable than try something different.

Unfortunately, I've found most people are willing to take the risk by justifying it with "it won't happen to me, I only visit 'safe' sites." Without any technical knowledge on the subject, and even worse, ignorance to learn, people just use what's available even if it's not optimal. Hence IE's market share. Anyone w/ 3 brain cells knows it's sufficiently lacking to most alternatives.

I don't need...

[wolf31o2]

A trojan to redirect my browser to porn sites. I do that well enough without the assistance. *grin*

Very Scary!

[roman_mir]

Apparently this wild trojan uses IE to direct a very specific type of attack against /., which results in dupe stories being posted!

I hate this style of commenting.

[Vo0k]

"The Register reports on a [[register article|trojan spotted in the wild]] that takes advantage of the so-far unpatched IE [[|Slashdot story|vulnerability]] mentioned on Slashdot earlier this week."

That should be done like this:

"The Register [[register article|reports]] on a [[a page with the trojan|trojan spotted in the wild]] that takes advantage of the so-far unpatched IE [[How to exploit?|vulnerability]] [[Slashdot story|mentioned on Slashdot]] earlier this week."

Re:I hate this style of commenting.

[alexhs]

> [[a page with the trojan|trojan spotted in the wild]]

Click !

Thousands of Slashdotters using IE (at work!) just did infect their computers (and the whole LAN at the same time).

Tenths of thousands rambling because the trojan has been Slashdotted already !

porn on linux

[lithod02]

So, if I run IE under wine on linux I can get all the free pr0n delivered to my desktop. Nice. Click the big blue "E" for free e-pr0n

Re:porn on linux

[Rick17JJ]

It is actually possible to run IE under Linux, at least the the Codeweavers CrossoverOffice version of Wine. It really is possible to have a big "E" on your Linux desktop. Of course there are actually better browsers available for Linux. I would not really want to do that but here is info:

Running IE 6.0 under Linux

I don't have any idea if that particular trojan would run on IE under Wine in Linux. But, earlier this year someone tried to make some viruses to run under Wine. He wasn't very sucessful at that. Not a single virus was able to send email and propagate itself. Here is his article about tring to run viruses under Wine on Linux:

Running Windows viruses with Wine

I don't actually visit porn sites very often but have occasionally done that over the years while using Linux. I remember trying to download a few photos once and two of the supposed photos actually ended in .jpg.exe. I was glad that I was not running under Windows and IE at the time. Most likely, they were targeting their Windows using visitors with some kind of trojan, spyware or browser hijacker. Fortunately, Linux browsers do not automatically try to run Windows .EXE files under Wine. Does Windows still allow ActiveX controls and VBScript to enable Windows machines to be taken over automatically? Linux browsers do not support ActiveX and VBScript and they do not allow things like that to happen automatically. Most Linux users also do not run as "root" with administrative priveleges most of the time like most Windows users do on their home computers. Not running as "root" adds additional protection.

The moral of the story is, if you want to visit porn sites, don't do it while running Windows and IE. Use a Mac or Linux for that purpose instead. Visiting porn sites is like the Internet equivalent of a bad neighborhood.

Silly h4x0r, Lynx is for Terrorists!

[Brunellus]

Except that using Lynx tells the authorities that you are a malicious h4x0r...apparently, using a "non-standard" browser will cause the SWAT team to descend on you in true Terry GilliamBrazil style.

Oh come on!

[null-sRc]

Hole in IE?

Exploited?

Must be a slow news week.

One Care Live

[VisceralLogic]

Maybe they're selling the fix through the new anti-virus software?

Crapware

[PacketScan]

Would this be the 6 month old exploit that MS didn't feel was important enough to take care of? Complete Crap..

This is the perfect example

[this+great+guy]

...of why we say that MS doesn't care enough about the security of its users. MS should be even more committed into improving the speed of development & QA of security patches. This particular zero-day vuln is known since at least one week, and MS still hasn't distributed a fix. Delaying the release of a fix to Patch Tuesday doesn't make any sense when the vuln details are already publicly known. They should at least release beta patches (if the QA process is not yet complete) for users who NEED security and can afford potential stability problems. Other users can wait for Patch Tuesday if they want.

But one week is nothing compared to other vulns. Look at this list of other currently unpatched holes in MS products: http://www.eeye.com/html/research/upcoming/index.h tml. Some of them has been reported months ago and are still unfixed. This is inadmissible for a multi-billion dollars company.

Re:This is the perfect example

[ravenwing_np]

Ok, I really offended by the suggestion to release something that hasn't finished the QA process. There could be something dangerously broken with the mystical "patch" you speak of (which might or might not exist), but you want it out in the world anyway. If they did release something that caused more problems than it solved (has happened before) you'd be crying bloody murder at them for releasing something before it was ready.

It isn't like they have a wall of potions and just mixing the right combination would solve a problem.

Re:This is the perfect example

[BRSloth]

This particular zero-day vuln is known since at least one week, and MS still hasn't distributed a fix.

I'm willing to give them the option that their code suck so much that fixing this would take more than a week.

Re:This is the perfect example

[this+great+guy]

No, releasing beta security patches would be good, this is what Sun does for Solaris for example. Because with beta patches the users have the choice of applying them or not, while the current MS policy leave no choice to users.

Is it so hard to understand ?

Re:This is the perfect example

[Dan_Bercell]

Solaris doesnt cover as many systems as Windows, please dont try to compare them.

1. Windows covers a lot more areas then Solaris, and more people use it, thus screwing up a patch for Windows will really screw up a lot of people compared to a Solaris.

2. Windows Works with proably 1000x more software packages then Solaris does, thus rushing patchs has a much higher chance of screwing people up then a rushed Solaris patch.

3. Solaris is a dying product, sounds like these 'beta' patches are more of a marketting thing, what admin would push out beta patches to an entire network? By the time he was done 'testing' the patch, the real patch would be released and he would have to start the test all over again.

Re:This is the perfect example

[this+great+guy]

You obviously don't get my point. Please reread my post while ignoring the Solaris part. I wasn't trying to compare it with Windows.

Re:This is the perfect example

[Tschepsit]

This is inadmissible for a multi-billion dollars company.

No, this would be standard practice for a multi-billion dollars company. Left hand, meet...oh crap, where'd right hand go?

Re:This is the perfect example

[SuiteSisterMary]

Of course, this is the same Sun that puts out patch revisions; sometimes, you have to upgrade (or patch) your patches....

i need a copy please

[LodCrappo]

could anyone point me to where I might pickup this gem of a virus? I'm a little bored and was hoping to "research" the auto-pr0n capabilities. Reinstalling IE now...

Re:i need a copy please

[Shawn+is+an+Asshole]

How did you uninstall it in the first place? The only way I know it to use something like Revenge of Mozilla or 98lite, but those only work with 98. With XP and 2k, it seems the best you can do is hide it.

Re:i need a copy please

[LodCrappo]

yeah, you can "remove" it by add/remove programs, windows components.. but i think it's still there really. most machines I've seen seem to fire it up if you run "iexplore" regardless of whether its technically installed. microsoft bastards. but i think maybe windows can't really run without it. -Lod

Re:i need a copy please

[coofercat]

Absolutely seriously, if 10% of the people reading this put that exploit on their respective blogs, that'd end up creating something of an epidemic.

Whilst intentionally causing people problems is reprehensible, there's a side of me that thinks this is a bit of 'tough love'. If someone's still stupid enough to use IE, then maybe they need to be 'shocked' into understanding?

Then again, that's just wishful thinking, and all we'd have is an epidemic of pr0n surfing ejits who can't work out where the power button is. Okay, I'll shut up now...

Re:i need a copy please

[bprime]

You'll need a serial number to reinstall Internet Explorer. Here, borrow mine:

"FCKGW-..."

Microsoft Security Ads

[KilobyteKnight]

Anyone else find it ironic that the page has ads for Microsoft "secure" network tools and trojan blocking? There was one when I first vied the page. I did a reload and it showed a different one on the same theme.

Re:Microsoft Security Ads

[parodyca]

Nope. How about some ad blocking though? http://adblock.mozdev.org/. You'll never have to view such bunk again!

In other news...

[ZachPruckowski]

The Sky is blue!

Bears still crap in the woods!

Amazingly, the Pope is Catholic!

Re:In other news...

[varmittang]

Well, the joke is that the Pope is a Baptist:

Catholic: Who do you confess your sins to?
Baptist: God. So, who do you confess your sins to?
Catholic: A priest.
Baptist: I heard about that, who does the priest confess his sins to?
Catholic: A bishop.
Baptist: Who does the bishop confess his sins to?
Catholic: A cardinal.
Baptist: Who does the cardinal confess his sins to?
Catholic: The Pope.
Baptist: Okay, who does the Pope confess his sins to?
Catholic: God.
Baptist: Oh, so the Pope is a Baptist!

Re:In other news...

[metternich]

Actually a priest can take anyones confession, so the Pope confesses to a Priest as well.

Suffer in silence

[Billosaur]

I'm beginning to suspect that all these IE vulnerabilities are a marketing ploy. Let's face it, there's got to be 100 articles a week on IE vulnerabilities, keeping IE in front of everybody, while Firefox & Opera get so little coverage (except for maybe on /.). Of course if this is true, then it just goes to prove how genuinely stupid and useless marketing people really are...

Lets keep it fair!

[XMilkProject]

Before everyone gets too worked up bashing IE, as in the previous few articles on this exploit, let's remember that this problem was freezing/crashing FireFox 1.5 also.
Although the security threat isn't existent in FireFox, the browser still fails on these pages.

Now before I get flamed, let it be known that I think IE is a disaster and it's lack of standards compliance is one of the main things holding back proper advancment in web technologies, but we don't want to go and be unfair when our browser crashes too!

Re:Lets keep it fair!

[amrust]

I agree, fair is fair. But /. has been pretty good about making a big deal over "flaws" in Firefox, lately. It wasn't too long ago that I recall reading here almost once a week about some "new security vulnerability" in Firefox.

Of course, I'm bitter about IE this week anyway, after trying like crazy to get IE to work with Outlook Web Access, for my wife in her office at home. Ran every update Microsoft asked for, searched every Knowledge base article I could find. No help. How did I resolve it?

I switched my wife to Firefox, and it works just fine. One of her department heads (after telling them about how we fixed 'her email problem') basically replied "that's what we use at home, too. It's better and more secure, anyway."

Microsoft better watch out. Like it or not, Firefox is creeping up on them, little by little.

Re:Lets keep it fair!

[ZachPruckowski]

Although the security threat isn't existent in FireFox, the browser still fails on these pages.

"$RANDOM_WEBSITE crashes a browser" isn't worth a news article. It's worth a bug report, and a fix, either to the site or to the browser, but it isn't worth a news story. Major crashes and computers being remotely controlled, however, is a big deal.

Re:Lets keep it fair!

[GweeDo]

Actually it doesn't freeze/crash FF. It just takes 90 seconds to two minutes to render the 200k+ char string that is getting passed to the prompt() for this exploit to get started.

Re:Lets keep it fair!

[dreamer-of-rules]

"$NOT_SO_RANDOM_WEBSITE crashes a browser" IS noteworthy. If a browser accepts untrusted data, then is closed by the operating system for doing something un-program-like (in other words, crashing), then it reveals a programming flaw that might be exploited six months down the road.

Browsers should never crash.

Re:Lets keep it fair!

[ZachPruckowski]

If a browser accepts untrusted data, then is closed by the operating system for doing something un-program-like (in other words, crashing), then it reveals a programming flaw that might be exploited six months down the road. Browsers should never crash.

Ideally, they should be free of crashes, but we're on the topic of "Let's keep it fair!", and I'm saying the Firefox reaction isn't as big a deal as the IE reaction. I'm not saying it doesn't need to be dealt with. It clearly does. I'm saying it isn't unfair to say that Firefox handles this better, since crashing is far better than surrendering your computer to remote control.

Re:Lets keep it fair!

[XMilkProject]

I agree with you, Microsoft has really let down their customers by trailing behind in the browser world. I don't have a problem with Microsoft, and If I sit down at a windows box I would prefer to be able to use the built in browser, but unfortunately it rarely provides even the most basic functionality/support. I recall reading a microsoft blog from the developers tasked with updating IE, and they kept saying "No, we didn't have a chance to make IE pass |insert any rendering test here|" or "No, we didn't get time for that feature either, we were too busy on security".

I understand that becuase of IE's integration into windows that security may be more complex than for Firefox, but I can't fathom why microsoft can't summon the resources to handle both security issues AND features.

On something like Outlook web access, it is always a bit of a trade off using firefox, as the integrated security features are of course not available as they would be with IE, so you will typically have to log in manually... And in addition, those microsoft built pages typically behave better with IE. I personally do the same as you mentioned though, using firefox to access my outlook web access, sharepoint, etc.

I agree with the other posters that of course the IE vulnerability is far more of a threat than firefox's inconvience of freezing on this sort of script. I never meant to say otherwise. Although I must say that I am unable to get the IE vulnerability to expose itself, my IE just crashes/freezes up, even on lowest security settings, which appears to be the effect most people get. Perhaps the vulnerability is not as widespread as originally though? Or maybe it was a bad implementation of the exploit.

Regardless, I will continue to use firefox for consistency across operating systems and its ability to avoid most spyware/adware/etc.

Re:Lets keep it fair!

[dreamer-of-rules]

The difference between crashing and surrendering your computer to remote control is in the data. I mean, this six-month unpatched IE vulnerability was low-priority because it "only crashed" IE. It wasn't until recently that someone figured out the right multi-thousand character string that changed it from "crashing" to "zombie".

That being said, not all crashing is exploitable, but I distrust those who say they can tell which is and which isn't.

Hello.... trojan?

[Spy+der+Mann]

What the article doesn't tell, is that sometimes, the virus redirects to goatse.

GAHHHH!!!!

Heheh. Just kidding.

Fortunately

[Asztal_]

The exploit never worked for me anyway, so I don't think I have anything to worry about ;)

Flaw

[certel]

One could make updating IE a full time job. It's rather annoying that you have to worry about this type of thing while browsing the internet.

Re:Flaw

[antispam_ben]

One could make updating IE a full time job.

Oh, you mean just INSTALLING patches! At first read I thought you meant WRITING the patches.

I suspect Microsoft already has a person assigned to writing IE patches. Maybe they're splurging and have two people assigned.

Re:Flaw

[mrchaotica]

Well, of course! Why else do you think Microsoft has a MCSE program? Microsoft makes money coming and going -- first by saving money writing quick-and-dirty code that allows exploits to happen, then again by charging money for training people on how to clean them up! In fact, this tactic is working so well for them that they're expanding into selling anti-virus/malware software too. Isn't Bill Gates a genious, for figuring out how to create his own market?!

Not a Dupe...

[doublem]

It's not a dupe, we just see so many of these kinds of stories that it SEEMS like a dupe.

the essential difference:

[design+by+michael]

crumpetts and tea are compiled with the GB version ;-)

Re:the essential difference:

[SteveAyre]

I'm currently sitting at my computer with crumpets and a cup of tea, you insensitive clod! ;)

Re:the essential difference:

[design+by+michael]

Why yes, I'm insensitive. Mr. Bush is my role model - imposing personal opinions and agendas upon the world at large. Can you hear that glory train a comin'? Freedom is marching trampling on.

*wink wink*

Nah, I love crumpets-n-tea and our friends across the pond.

I hope you patched your OSX!

[NineNine]

Oh right. OSX is perfectly safe and invunerable... so long as you patched a few unpatched critical security holes yesterday, and weren't previously infected...

http://news.com.com/Apple+releases+OS+X+security+p atches/2100-1002_3-5976718.html

Re:I hope you patched your OSX!

[Tibor+the+Hun]

well, you just have to ruin everything don't you.
thanks for the link, and I'll make sure to drop by your website later.
sounds intriguing.

Emergency patch!

[yapplejax]

Apparently, Microsoft is preparing an emergency patch for this.

For once a reason to use Windows

[tomhudson]

... and redirect surfers onto porn sites.

For once, a reason to use Windows

... so when will they release a linux version? :-)

We all know how this started

[eheldreth]

Some hacker kid got caught by his mom with the pr0n and had to write a virus to blame it on. I would condem his evil actions but I'm more upset I did not think of it first.

...is absurd and should be illegal!

[mrchaotica]

You know, if it were any other company than Microsoft, people wouldn't put up with such a thing. Microsoft selling anti-malware software would be like a car company forgetting to put brakes on their cars, and then charging for the fix! But a car company wouldn't be allowed to do that; they'd instead have to do a recall and fix the problem at their own expense. Why is Microsoft allowed to get away with it?!

MS updated Live but not IE...

[MWales]

So, the vulnerability is 6 months old, and it never got fixed as a minor risk. It got escalated to a highly critical risk (by almost all security bulletin systems) over 1 week ago, when a proof of concept came out showing that a malicious site could cause take control of PC remotely. Now there is even malicious trojans out on the net exploiting this hole in IE.

So in 1 week, what did MS do? The promoted their new Live product of course. Microsoft released a security advisory stating that no patch exists to fix the problem, but you can visit the Windows Live Safety Center and get the trojan removed by Microsoft. So instead of using some resources to fix the problem, they instead devoted resources to their "anti-virus" software, and promote it as the workaround. Well, one wonders, if this causes them to get significant visibility and traffic to their new product, why bother even fixing the original problem?

Re:MS updated Live but not IE...

[CXI]

MS is a company made up of lots and lots of divisions that all do their own thing. So the Live group was able to figure out the trojan and put in a simple script to delete the executable before the OS group could re-engineer a chunk of IE. Big deal, sounds pretty normal to me. I think you're trying to invent a conspiracy. It's not like all however many thousands of MS employees all work on all of the same things at the same time, which you seem to imply.

hmmmm...

[IronMagnus]

"redirect surfers onto porn sites."

This doesn't sound like such a bad trojan afterall.

Re:energy is liberated through blasphemy

[GNUALMAFUERTE]

Amen.

Showing religious people how wrong they really are with constructive methods that helps our society grow would be better.

But i must agree that just blaspheming is funnier, more satisfactory, and will achieve as much as the method described above, since people is blind and stupid.

Re:Stop it SONY!

[GNUALMAFUERTE]

That's something i didn't understand. Why would you put copy protection on a CD nobody would copy?

On certain things sony has released, i would put burning and massive destruction protection ;-)

i dont know

[akhomerun]

i really don't know of anyone still using IE besides the retards who run the technology in public areas that assume that anything besides microsoft's standard software setup is incompatible and compltely unusable.

Minor Correction

[tacokill]

"This is inadmissible for a multi-billion dollars company."

Strike that. This is inadmissible for a multi-billion dollar company who claims security is priority one.

doesn't fix anything

[geekee]

see here. I'm tired of open source zealots who don't even understand that the software they used is not secure.

Re:doesn't fix anything

[Crayon+Kid]

I'm tired of open source zealots who don't even understand that the software they used is not secure.

Yes, I can totally see the resemblance. On one hand, Mozilla and Firefox with a patch already available for a two-week old problem, and on the other Explorer with no patch for a 6 month old problem. It's like looking into a mirror.

Oblig 'Soviet Russia' Reference

[mattwarden]

In Microsoft Internet Explorer, porn finds YOU!

Re:energy is liberated through blasphemy

[joe83]

Rather laugh with the sinners than cry with the saints anyway, so there. BTW, why in the hell does anybody still use IE ?

3rd time reported, and its still not news

[GISGEOLOGYGEEK]

Thanks slashdot, you've now reported this non-story 3 times.

How about we start reporting every little problem with non-MS products 3 times each ... instead of maybe reporting every 5th problem.

It's time for a little balance here!

Hmmmm.........must be a dupe.

[Rank_Tyro]

I think I have seen something like this before.

Somebody did the whole 'Jedi hand wavey thing on me'..."This is not the exploit you are lookin for."

Re:energy is liberated through blasphemy

[GNUALMAFUERTE]

maybe my english understanding is a little low today, or those vodka shots made effects, but i don't really understand your post ... please clarify ...

About IE ... well, the actual question would be why is people still using windows, but, then again, people still beleive that there is a supreme perfect being ... so, it's not suprising that most of the world still uses IE ...