Slashdot Mirror


Highly Critical Hole Found in IE

dotpavan writes "eWeek reports on a highly critical MS Internet Explorer hole found by Secunia Research's Andreas Sandblad. The vulnerability is due to the processing of the "createTextRange()" method call applied on a radio button control. From Secunia, "The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2." The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition), though it could be avoided by turning off Active Scripting, as suggested by the Microsoft Security Response Center blog. How would this put MS in the market, hit by the ever-growing shots of vulnerabilities? And would the divorce of IE7 from Vista's Windows Explorer help?"

13 of 336 comments

  1. Just by Eightyford · · Score: 1, Informative

    Just stop using activex.

  2. Not possible. by babbling · · Score: 4, Informative

    Can't... it's required for Windows Update! If you don't update, you're screwed!

    Can't be secure with ActiveX, can't be secure without ActiveX... but what would happen if ActiveX didn't exist?

    1. Re:Not possible. by bedroll · · Score: 5, Informative
      Disable ActiveX in the Internet Zone and add *.windowsupdate.com and *.microsoft.com to your trusted sites.

      ActiveX really should only run from trusted sites anyway.

  3. Re:Good week for MS by stupidfoo · · Score: 2, Informative

    Well, of course it can, that's the point of an HTML Application. The problem is that they can be executed without the users permission.

  4. Re:Dupe! by WillAffleckUW · · Score: 3, Informative

    No, according to InfoWorld, there are two bugs, so it's not a dupe, it's a second bug.

    But, good catch!

    --
    -- Tigger warning: This post may contain tiggers! --
  5. Slashthink. by Captain+Scurvy · · Score: 3, Informative

    So collectivist nerds can sit and giggle self-contentedly to themselves when MS looks bad.

  6. MS Claims Latest IE 7 Beta is not Susceptible by squidguy · · Score: 3, Informative

    The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition) though it could be avoided by turning off Active Scripting, as suggested by Microsoft Security Response Center blog.

    Per the same blog, the 20 March release of IE7 Beta is not vulnerable.

    Caveat emptor... I haven't tested it.

  7. Re:Easy formula by yammosk · · Score: 2, Informative
    In the same vein (but totally against any mathematical logic), any company (including evil ones) that is associated with Open Source and/or Linux automatically becomes good.

    Oracle == Evil
    Oracle * Linux == Good
    China == Evil
    China * OSS == Good


    Obviously OSS and Linux are absolute value functions.

    Oracle == Evil
    Linux(Oracle) == Good
    China == Evil
    OSS(China) == Good
  8. not as bad as it sounds by tota · · Score: 2, Informative

    for sure, I don't mean to be defending IE, but according to the original bug report (copied from Full Disclosure ML):
    *******
    I can't find any info on this delicious IE bug, but it seems to be publicly known:

                    r=document.getElementById("c");
                    a=r.createTextRange();

    It will badly access a (virtual?) pointer table, making EIP jump to a random address. This has various effects on the system I've tested with, including crashing. It works on these versions of mshtml.dll:
    XP SP2: 6.0.2900.2802 - latest
    WS2003: 6.0.3790.0
    *******

    So EIP goes to a random address, big deal. This is not exploitable unless you can allocate a huge chunk of memory and place lots of NOPs followed by the payload, then you've got to hope the random jump lands in that region. Not likely to work.

    This is bad (crash) but not remotely exploitable (no worm on the horizon)

    --
    TODO: 753) write sig.
    1. Re:not as bad as it sounds by say · · Score: 2, Informative

      I doubt the code says EIP.jumpTo(rand.newInt()). There is probably a way to foresee what address the EIP will pick, and that makes this potentially exploitable. But obviously it would be very, very difficult.

      --
      Roses are #FF0000, violets are #0000FF, all my base are belong to you
  9. Updates are necessary, Windows Update is not by InvisiBill · · Score: 3, Informative

    I can't remember the last time I used Windows Update. Automatic Updates does most of what I used WU for, even more easily. If I want other updates, Windiz Update is very similar, but works in non-IE browsers.

  10. Re:Safest browser ever available by Beryllium+Sphere(tm) · · Score: 4, Informative

    The only thing funnier than jokes about Lynx vulnerabilities is that there have been real ones. Remote shell access in Lynx, Lynx command injection, Lynx NNTP buffer overflow.

    Maybe the thing to do is to telnet to port 80 and parse the HTML in your head, but then someone will probably find an HTML trick that will drive everyone who reads it insane.

  11. Doesn't help by Bacon+Bits · · Score: 2, Informative

    Disabling ActiveX doesn't help. The workaround is to disable active scripting. That will also disable everything in , , and tags. That means everything from Java applets and Flash to JavaScript (and therefore stuff like AJAX and most DHTML events).

    In other words, the "fix" is to use your browser in 1995 mode.

    --
    The road to tyranny has always been paved with claims of necessity.
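
The workaround that bedroll (comment 2.1) and Bacon Bits (comment 11) are arguing about comes down to two per-zone settings and a Trusted-sites list. As an added example, not code from the thread or from Microsoft, here is the same change expressed as a PowerShell script against the per-user IE zone registry keys. Setting "1400" (Active scripting) is what actually stops a page from calling createTextRange() from script; "1200" (Run ActiveX controls and plug-ins) is the ActiveX switch bedroll mentions. The update hosts placed in Trusted sites are my assumption, as is the choice to change only HKCU rather than machine policy.

```powershell
# Added example (not from the Slashdot thread or Microsoft): apply the
# "disable Active Scripting / ActiveX in the Internet zone, trust the update
# sites" workaround through the per-user IE zone settings.
#
# Zone numbers: 0 = My Computer, 1 = Local intranet, 2 = Trusted sites,
# 3 = Internet, 4 = Restricted sites.
# Setting values: 0 = enable, 1 = prompt, 3 = disable.
# Value "1200" = Run ActiveX controls and plug-ins
# Value "1400" = Active scripting
#
# Assumption: the list of hosts to trust. Adjust it for your environment.

$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$internet   = Join-Path $zonesKey '3'

# Record the current (weak) state so the change can be rolled back.
$before = Get-ItemProperty -Path $internet -Name '1200', '1400' -ErrorAction SilentlyContinue
Write-Host ("Internet zone before: ActiveX(1200)={0} ActiveScripting(1400)={1}" -f $before.'1200', $before.'1400')

# Hardened state: both disabled for the Internet zone. This is the
# "1995 mode" Bacon Bits describes: every script-driven page breaks, not just
# ActiveX-hosting ones.
Set-ItemProperty -Path $internet -Name '1200' -Value 3 -Type DWord
Set-ItemProperty -Path $internet -Name '1400' -Value 3 -Type DWord

# Trusted sites are stored as ZoneMap\Domains\<domain>[\<subdomain>] with a
# value named for the scheme ("http", "https" or "*") holding the zone number.
# A bare <domain> key matches the domain and all of its subdomains, which is
# what "*.microsoft.com" means in the UI. Assumed list:
$trustedDomains = @('microsoft.com', 'windowsupdate.com')

foreach ($domain in $trustedDomains) {
    $key = Join-Path $domainsKey $domain
    New-Item -Path $key -Force | Out-Null
    # "*" = any scheme; 2 = Trusted sites zone.
    New-ItemProperty -Path $key -Name '*' -Value 2 -PropertyType DWord -Force | Out-Null
}

# Read back and report, so the operator can confirm the change landed.
$after = Get-ItemProperty -Path $internet -Name '1200', '1400'
Write-Host ("Internet zone after:  ActiveX(1200)={0} ActiveScripting(1400)={1}" -f $after.'1200', $after.'1400')
Get-ChildItem -Path $domainsKey | Where-Object { $trustedDomains -contains $_.PSChildName } |
    ForEach-Object { Write-Host ("Trusted: {0}" -f $_.PSChildName) }
```

Two caveats a practitioner would want: these are the current user's settings only, and a domain or machine policy (HKLM or the Group Policy "Security Zones" templates) silently overrides them, so check there first if the values do not take effect. And because the Trusted sites zone keeps scripting and ActiveX enabled by default, anything you add to that list is exactly as exposed to this bug as the open Internet zone was, which is the limit of the workaround.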