Slashdot Mirror

← Back to Stories (view on slashdot.org)

Highly Critical Hole Found in IE

Posted by ryuzaki0 on from the must-be-thursday dept.

dotpavan writes "Eweek reports on a highly critical MS Internet Explorer hole found by Secunia Research's Andreas Sandblad. The vulnerability is due to the processing of the "createTextRange()" method call applied on a radio button control. From Secunia, "The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2." The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition) though it could be avoided by turning off Active Scripting, as suggested by Microsoft Security Response Center blog. How would this put MS in the market, hit by the ever-growing shots of vulnerabilties? And would the divorce of IE7 from Vista's Windows Explorer help?"

36 of 336 comments (clear)

  1. Patch available by thrillseeker · · Score: 5, Funny

    here

    1. Re:Patch available by babbling · · Score: 3, Funny

      That won't fix the problem completely. To complete the fix, iexplore.exe should be replaced with a program that runs firefox.exe instead.

    2. Re:Patch available by Stellian · · Score: 5, Insightful

      Mozilla has bugs to. Lots of them. The difference, however is the time it takes to patch them.
      Folks like Secunia can profit only when the patch takes a long time to develop. As long as it is a secret vulnerability, it has value. This vulnerability is the perfect example: MS was notified about this on 13/02/2006, 40 days ago. They had all the opportunity to fix it in this month's security patch, but thy did not. So the patch will come no earlier than 2 months after discovery - that's a huge window of exposure.
      It was only when I have rediscovered the bug, and posted an inquiry about it on the Full Disclosure mailing list, that Secunia rushed to finally publish the advisory. I must note that I did not develop the exploit independently, I simply piked it up on underground forums.
      I say this is not "responsible disclosure", and that it is *irresponsible* to keep a bug of this magnitude unpatched for 2 months. Because there is a high risk that it will be found by the bad guys in the meantime - just like it happened with this bug.

      --
      Stelian ENE

    3. Re:Patch available by weisen · · Score: 4, Insightful

      I think that it's a matter of attitude, also. The referenced security blog says:

            We're going to continue to look into this but remind you also that safe browsing practices can
            help here, like only visiting trusted websites, etc.

      The idea that the user should be careful about which sites they browse to is insane. It's hard to imagine a corporate culture that thinks this way, if it's a pervasive attitude, ever producing a reasonably secure product.

      It's one thing to expect the user not to download an executable and then run it as Administrator. It's quite another to expect people to be "careful" which Google hits they click on.

  2. Highly Critical Hole Found in IE? by Anonymous Coward · · Score: 5, Funny

    Must be thursday.

    1. Re:Highly Critical Hole Found in IE? by lowe0 · · Score: 4, Funny

      I could never quite get the hang of Thursdays.

  3. Perhaps it would save time... by Threni · · Score: 5, Funny

    ...if researchers just identified the bits that *weren't* totally insecure?

  4. It is not a dupe! by Life700MB · · Score: 5, Funny


    It's a brand new hole!


    --
    Superb hosting 20GB Storage, 1_TB_ bandwidth, ssh, $7.95

  5. Re:GAH by dotpavan · · Score: 4, Insightful

    the cure to a problem is not hiding it.

  6. Do what now? by Rob+T+Firefly · · Score: 5, Funny

    TFA: Microsoft plans to release a pre-patch advisory with workarounds for a "highly critical" vulnerability that could put millions of Internet Explorer users at the mercy of malicious hackers

    So this article updates us to the fact that they plan to update us with an article prior to the update?

    --
    Slashdot Burying Stories About Slashdot Media Owned
  7. because by dotpavan · · Score: 4, Insightful
    .. MS will eventually make a patch for it..

    its the time period that sometimes makes it more panicky.

  8. Could be worst... by __aaclcg7560 · · Score: 4, Funny

    It could've been a very cynical hole in IE concerning when Windows Vista will finally be released.

  9. How does this fare with previous statements? by OneSeventeen · · Score: 3, Insightful

    With security being #1 in IE7, and numerous IE7 articles published by both microsoft and non-microsoft advocates praising the security and reliability of the new MS Browser, can we conclude that even with their upcoming browser media hype is still the best feature?

    Personally, I understand if people don't want to use Firefox, it isn't the best browser either, no browser is the best across the board. I don't, however, understand why people want to continue to use Internet Explorer. It has been proven time and time again to be buggy, and patches take weeks longer than in most other browsers.

    Not being a hardcore developer myself, I don't know what causes this, but might this have been avoided if Microsoft adhered to the Javascript standards rather than "tweaking it" for IE?

    --
    "Now the trouble about trying to make yourself stupider than you really are is that you very often succeed." -C.S. Lewis
    1. Re:How does this fare with previous statements? by CagedBear · · Score: 4, Insightful

      Development problems aren't caused by hardcore developers. They are caused by hardcore management.

    2. Re:How does this fare with previous statements? by MindStalker · · Score: 4, Insightful

      Well it is a beta IE7 after all. Either way Vista will have IE seperated from the OS. The version of IE7 for XP will still be incorperated with the OS. So realistically IE7 for XP and IE7 for Vista will be very different browsers as far as security goes, and one can not assume a security hole for XP with exist (or matter) in the Vista version.

  10. Proof of concept by Anonymous Coward · · Score: 5, Funny
  11. Not possible. by babbling · · Score: 4, Informative

    Can't... it's required for Windows Update! If you don't update, you're screwed!

    Can't be secure with ActiveX, can't be secure without ActiveX... but what would happen if ActiveX didn't exist?

    1. Re:Not possible. by bedroll · · Score: 5, Informative
      Disable ActiveX in the Internet Zone and add *.windowsupdate.com and *.microsoft.com to your trusted sites.

      ActiveX really should only run from trusted sites anyway.

  12. got it backwards by gurutc · · Score: 3, Funny

    IE is the hole, into which are placed 'features' such as this exploit, tied to the feature called 'activex.' Remove these 'features' and all that is left is the nothingness that is a hole.

    --
    Moderation in All Things... Especially Moderation - gurutc
  13. Use it for good not evil by slashbob22 · · Score: 3, Funny

    createText("install firefox.exe");
    createTextRange(-1);

    And just let the exploit install firefox. It's just that easy.

    --
    Proof by very large bribes. QED.
  14. mirror by eclectro · · Score: 4, Funny

    here.

    IE user, your house is on fire. Run for the hills! Go! Go!

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  15. Re:Dupe! by WillAffleckUW · · Score: 3, Informative

    No, according to InfoWorld, there are two bugs, so it's not a dupe, it's a second bug.

    But, good catch!

    --
    -- Tigger warning: This post may contain tiggers! --
  16. I am... by PFI_Optix · · Score: 3, Funny

    ...Jack's complete lack of surprise.

    --
    120 characters for a sig? That's bloody useless.
  17. Re:It's funny by mizhi · · Score: 4, Insightful
    That in the very previous /. story about a Sun product vulnerability, the hackers get ripped, but when it's Microsoft, the software company gets ripped.

    Here's the difference: In Sun's case, the hackers didn't alert Sun to the vulnerability. They just DOS'd a free service that Sun provided the world, causing headaches for people attempting to use the service. Their actions accomplished absolutely nothing (the grid was not affected), and resulted in Sun pulling a previously free product behind a security wall for which people are required to subscribe. Good going!

    In this case, a researcher discovered a flaw in the browser, and instead of being an a$%hat by writing yet another worm or malicious program, alerted Microsoft to the bug. Which is now in the process of being patched.

    --
    Humorless sig goes here.
  18. Slashthink. by Captain+Scurvy · · Score: 3, Informative

    So collectivist nerds can sit and giggle self-contentedly to themselves when MS looks bad.

  19. DDOS is a vulnerability? by SanityInAnarchy · · Score: 4, Insightful

    I wish I had mod points, because you'd be -10 moron.

    If DDOS is a vulnerability, it's one that all systems share, and thus, we'd have to be extremely jaded and cynical for blaming Sun for getting hit with one.

    It doesn't help that the existance of vulnerabilities in Microsoft's products is probably the reason it was so easy to attack Sun.

    --
    Don't thank God, thank a doctor!
  20. IE 7 in Vista would have been safe by ThinkFr33ly · · Score: 4, Insightful

    IE 7, when run on Windows Vista, would not have fallen victim to this or any other exploit of this nature. The reason for this is the fact that IE 7 on Vista runs as a user with virtually no privileges, regardless of privileges of the user using IE 7.

    Essentially all actions that require higher privileges, such as writing to non-temp locations on the file system, executing applications, installing plugins, changing settings, etc, will be done through the use of a broker.

    The broker is very small, perhaps only a few thousand lines of code. This makes auditing the broker far easier than auditing the hundreds of thousands of lines in IE 7.

    When IE 7 wants to save a file to the user's desktop, for instance, it must first "ask" the broker if it can do this. The broker is written in such a way that all actions require the user to confirm this is OK via a dialog box. If the user says it's OK the broker completes the action on behalf of IE 7.

    If IE 7 has a buffer overflow or exploit of some kind and tries to do something nasty it will always fail because it is running as a user with basically no privileges on the system.

    There is a video that describes this in detail on Microsoft's Channel 9 web site.

    1. Re:IE 7 in Vista would have been safe by Tumbleweed · · Score: 3, Funny

      This just goes to show that if you give MS enough time, they'll eventually be able to reinvent UNIX-like security. That's a relief.

    2. Re:IE 7 in Vista would have been safe by Tim+C · · Score: 3, Insightful

      How so? It's not uncommon for "special" system processes to need to be started as root but to give up the extra privileges as quickly as possible, but I have never heard of an "ordinary" user process switching to an even less privileged user account.

      Besides which, the security model in NT-based systems is much richer than that in Linux-based systems. Unfortunately a few poor design/marketing decisions and a generation of sloppy coders too used to 9x-based systems has gone a long way to obviate that advantage, as far too many people simply run with administrative privileges.

      That said, the clueless will always be a danger to themselves, whatever system they run.

      --
      It's official. Most of you are morons.
  21. MS Claims Latest IE 7 Beta is not Susceptible by squidguy · · Score: 3, Informative

    The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition) though it could be avoided by turning off Active Scripting, as suggested by Microsoft Security Response Center blog.

    Per the same blog, the 20 March release of IE7 Beta is not vulnerable.

    Caveat emptor... I haven't tested it.

  22. Safest browser ever available by Otis2222222 · · Score: 4, Funny

    Here. Guaranteed not to be exploited by any javascript or plugin vulnerability. Or by any site that uses frames.

    1. Re:Safest browser ever available by phantomfive · · Score: 4, Funny

      Lynx only seems safe because it has such a small marketshare. As soon as more people use it, hackers will target it more. You will see.

      --
      Qxe4
    2. Re:Safest browser ever available by Beryllium+Sphere(tm) · · Score: 4, Informative

      The only thing funnier than jokes about Lynx vulnerabilities is that there have been real ones. Remote shell access in Lynx, Lynx command injection, Lynx NNTP buffer overflow.

      Maybe the thing to do is to telnet to port 80 and parse the HTML in your head, but then someone will probably find an HTML trick that will drive everyone who reads it insane.

  23. The 1st IE7 worm after the 'divorce' from windows by rubberbando · · Score: 4, Funny

    shall be named "alimony"!

    --
    DEAD DEAD DEAD DELETE ME
  24. The Good News for Windows Users by hahiss · · Score: 3, Funny

    The good news is that at least we know that IE 7 is backward compatible with IE 6 vulnerabilities.

    --
    "Every decent man is ashamed of the government he lives under." - H.L. Mencken
  25. Updates are necessary, Windows Update is not by InvisiBill · · Score: 3, Informative

    I can't remember the last time I used Windows Update. Automatic Updates does most of what I used WU for, even more easily. If I want other updates, Windiz Update is very similar, but works in non-IE browsers.