Web Site Attacks Against Unpatched IE Flaw Spike

An anonymous reader wrote to mention a Washingtonpost.com article about an increase in attacks against IE users via a critical, unpatched flaw. The bug allows software to be downloaded to the vulnerable PC even if the only act the user takes is browsing to a web site. From the article: "[A] password-stealing program landed on the Windows PC belonging to Reaz Chowdhury, a programmer for Oracle Corp. who works out of his home in Orlando, Fla. Chowdhury said he's not sure which site he browsed in the past 24 hours that hijacked his browser, but he confirmed that the attackers had logged the user name and password for his company's virtual private network (VPN)."

Lets say it together:

[gerbalblaste]

Use Firefox

Re:Lets say it together:

[mOOzilla]

This is not enough, when you use other applications for example Yahoo Messenger or MSN Messenger (just examples, there are others) that take a dependancy on the COM components that IE also uses you are vulnerable too. This is why it is just as important to have the IE patches even if YOU do NOT run IE! Other applications that have taken dependancies on it WILL still need to be patched.

Porn sites

[teshuvah]

That's what you get for looking at porn when you're supposed to be working!

Legislation Needed?

[RunFatBoy.net]

I understand that there will be bugs. BIG gaping security holes will happen.

I worked at an air force base and they were definitely standardized on IE. Knowing about these bugs and electing _not_ to fix them expediently, couldn't this be considered a threat to national security?

If there are over 160 million+ computers in the US alone, and 90% of those PC's use Internet Explorer, how can the US Gov. not justify action in insisting these issues be resolved promptly?

Jim http://www.runfatboy.net/ -- Exercise for Web 2.0

Re:Legislation Needed?

[jmorris42]

> If there are over 160 million+ computers in the US alone, and 90% of those PC's use
> Internet Explorer, how can the US Gov. not justify action in insisting these issues
> be resolved promptly?

No, how about secure sites take responsibilty for their own incompetence. Both Windows and IE are licensed (and on large sites it really is a license and not a sale) on a general disclaimer of all warranties for suitability to purpose, security, etc. Add in a decade long record of having more remote exploits per year than sendmail's worst year and any IT organization using Windows in general and IE/Outlook especially should be mass terminated for cause, said cause being their choice between gross incompetence and willful disregard for national security.

From a security perspective ANYTHING would be an improvement over deploying Windows/IE/Outlook, OS/2 + Mozilla, Old PowerMacs running OS 9, anything. So any site where security is important, such as the US Military, Department of Homeland Security, etc. deploying the standard Win crap has only itself to blame. Yes saving money by buying COTS is a good thing, but only when it doesn't compromise national security, and if anyone can make an argument that buying Windows isn't risking national security I'd really like to hear em make the pitch.

Re:Legislation Needed?

[hughk]

In an orgnisation, I can understand the need for 'approved' applications. However, one of the more enlightened banks that I worked at had Opera and Firefox available, officially to support alternate browsers for customer access. Unofficially many IT staff installed alternative browsers and it meant that there was no monoculture thus reducing the banks vulnerability.

Re:linking=vouching for

[FooAtWFU]

Google?

Now that's a solution!

[zubinjdalal]

FTA: Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code"...

Sure I could guess but which ones exactly would those be?

OLD! Look at the date of this info

What is happening to slashdot? This is sooooo OLD!!!

In other news...

[zolaris]

Related, F-Secure posts: "Microsoft has put out a warning on a new, nasty, unpatched vulnerability in Internet Explorer. Proof-of-concept exploits are already out. Disable IE's active scripting or switch to any other browser. Not necessarily Firefox - just any other browser. " It's sad when the solution is "Any other browser".

Windows is more secure.

[xmorg]

I have heard about all these tests that they put up a windows server vs a Linux/BSD server and you get Windows being more "secure" in certain areas, etc.

But this is what we are talking about when we says LESS secure. Anyone running a server in a professional environment is expected to know what he or she is doing. What windows lacks in security has to do with workstations/personal computers at a persons home browsing the web on IE, who is not a security expert and shouldnt need to be! Windows continues to leave the \windows \windows\system, windows\system32, and the system registry wide open to any executable/script hacker who wants in.

My friends logon to the net and start clicking around, etc, and whala! you are full of virii and malware so thick it baffles most techs nowdays.

IE7 beta2 is the solution? Not for 2K users

[smooth+wombat]

From the article:

Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code" and that people who want to use IE should either disable "active scripting" or download the IE7 beta2 preview.

That's nice. Now when is Microsoft going to code IE7 to work on the hundreds of thousands (millions?) of pcs still running Windows 2000?

They're not? You mean I have to shell out more money to get a fix for a problem which is caused by their product?

Just another reason not to go with Vista. Another Mac convert on the way.

Re:Serious Question (not flaimbait)

[99BottlesOfBeerInMyF]

What's the general opinion? If the majority of casual surfers used Firefox or other alternative, would reverse engineers switch focus to those apps?

What makes you think the majority don't focus on alternative browsers now? From what I've seen there are about as many people pounding on Firefox as there are on IE. It's just the people who find things in Firefox usually get them fixed much more quickly. Of course if Firefox gains in market share more people will look for holes, but that does not mean it will ever have the level of problems IE does because of the design decisions and the development process. Heck, right now their are two completely different unpatched remote exploits to install and execute Foo via IE. The fact that a hole can be discovered, reported, the discoverer can get tired of waiting for MS, it can be publicly published, someone can make an exploit, and script kiddies can deploy it everywhere all before MS can get a patch out is intolerable. That more than one such hole can happen at a time is just sad.

Re:That why I stay with #2 or #3

My Rule of thumb is whenever possible choose and use the #2 or #3 popular software.

So your best security advice is to run IIS?

What webserver software is getting commandeered?

[wernst]

So, the article says that hackers are breaking into webservers and injecting this code that exploits an IE flaw. Fine.

So, WHAT WEBSERVERS are being hacked into to do this? IIS? Apache 1.3? Apache 2? Windows only? Linux only? Something else? All of the above?

I don't ever use IE for anything, but I do run many websites with a variety of platforms and server software. I'd love to know what it is I'm supposed to be looking for on my servers...

Re:"... said he's not sure which site he browsed..

[hal9000(jr)]

I'm surprised that a programmer would not have the common sense to disable active scripting for the internet at large, and only enable ActiveX and scripting for Trusted Sites.

Hrm, don't blame the victim. Sure, you can turn off active scripting (mainly javascript), but do you know how many sites fail to function properly without it and that is only going to get worse sith the rush to have more interactivity on the client? Think of all the hype around AJAX.

Nah, acripting in browsers (javascript, activeX, flash, showwave, etc) should be properly sandboxed so that they can't access system resources like the file system and execute commands. The problem lies with how IE is developed, not with a user regardless of thier knowledge level.

Re:What webserver software is getting commandeered

[slughead]

So, WHAT WEBSERVERS are being hacked into to do this? IIS? Apache 1.3? Apache 2? Windows only? Linux only? Something else? All of the above?

I think it's any webservers whose webmasters use IE. Lemme explain:

1) a dumb webmaster has his PW for his webspace stored in windows
2) dumb webmaster (who should know better) visits a site while using IE, and the site steals his password
3) script or person uses the password to login to the webspace, add in malicious code, and the cycle continues

Re:Enter Sherlock Holmes ...

[Ajehals]

Never worked at Oracle but ended up doing an eval of 10g, which whilst it wasnt what I needed, certainly wasnt poor.

I guess I dont understand IT Pro's who arent fanatical about IT and therefore are at least aware of issues like this one - although I admit that I have failed to patch windows boxes when needed to ensure that my dev or production environments stayed stable.

I figure that if you dont patch though you dont get to whine. - Before I get flamed on that point obviously you can only patch when you have a patch available - and if you dont patch you have got to use other forms of protection.

(turning you PC off and leaving it off works well but hurts productivity - or at least should hurt productivity!)