Slashdot Mirror


Web Site Attacks Against Unpatched IE Flaw Spike

An anonymous reader wrote to mention a Washingtonpost.com article about an increase in attacks against IE users via a critical, unpatched flaw. The bug allows software to be downloaded to the vulnerable PC even if the only act the user takes is browsing to a web site. From the article: "[A] password-stealing program landed on the Windows PC belonging to Reaz Chowdhury, a programmer for Oracle Corp. who works out of his home in Orlando, Fla. Chowdhury said he's not sure which site he browsed in the past 24 hours that hijacked his browser, but he confirmed that the attackers had logged the user name and password for his company's virtual private network (VPN)."

6 of 268 comments

  1. Let's say it together: by gerbalblaste · · Score: 5, Insightful

    Use Firefox

  2. Legislation Needed? by RunFatBoy.net · · Score: 5, Insightful

    I understand that there will be bugs. BIG gaping security holes will happen.

    I worked at an air force base and they were definitely standardized on IE. Knowing about these bugs and electing _not_ to fix them expediently, couldn't this be considered a threat to national security?

    If there are over 160 million+ computers in the US alone, and 90% of those PCs use Internet Explorer, how can the US Gov. not justify action in insisting these issues be resolved promptly?

    Jim http://www.runfatboy.net/ -- Exercise for Web 2.0

  3. Now that's a solution! by zubinjdalal · · Score: 4, Insightful

    FTA: Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code"...

    Sure, I could guess, but which ones exactly would those be?

  4. In other news... by zolaris · · Score: 5, Insightful

    Related, F-Secure posts: "Microsoft has put out a warning on a new, nasty, unpatched vulnerability in Internet Explorer. Proof-of-concept exploits are already out. Disable IE's active scripting or switch to any other browser. Not necessarily Firefox - just any other browser." It's sad when the solution is "Any other browser".

  5. What webserver software is getting commandeered? by wernst · · Score: 4, Insightful

    So, the article says that hackers are breaking into webservers and injecting this code that exploits an IE flaw. Fine.

    So, WHAT WEBSERVERS are being hacked into to do this? IIS? Apache 1.3? Apache 2? Windows only? Linux only? Something else? All of the above?

    I don't ever use IE for anything, but I do run many websites with a variety of platforms and server software. I'd love to know what it is I'm supposed to be looking for on my servers...

  6. Re:"... said he's not sure which site he browsed.. by hal9000(jr) · · Score: 4, Insightful

    I'm surprised that a programmer would not have the common sense to disable active scripting for the internet at large, and only enable ActiveX and scripting for Trusted Sites.

    Hrm, don't blame the victim. Sure, you can turn off active scripting (mainly JavaScript), but do you know how many sites fail to function properly without it? And that is only going to get worse with the rush to have more interactivity on the client. Think of all the hype around AJAX.

    Nah, scripting in browsers (JavaScript, ActiveX, Flash, Shockwave, etc.) should be properly sandboxed so that it can't access system resources like the file system and execute commands. The problem lies with how IE is developed, not with a user, regardless of their knowledge level.