Web Site Attacks Against Unpatched IE Flaw Spike
An anonymous reader wrote to mention a Washingtonpost.com article about an increase in attacks against IE users via a critical, unpatched flaw. The bug allows software to be downloaded to the vulnerable PC even if the only act the user takes is browsing to a web site. From the article: "[A] password-stealing program landed on the Windows PC belonging to Reaz Chowdhury, a programmer for Oracle Corp. who works out of his home in Orlando, Fla. Chowdhury said he's not sure which site he browsed in the past 24 hours that hijacked his browser, but he confirmed that the attackers had logged the user name and password for his company's virtual private network (VPN)."
Use Firefox
I know this is Slashdot, but can we at least have a gramatically correct headline?
Download here:
http://www.mozilla.com/firefox/
I understand that there will be bugs. BIG gaping security holes will happen.
I worked at an air force base and they were definitely standardized on IE. Knowing about these bugs and electing _not_ to fix them expediently, couldn't this be considered a threat to national security?
If there are over 160 million computers in the US alone, and 90% of those PCs use Internet Explorer, how can the US Gov. not justify action in insisting these issues be resolved promptly?
Jim http://www.runfatboy.net/ -- Exercise for Web 2.0
Google?
The World Wide Web is dying. Soon, we shall have only the Internet.
My rule of thumb is, whenever possible, choose and use the #2 or #3 most popular software. The #2 and #3 have enough features to be useful but get less attention than #1. Use Linux or OS X instead of Windows; choose Opera, Firefox, or Safari over IE. No, it is not a fixed-in-stone rule, but I find it helps me out more than it hinders me.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
FTA: Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code"...
Sure, I could guess, but which ones exactly would those be?
*cough*porn*cough*
"Enough of this wretched, whining monkey life." -- Marcus Aurelius, _Meditations_, Book 9, 37
I know this is Slashdot, but can we at least have our grammar Nazis spell "grammatically" correctly?
Hmm.. I use firefox.
I have probably made over $1000 in the past year in $35.00 increments just running Ad-Aware, HijackThis and Spybot for people around town, and then recommending Firefox. Probably 10 times that amount for my commercial clients.
I used to run them on my box all the time, until I put firefox on... now I run them once a month or so - mainly for giggles and a healthy dose of paranoia. Clean.
When will they learn?
meh
More than 200 Web sites -- many of them belonging to legitimate businesses -- have been hacked and seeded with code that tries to take advantage of an unpatched security hole in Microsoft's Internet Explorer Web browser to install hostile code on Windows computers when users merely visit the sites.
Who is John Galt?
What is happening to slashdot? This is sooooo OLD!!!
So, it wasn't pr0n. But c'mon, couldn't he check the history and let others know?
Related, F-Secure posts: "Microsoft has put out a warning on a new, nasty, unpatched vulnerability in Internet Explorer. Proof-of-concept exploits are already out. Disable IE's active scripting or switch to any other browser. Not necessarily Firefox - just any other browser. " It's sad when the solution is "Any other browser".
Sometimes one wonders how Microsoft maintains its customer base in the face of these kinds of security problems. It's truly scary. And I don't need a refresher in the market forces at work.
Over on the Linux and alternative-browser side, where I live, I see patches coming out very quickly for any kind of exploit.
Sadly, the patch for the new IE flaw is scheduled for April 11th? This is according to a BBC report here:
http://news.bbc.co.uk/2/hi/technology/4849904.stm
Can't they do better than that? How about an emergency patch, followed by a fully tested one? Just something to knock the vulnerability into non-functional status? Hey, it's fine if the patch is imperfect; I'll beta test to save my banking information. Really.
I suppose I wouldn't have a problem with Microsoft's monopoly if they actually service me as a customer well enough that they deserved a monopoly position. I like a lot of their software. But these kinds of security issues need to be addressed better and faster.
Ironically, I pay a lot less for my linux servers and get better responses for both support and patches. That makes a difference to me.
Another consultant who stuck it out.
"We are the Priests, of the Temples of Syrinx..."
What's the general opinion? If the majority of casual surfers used Firefox or other alternative, would reverse engineers switch focus to those apps?
If the goal is to infect the most systems, then by default you'd avoid Mozilla or Konqueror, simply because (at best) you could only hope to control a fraction of machines with active internet connections. Maybe this question has been asked before...
Of all the bits of software in Windows, perhaps IE should be at the top of the list for migrating to .NET managed code. It seems to be the most problematic (not necessarily because of code quality, but because it's a big juicy target for hackers).
How? How can Microsoft make the changes quick enough? They have to do MASSIVE regression testing. That takes time.
So how do these sites get hits? Are they Good sites that have just been compromised?
The most common scenario right now is a server is hacked, then e-mails and IMs are sent out with links to it. I don't know of any really popular sites that have been hacked to include this.
So he really should know better, then?
In a better analogy, we would declare war on Novell.
There are no trails. There are no trees out here.
one of the sites that has been "hacked" to exploit this flaw?
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
This is a little like the WMF flaw that became known just after Christmas. Eventually MS had to provide an out-of-cycle patch (even if it was just a few days early) because of the bad press they were getting. From the looks of things, the patch for this one will be ready soon too.. so any kind of noise you can make to get an early release would be a Good Thing.
Yeah yeah, MS will get a lot of flak from Slashdotters on this, but you should bear in mind that they also provide some decent patching tools like WSUS for administrators to roll these things out. Personally, I never use IE on my Windows box, but I'm afraid it's still a fact of life in most large businesses.
Never email donotemail@WeAreSpammers.com
I have heard about all these tests that they put up a windows server vs a Linux/BSD server and you get Windows being more "secure" in certain areas, etc.
But this is what we are talking about when we say LESS secure. Anyone running a server in a professional environment is expected to know what he or she is doing. What Windows lacks in security has to do with workstations/personal computers at a person's home browsing the web on IE, who is not a security expert and shouldn't need to be! Windows continues to leave \windows, \windows\system, \windows\system32, and the system registry wide open to any executable/script hacker who wants in.
My friends log on to the net and start clicking around, etc., and voilà! You are full of virii and malware so thick it baffles most techs nowadays.
You are making the assumption that attacks come after the most popular software. If you read the interviews with the coders (not the SKs that will grab, slightly mod, and release them), you will find that they rarely go after code due to popularity. They go after code because it is so simple to do so. Basically, Windows, IE, Outlook, and IIS are just so easy to attack.
In fact, if MS is successful in creating an OS and set of apps that are more secure than the others, it will mean that Linux, BSD, Mac, and other *nix will be the target. Statistically and historically, I seriously doubt that MS can do it, but they appear to be doing the right thing.
I prefer the "u" in honour as it seems to be missing these days.
That's nice. Now when is Microsoft going to code IE7 to work on the hundreds of thousands (millions?) of pcs still running Windows 2000?
They're not? You mean I have to shell out more money to get a fix for a problem which is caused by their product?
Just another reason not to go with Vista. Another Mac convert on the way.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
You can always tell what a site is from the URL, ya' know! Also... the article mentioned that this was a home computer that was infected. This of course means that along with just business, the computer is used for other things - if not even by other users (wife, kids, etc.). Google... yeah, that's a big one. When people use search engines, they many times blindly accept whatever link it is to be safe (hehe... I'm guilty). E-mail! A-hah! Someone or something that you trust gets infected, and sends you something automatically... and well, the rest is history. IE? Bah!
...
More than 200 Web sites -- many of them belonging to legitimate businesses -- have been hacked
<slashbot>Lemme guess what those sites were running...
*chortle*
*snort*
*chortle*
</slashbot>
"They have to do MASSIVE regression testing." Ahhh, that explains it. It must be working because IE regresses with each and every day.
What kind of wishful thinking persuades someone that IE is suitable for browsing any website except the ones you have written personally?
Just set a software restriction policy to disallow executables from running from your temporary internet files. It's one of the first things I ever do when I set up my PC. Easy-peasy, japanesy.
For crying out loud, that's probably like 99% of MSIE's vulnerability. I know it's one of Microsoft's "gems" and one of its primary tools to keep the competition locked out of the areas they currently control, but it's seemingly forever the access point for evil-doers into people's computers. Disabling ActiveX is almost always, if not entirely, the answer to the problem in the short term.
I don't know what the best answer should be for those who need to use activex in the meantime... I guess it's kinda like smoking or other addictions that are generally risky and unhealthy -- it's painful to stop but pretty damned necessary.
I know this is Slashdot, but can we at least have our grammar Nazis spell "grammatically" correctly?
Next! On Slashdot!
Grammar Nazi vs. Spelling Nazi deathmatch!
Sponsored by Uwe Boll films, ltd.
So he really should know better, then?
From that one line I deduce that you've never worked at Oracle. There are still some talented people there, but much of the top talent has long since jumped ship.
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
Use FireFox, Use FireFox, Use FireFox, Use FireFox...
I know I'm preaching to the choir, but maybe we need another round of "Spread the word". I keep the "Open in IE" function available for emergencies (like a root login), but by default I use a browser that is not so heavily integrated into the OS, is lighter weight and is peer reviewed.
Why aren't we ALL insisting on these features wherever possible???
Imagine this scenario:
User installs $program. $program comes with $adware because someone's gotta pay, since the user doesn't really like paying for his software. Yes, he could switch to free... let's drop that idea. Requires brains.
$adware sells space on their servers (or they sell linking to pages containing ads). $adware displays $infected_site.
I can't prove it yet, so I won't post which company I consider responsible. But it's strange, every single computer I get into my hands that contains a trojan that used a browser flaw to get onto the machine also contained a certain piece of adware.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
You mean, er, Editors can Edit stories? OMG!!
Godwin already!
So, the article says that hackers are breaking into webservers and injecting this code that exploits an IE flaw. Fine.
So, WHAT WEBSERVERS are being hacked into to do this? IIS? Apache 1.3? Apache 2? Windows only? Linux only? Something else? All of the above?
I don't ever use IE for anything, but I do run many websites with a variety of platforms and server software. I'd love to know what it is I'm supposed to be looking for on my servers...
I'm surprised that a programmer would not have the common sense to disable active scripting for the internet at large, and only enable ActiveX and scripting for Trusted Sites.
Hrm, don't blame the victim. Sure, you can turn off active scripting (mainly JavaScript), but do you know how many sites fail to function properly without it? And that is only going to get worse with the rush to have more interactivity on the client. Think of all the hype around AJAX.
Nah, scripting in browsers (JavaScript, ActiveX, Flash, Shockwave, etc.) should be properly sandboxed so that it can't access system resources like the file system and execute commands. The problem lies with how IE is developed, not with a user, regardless of their knowledge level.
Why does the IE flaw hit Slashdot and all the papers again... yet the many Firefox ones, which have also been in Firefox for a while, are never seen anywhere?
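The zone-based lockdown the parent comment describes (scripting and ActiveX off for the Internet zone, on only for Trusted sites), as an added PowerShell example that is not from any commenter. It assumes the documented IE security-zone registry layout under HKCU (zone 3 = Internet, zone 2 = Trusted sites; URL action ids 1200/1400/1001/1004) and uses a placeholder domain for the trusted site.

```powershell
# Added example: lock down IE's Internet zone so that active scripting and ActiveX are
# disabled by default, and grant them only to sites explicitly placed in Trusted sites.
# Per-user zone settings live under HKCU; the domain below is a placeholder.
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# URL action ids: 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting,
# 1001 = Download signed ActiveX controls, 1004 = Download unsigned ActiveX controls.
$Actions = @{ '1200' = 'Run ActiveX';            '1400' = 'Active scripting';
              '1001' = 'Download signed ActiveX'; '1004' = 'Download unsigned ActiveX' }
$Enable = 0; $Prompt = 1; $Disable = 3

function Set-ZoneActions {
    # Applies one value (Enable/Prompt/Disable) to every action above for the given zone.
    param([int]$Zone, [int]$Value)
    $key = Join-Path $ZonesKey $Zone
    foreach ($action in $Actions.Keys) {
        Set-ItemProperty -Path $key -Name $action -Type DWord -Value $Value
    }
}

function Get-ZoneActions {
    # Returns action name -> current value for the given zone, so the result can be audited.
    param([int]$Zone)
    $props  = Get-ItemProperty -Path (Join-Path $ZonesKey $Zone)
    $result = @{}
    foreach ($action in $Actions.Keys) { $result[$Actions[$action]] = $props.$action }
    return $result
}

function Add-TrustedSite {
    # Maps https://<hostname>.<domain> into zone 2. Trusted sites require https by default
    # (Zones\2\Flags bit 0x4), so only the https scheme is registered here.
    param([string]$Domain, [string]$HostName = 'www')
    $key = Join-Path (Join-Path $DomainsKey $Domain) $HostName
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'https' -Type DWord -Value 2
    return $key
}

# Internet zone: no scripting, no ActiveX, no ActiveX downloads at all.
Set-ZoneActions -Zone 3 -Value $Disable
# Trusted zone: scripting and signed ActiveX allowed, but still prompt for unsigned downloads.
Set-ZoneActions -Zone 2 -Value $Enable
Set-ItemProperty -Path (Join-Path $ZonesKey 2) -Name '1004' -Type DWord -Value $Prompt
# Placeholder: replace with the business site that genuinely needs ActiveX.
Add-TrustedSite -Domain 'example.com' -HostName 'intranet' | Out-Null

Get-ZoneActions -Zone 3 | Format-Table -AutoSize
```

Group Policy (or a locked-down zone template) can overwrite these per-user values at next refresh, so on a domain-joined machine the same settings belong in the policy, not in HKCU.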
Why can't somebody with large amounts of cash, when they get their computers trashed by Microsoft's obviously crappy products, just sue the crap out of that company and set a precedent so that everyone can do the same?
Easy. Because of the EULA.
"I'm not a procrastinator, I'm temporally challenged"
Telnet eh? You lucky bastard. Some of us are still manually completing and checking TCP packets with a 15 second timeout limit. And we like it!
May the Maths Be with you!
Many times, anonymous posters post links to bad sites on message boards, blogs, discussion threads (e.g. slashdot) in the guise of links to something relevant to the topic being discussed.
-- "I never gave these stories much credence." - HAL 9000
Snow use blaming it on the weather. The rain of the editors will continue to be hail and hearty.
Intron: the portion of DNA which expresses nothing useful.
Many corporate users depend on windows-only tools that *REQUIRE* ActiveX to do their daily job. Until those tools change or no longer require ActiveX, it's an unreasonable solution to suggest disabling ActiveX for many corporate users.
don't you wish you'd used ubuntu?
I'm not saying that having IE written in fully managed code isn't a good idea, but it won't help with security. A good chunk of the problems come from the ambiguous uses of various technologies in IE (ActiveX, JScript, etc.). Many of these are functioning exactly as designed but still have undesirable side effects, such as being completely unsecured. These are problems that would exist regardless of the language binding used to build IE upon, because logical problems are still logical problems regardless of whether they are in C or Perl or C#. Rewriting a poorly designed, insecure system in C# does not automatically create a secured system (although it might make it more obscured).
The .NET Framework itself has yet another security tool that needs to be configured and can subsequently be misconfigured. It is another "confusing to the nominal user" setting that most laymen are more likely to ignore than pay attention to.
Besides, the
Sorry to break it to you, but Mac OSX makes you pay for updates too. You have to pay for every update -- 10.1, 10.2, 10.3, etc. Each of them costs money. So if you bought OSX or OS 10.1 and you want to update to the latest version of Safari or Firefox -- guess what, you have to shell out some cash because Firefox requires Mac OS X 10.2.x and the secure version of Safari requires 10.3 I think.
Because of this, my girlfriend who has an old Apple powerbook can't surf the web worth shit. So don't think that a for-profit company such as Apple will be the cure to all your M$ woes.
Anyone else find something funny in this sentence?
"...hackers have infected at least 200 sites, many of which you would not normally expect to associate with such attacks (i.e., porn and pirated-software vendors)."
I see two things...
So, WHAT WEBSERVERS are being hacked into to do this? IIS? Apache 1.3? Apache 2? Windows only? Linux only? Something else? All of the above?
I think it's any webservers whose webmasters use IE. Lemme explain:
1) A dumb webmaster has his PW for his webspace stored in Windows.
2) The dumb webmaster (who should know better) visits a site while using IE, and the site steals his password.
3) A script or person uses the password to log in to the webspace, adds malicious code, and the cycle continues.
Latewire
It's time for tech reporters to start prepending "Beleaguered" to everything they write about Microsoft, similar to what they used to write about Apple. i.e. "Beleaguered software company, Microsoft, today announced it will delay Vista" or "Beleaguered software company, Microsoft, will push back the launch of Office to coincide with Windows" or "Beleaguered software company, Microsoft, announced $8 billion quarterly profits"
I have no objection to - and firmly believe the Government should - mandating that ALL software used in any Government institution - regardless of where or how - should be reasonably secure against any intrusion or misuse, should have a minimum of 99.9% uptime under heavy but situationally-plausible stress, and should be considered clean of defects when tested against industry-standard closed- and open-source security scanners.
(You don't need massive reliability and security when playing minesweeper, but you do if your computer is controlling a warship or contains highly classified data.)
Many people like to say that it would be too expensive (or even impossible) to make software defect-free. Perhaps that is true, for totally off-the-shelf, totally generic systems. I think it's nowhere near as expensive or difficult as people imagine (although it certainly isn't cheap or easy), so think it's possible to have limited lemon laws. Where such requirements go beyond desires and become actual needs - particularly where the failure to meet those needs could have major consequences - I certainly believe that it is important to sacrifice unwanted functionality to the point where what is left CAN be secured to a high standard.
(I also believe that good programming methods can eliminate most problems, so that quality design can become the cheapest, most practical option for these sorts of cases.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
BIG gaping security holes will happen.
Oh, I'm sorry, I thought you started talking about Goatse for a minute there.
Carry on.
but it seems that a lot of problems with IE are really a result of users who don't take the time to secure it in the options
I'm late to the party, but this is just ridiculous. This isn't the user's fault whatsoever, and basic, supposed-to-be-sandboxed scripting is essential for the browser to be marginally useful.
Many "modern" trojans already support both, IE and FF.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The real "Libtards" are the Libertarians!
Actually this is no different than real life.
It's like a restaurant that you've never been to: how do you know that you will not die of food poisoning?
Luckily for us, restaurants are randomly inspected by health services and get a score around here.
Maybe it's time for random website inspections to see what kind of crapware/spyware/scripts are on them; sounds like a good place for a Firefox plugin.
I wish there was someone writing a virus exploiting this hole to patch the users with firefox, opera or alike.
It's interesting that their beta product is (allegedly) more secure than a product that has been in production half a decade.
And what about their own anti-virus product that you can buy to protect you from virus and trojans and spywares?
All these malware that wouldn't even exist if they did their homework correctly, and they charge you for a tool to fix what wasn't supposed to happen in first place.
*SIGH*
find -name "*base*" -exec chown us {} \; ; ln -s
Don't forget about "another crippling bombshell has hit the..."
See subject line.
blah blah blah
Software restriction policies are a nifty tool, and it's a shame more people (or at least offices) don't use them.
:)
Blocking just temporary internet files is obviously not fool proof (the exploit code itself could download files to another location besides the temporary internet files folder) but it does seem likely to break any malware that's written to have the browser do the work of caching scripts from the website ahead of time. (Does IE work that way? Cache scripts fully, even if they contain code that isn't allowed to execute in the zone the script is from?)
Then again, merely running in a limited user account breaks most malware.
One thing to watch out for is runtime engines that are unaware of group policy. For example, if you have a Java runtime environment installed, and you add JAR to the list of restricted file types, then trying to start malware.jar through the shell will fail with the standard software restriction policy message--but executing "java -jar malware.jar" will still work (unless you have a special custom Java runtime that's smart enough to check group policy).
This is as opposed to, for example, VB script, because the VB script engine itself is aware of software restriction policies, so "wscript malware.vbs" doesn't work.
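The software restriction policy from the grandparent comment (disallow execution from the IE cache) together with this comment's JAR caveat, as an added PowerShell example that is not from any commenter. It assumes an elevated session, that SRP has already been enabled once via the Local Security Policy editor (which creates the policy root and Windows' default executable-type list), the documented Safer\CodeIdentifiers registry layout, and the Windows XP-era cache path.

```powershell
# Added example: add an SRP "Disallowed" path rule for IE's cache and register JAR as an
# executable type. SRP layout: ...\Safer\CodeIdentifiers\<level>\Paths\{GUID} with
# level 0 = Disallowed, 262144 (0x40000) = Unrestricted. Needs an elevated session.
$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 0x40000

function Assert-SrpInitialized {
    # The policy root (with the default ExecutableTypes list) is created the first time
    # SRP is enabled in secpol.msc; creating it here by hand would leave that list empty.
    if (-not (Test-Path $SaferRoot)) { throw 'SRP not initialized: enable it once via secpol.msc' }
}

function Add-SrpPathRule {
    # ItemData is REG_EXPAND_SZ, so %USERPROFILE% expands per user when the rule is evaluated.
    param([string]$Path, [int]$Level = $Disallowed, [string]$Description = 'added by script')
    $guid = [guid]::NewGuid().ToString('B').ToUpper()
    $key  = Join-Path $SaferRoot ('{0}\Paths\{1}' -f $Level, $guid)
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Type ExpandString -Value $Path
    Set-ItemProperty -Path $key -Name SaferFlags   -Type DWord  -Value 0
    Set-ItemProperty -Path $key -Name Description  -Type String -Value $Description
    Set-ItemProperty -Path $key -Name LastModified -Type QWord  -Value ([datetime]::UtcNow.ToFileTimeUtc())
    return $key
}

function Add-SrpExecutableType {
    # ExecutableTypes is REG_MULTI_SZ. SRP consults it only when a policy-aware host
    # (Explorer, CreateProcess, wscript) asks; a JVM started as "java -jar x.jar" never asks,
    # which is exactly the gap the comment above describes. Limited user accounts close it.
    param([string]$Extension)
    $current = @((Get-ItemProperty -Path $SaferRoot).ExecutableTypes | Where-Object { $_ })
    if ($current -notcontains $Extension) {
        Set-ItemProperty -Path $SaferRoot -Name ExecutableTypes -Type MultiString -Value ($current + $Extension)
    }
}

function Get-SrpPathRules {
    # Returns rule path -> level name, so what is actually in effect can be audited.
    $rules = @{}
    foreach ($level in @($Disallowed, $Unrestricted)) {
        $pathsKey = Join-Path $SaferRoot ('{0}\Paths' -f $level)
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $data = (Get-ItemProperty -Path $rule.PSPath).ItemData
            $rules[$data] = if ($level -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
        }
    }
    return $rules
}

Assert-SrpInitialized
Add-SrpPathRule -Path '%USERPROFILE%\Local Settings\Temporary Internet Files' -Description 'IE cache' | Out-Null
Add-SrpExecutableType -Extension 'JAR'
Get-SrpPathRules | Format-Table -AutoSize
```

A new rule takes effect for processes started after the policy is reloaded (log off/on or gpupdate), so verify with Get-SrpPathRules and a fresh session rather than the one that wrote it.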
Check the users/bugs ratio between IIS and Apache.
I don't get it.
It should be insecure enough that you jump for their next uber-secure OS, but not so much that you run to another OS.
Many of the attacks seem to be coming from reputable but poorly secured web sites which have been taken over by attackers.
Something else that's come up in the past is some blackhat compromising an ad server and making it serve poison, thus instantly turning thousands of web sites into malware distributors simply because they were running ads from the 0wned ad server.
Even in Firefox you may want to minimize your exposure to Javascript. I have become a dedicated fan of the Noscript extension, which allows temporary or permanent whitelisting without groveling through configuration dialogs.
Absolutely right about the need for sandboxing.
Hello all:
Think about how many key-loggers and zombies are in the wild, running silently on computers owned by everyday users?
As always, MS receives much flak for writing vulnerable software. Truth be told, the reason there are so many vulnerabilities in IE is that there are many people who actively look for security flaws in IE, since it is the most popular system. I don't think using Firefox or escaping to Linux is a permanent solution. Think of people who write attacks as "testers". At the very least, these "testers" found many flaws in MS products. With fewer "testers" working, who knows how many Firefox and Linux vulnerabilities there are?
Patching is important. However, it is just unrealistic to expect software as large as Windows and IE to be patched in a timely manner. Rather than putting the focus on more secure software, we need to make the system more transparent. A system that exposes hidden processes, hidden files, and hidden system configurations would allow a user to detect whether his/her system has been compromised (granted, this does not address such attacks as phishing). Also, we need to have some user-friendly features (even comments and descriptions would be nice) to help the user make sense of all this process/file/config information. This way, the user can actually decide whether a system is running in a non-secure state or not.
Many would argue that making the system more transparent makes the system less usable. I agree. However, I think (and I think we all agree) that users, even non-technical ones, can adapt faster than MS puts out a security patch...
Cheers.
B. Pascal.
There are die-hard people who just insist that the only browser they use is Internet Exploder. For those people, go out, find this virus, get your computer infected, let the bad people steal your banking information and your identity. Then when you've had just about enough, go to the mirror, stare into it with intensity, suck in a big deep breath of air, clench your fists, lower your eyebrows and shout at the image in the mirror "DUMBASS!" Then, go out and get another browser (one that doesn't suck or turn your computer into a botnet slave). You could switch before you get the infection (and all that), but if you haven't switched before now, then it's best if the therapy is more harsh.
You meant http://distrowatch.com/.
I wonder what percentage of people using IE at any given time actually clicked through an EULA on that particular PC.
After scanning your comment, I had to change a fuse on my bullshit detector.
Last time this kind of thing happened, my detector was left open for an entire episode of O'Reilly on Fox News.
lucm, indeed.
FTFA: Case in point: One guy I contacted to tell him his site was serving up this exploit code went to check his home page and then told me his browser just crashed on him. I had to ask: "Don't tell me you just visited the site in IE?" He had. I could only shake my head and sigh.
BEATS HEAD SLOWLY AGAINST BRICK WALL.
THIS IS UNSATISFACTORY.
GOES OUT AND FINDS granite WALL.
BEATS HEAD AGAINST IT.
MUCH BETTER!
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
Or alternatively, any website which uses ass pee.