Web Site Attacks Against Unpatched IE Flaw Spike
An anonymous reader wrote to mention a Washingtonpost.com article about an increase in attacks against IE users via a critical, unpatched flaw. The bug allows software to be downloaded to the vulnerable PC even if the only act the user takes is browsing to a web site. From the article: "[A] password-stealing program landed on the Windows PC belonging to Reaz Chowdhury, a programmer for Oracle Corp. who works out of his home in Orlando, Fla. Chowdhury said he's not sure which site he browsed in the past 24 hours that hijacked his browser, but he confirmed that the attackers had logged the user name and password for his company's virtual private network (VPN)."
Use Firefox
Download here:
http://www.mozilla.com/firefox/
I understand that there will be bugs. BIG gaping security holes will happen.
I worked at an air force base and they were definitely standardized on IE. Knowing about these bugs and electing _not_ to fix them expediently, couldn't this be considered a threat to national security?
If there are over 160 million+ computers in the US alone, and 90% of those PC's use Internet Explorer, how can the US Gov. not justify action in insisting these issues be resolved promptly?
Jim http://www.runfatboy.net/ -- Exercise for Web 2.0
My rule of thumb is whenever possible choose and use the #2 or #3 popular software. The #2 and #3 have enough features to be useful but get less attention than #1. Use Linux or OS X instead of Windows; choose Opera, Firefox, Safari over IE. No, it is not a fixed-in-stone rule, but I find it helps me out more than it hinders me.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Whats wrong with it? I've noticed attacks against the Flaw Spike too.
FTA: Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code"...
Sure I could guess but which ones exactly would those be?
*cough*porn*cough*
"Enough of this wretched, whining monkey life." -- Marcus Aurelius, _Meditations_, Book 9, 37
I know this is Slashdot, but can we at least have our grammar Nazis spell "grammatically" correctly?
More than 200 Web sites -- many of them belonging to legitimate businesses -- have been hacked and seeded with code that tries to take advantage of an unpatched security hole in Microsoft's Internet Explorer Web browser to install hostile code on Windows computers when users merely visit the sites.
Who is John Galt?
Related, F-Secure posts: "Microsoft has put out a warning on a new, nasty, unpatched vulnerability in Internet Explorer. Proof-of-concept exploits are already out. Disable IE's active scripting or switch to any other browser. Not necessarily Firefox - just any other browser. " It's sad when the solution is "Any other browser".
Sometimes one wonders how Microsoft maintains its customer base in the face of these kinds of security problems. It's truly scary. And I don't need a refresher in the market forces at work.
Over on the Linux and alternative browser side, where I live, I see patches coming out very quickly for any kind of exploit.
Sadly, the patch for the new IE flaw is scheduled for April 11th? This is according to a BBC report here:
http://news.bbc.co.uk/2/hi/technology/4849904.stm
Can't they do better than that? How about an emergency patch, followed by a fully tested one? Just something to knock the vulnerability into non-functional status? Hey, it's fine if the patch is imperfect- I'll beta test to save my banking information. Really.
I suppose I wouldn't have a problem with Microsoft's monopoly if they actually service me as a customer well enough that they deserved a monopoly position. I like a lot of their software. But these kinds of security issues need to be addressed better and faster.
Ironically, I pay a lot less for my Linux servers and get better responses for both support and patches. That makes a difference to me.
Another consultant who stuck it out.
"We are the Priests, of the Temples of Syrinx..."
What's the general opinion? If the majority of casual surfers used Firefox or other alternative, would reverse engineers switch focus to those apps?
If the goal is to infect the most systems, then by default you'd avoid Mozilla or Konqueror simply because (at best) you could only hope to control a fraction of machines with active internet connections. Maybe this question has been asked before...
Normally, I let my sig do all the griping for me, but this is really bad. It took me three tries to understand what the title was saying. Try the following for maximum clarity:
"Website Attacks Against Unpatched IE Flaw Spike"
Actually, this would be even clearer if you put the verb before the prepositional phrase:
"Website Attacks Spike Against Unpatched IE Flaw"
It's unclear because both "spike" and "flaw" can be verbs or nouns, and the broken "unpatch" disrupts our ability to smoothly interpret the rest of the sentence thanks to turning an adjective into a present tense verb.
(I know I'm not perfect by a long shot on spelling and grammar, but it's not my job to post legibly on Slashdot.)
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Of all the bits of software in Windows, perhaps the IE should be at the top of the list for migrating to .net managed code. It seems to be the most problematic (not necessarily because of code quality, but because it's a big juicy target for hackers).
spelling Nazi criticizing grammar nazi :)
You and your facts and your articles, bah. It's funnier my way.
one of the sites that has been "hacked" to exploit this flaw?
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
This is a little like the WMF flaw that became known just after Christmas. Eventually MS had to provide an out-of-cycle patch (even if it was just a few days early) because of the bad press they were getting. From the looks of things, the patch for this one will be ready soon too.. so any kind of noise you can make to get an early release would be a Good Thing.
Yeah yeah, MS will get a lot of flak from Slashdotters on this, but you should bear in mind that they also provide some decent patching tools like WSUS for administrators to roll these things out. Personally, I never use IE on my Windows box, but I'm afraid it's still a fact of life in most large businesses.
Never email donotemail@WeAreSpammers.com
I have heard about all these tests that they put up a windows server vs a Linux/BSD server and you get Windows being more "secure" in certain areas, etc.
But this is what we are talking about when we say LESS secure. Anyone running a server in a professional environment is expected to know what he or she is doing. What Windows lacks in security has to do with workstations/personal computers at a person's home browsing the web on IE, who is not a security expert and shouldn't need to be! Windows continues to leave \windows, \windows\system, \windows\system32, and the system registry wide open to any executable/script hacker who wants in.
My friends log on to the net and start clicking around, etc., and voila! You are full of virii and malware so thick it baffles most techs nowadays.
You are making the assumption that attacks come after the most popular software. If you read the interviews with the coders (not the SKs that will grab, slightly mod, and release them), you will find that they rarely go after code due to popularity. They go after code because it is so simple to do so. Basically, Windows, IE, Outlook, and IIS are just so easy to attack.
In fact, if MS is successful in creating an OS and set of apps that are more secure than the others, it will mean that Linux, BSD, Mac, and other *nix will be the target. Statistically and historically, I seriously doubt that MS can do it, but they appear to be doing the right thing.
I prefer the "u" in honour as it seems to be missing these days.
That's nice. Now when is Microsoft going to code IE7 to work on the hundreds of thousands (millions?) of PCs still running Windows 2000?
They're not? You mean I have to shell out more money to get a fix for a problem which is caused by their product?
Just another reason not to go with Vista. Another Mac convert on the way.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
"They have to do MASSIVE regression testing." Ahhh, that explains it. It must be working because IE regresses with each and every day.
Just set a software restriction policy to disallow executables from running from your temporary internet files. It's one of the first things I ever do when I set up my PC. Easy-peasy, japanesy.
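The software restriction policy the comment above describes, as an added example that is not from the original thread or from Microsoft. It assumes an elevated PowerShell session on a Windows box that honours Software Restriction Policies, and writes the same registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer that the Local Security Policy snap-in writes. The cache and temp paths listed are assumptions (the XP-era IE cache location plus the per-user temp directory); adjust them for the Windows version in use.

```powershell
# Added example, not from the original thread. Disallow execution from the IE cache and
# the user temp directory with SRP path rules; everything else stays Unrestricted.
$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = "$base\0\Paths"    # security level 0 = Disallowed (0x40000 = Unrestricted)

New-Item -Path $disallowed -Force | Out-Null
Set-ItemProperty -Path $base -Name DefaultLevel       -Type DWord -Value 0x40000  # default: allow
Set-ItemProperty -Path $base -Name TransparentEnabled -Type DWord -Value 1        # 1 = executables, 2 = also DLLs
Set-ItemProperty -Path $base -Name PolicyScope        -Type DWord -Value 0        # 0 = all users, incl. admins

# Assumed locations where drive-by downloads land; REG_EXPAND_SZ so %USERPROFILE% expands per user.
$blockedPaths = @(
    '%USERPROFILE%\Local Settings\Temporary Internet Files',   # IE cache on 2000/XP
    '%USERPROFILE%\Local Settings\Temp'                        # per-user temp on 2000/XP
)

foreach ($p in $blockedPaths) {
    # Each path rule is a GUID-named subkey holding ItemData (the path) and SaferFlags (0).
    $rule = Join-Path $disallowed ([guid]::NewGuid().ToString('B'))
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData    -Type ExpandString -Value $p
    Set-ItemProperty -Path $rule -Name SaferFlags  -Type DWord        -Value 0
    Set-ItemProperty -Path $rule -Name Description -Type String       -Value 'Block execution from browser cache/temp'
}

# SRP is evaluated at process creation; log off and on (or gpupdate /force) so the new rules apply.
```

Two caveats a practitioner would want. First, a path rule only stops a dropped executable from being launched out of that directory; an exploit that runs its payload inside the browser process, or copies the dropper somewhere else before running it, is not affected, so this is a second layer, not a substitute for the patch. Second, if the policy has never been defined on the machine, create it once through secpol.msc (Software Restriction Policies, New Software Restriction Policies) so the remaining default values exist, then add the path rules as above.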
That's why they lost WW2.
So why don't they program firefox to render pages the same way IE does it?
I'm just flabbergasted at the thought that I'm not even sure where to begin on a reply. What you are asking...is basically asking them to...break...firefox. I'm all for demolition and breaking stuff just as much as the next guy but that's usually in the name of progress and I see little "progress" in such a proposal.
As lame and well-used as it is: what you're proposing is for the Firefox developers to jump off a bridge just because 90% of the people are doing it...
By no means am I saying firefox is perfect, but....damn dude.
:wq
So, the article says that hackers are breaking into webservers and injecting this code that exploits an IE flaw. Fine.
So, WHAT WEBSERVERS are being hacked into to do this? IIS? Apache 1.3? Apache 2? Windows only? Linux only? Something else? All of the above?
I don't ever use IE for anything, but I do run many websites with a variety of platforms and server software. I'd love to know what it is I'm supposed to be looking for on my servers...
I'm surprised that a programmer would not have the common sense to disable active scripting for the internet at large, and only enable ActiveX and scripting for Trusted Sites.
Hrm, don't blame the victim. Sure, you can turn off active scripting (mainly JavaScript), but do you know how many sites fail to function properly without it? And that is only going to get worse with the rush to have more interactivity on the client. Think of all the hype around AJAX.
Nah, scripting in browsers (JavaScript, ActiveX, Flash, Shockwave, etc.) should be properly sandboxed so that it can't access system resources like the file system and execute commands. The problem lies with how IE is developed, not with a user, regardless of their knowledge level.
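The workaround discussed in this sub-thread (and in the F-Secure note quoted earlier: disable IE's active scripting) done from a script rather than through the Internet Options dialog, as an added example that is not from the original thread or from Microsoft. It assumes a per-user configuration under HKCU; the numeric value names are IE's URL action IDs (1400 = Active scripting, 1200 = Run ActiveX controls and plug-ins, 1004 = Download unsigned ActiveX controls) and the zone numbers are IE's (2 = Trusted sites, 3 = Internet). The trusted domain is a placeholder.

```powershell
# Added example, not from the original thread. Internet zone: scripting and ActiveX off.
# Trusted sites zone: both on, but only for domains explicitly listed.
$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$disable = 3   # URL action values: 0 = enable, 1 = prompt, 3 = disable
$enable  = 0

# Zone 3 = Internet (everything not placed in another zone)
Set-ItemProperty -Path "$zones\3" -Name '1400' -Type DWord -Value $disable   # Active scripting
Set-ItemProperty -Path "$zones\3" -Name '1200' -Type DWord -Value $disable   # Run ActiveX controls and plug-ins
Set-ItemProperty -Path "$zones\3" -Name '1004' -Type DWord -Value $disable   # Download unsigned ActiveX controls

# Zone 2 = Trusted sites
Set-ItemProperty -Path "$zones\2" -Name '1400' -Type DWord -Value $enable
Set-ItemProperty -Path "$zones\2" -Name '1200' -Type DWord -Value $enable

# Place one site in Trusted sites. The value name is the scheme ('https', 'http' or '*'),
# the DWORD is the zone number. Domain is an assumed placeholder.
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$site    = 'vpn.example.com'
New-Item -Path "$domains\$site" -Force | Out-Null
Set-ItemProperty -Path "$domains\$site" -Name 'https' -Type DWord -Value 2

# Restart IE afterwards; zone settings are read when the browser starts.
```

Note the limit of this approach in the context of the article: the compromised sites were legitimate businesses, so a site you have whitelisted into Trusted sites gets full scripting and ActiveX the moment it is seeded with the exploit code. The whitelist should therefore stay short and contain only sites you must run scripts on, and the HKCU keys above are per-user; to lock the settings for every account, write the same values under HKLM and set Security_HKLM_only to 1 under the Internet Settings key.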
I doubt he talked to his boss before blabbing that one.
I'm not saying that having IE written in full managed code isn't a good idea, but it won't help with security. A good chunk of the problems come from the ambiguous uses of various technology in IE (ActiveX, JScript, etc.). Many of these are functioning exactly as designed but still have undesirable side effects, such as being completely unsecured. These are problems that would exist regardless of the language binding used to build IE upon, because logical problems are still logical problems regardless of whether they are in C or Perl or C#. Rewriting a poorly designed, insecure system in C# does not automatically create a secured system (although it might make it more obscured).
The .NET Framework itself has yet another security tool that needs to be configured and can subsequently be misconfigured. It is another "confusing to the nominal user" setting that most laymen are more likely to ignore than to pay attention to.
Besides, the
Sorry to break it to you, but Mac OS X makes you pay for updates too. You have to pay for every update -- 10.1, 10.2, 10.3, etc. Each of them costs money. So if you bought OS X or OS 10.1 and you want to update to the latest version of Safari or Firefox -- guess what, you have to shell out some cash, because Firefox requires Mac OS X 10.2.x and the secure version of Safari requires 10.3, I think.
Because of this, my girlfriend who has an old Apple powerbook can't surf the web worth shit. So don't think that a for-profit company such as Apple will be the cure to all your M$ woes.
Anyone else finds something funny in this sentence?
"...hackers have infected at least 200 sites, many of which you would not normally expect to associate with such attacks (i.e., porn and pirated-software vendors)."
I see two things...
So, WHAT WEBSERVERS are being hacked into to do this? IIS? Apache 1.3? Apache 2? Windows only? Linux only? Something else? All of the above?
I think it's any webservers whose webmasters use IE. Lemme explain:
1) a dumb webmaster has his PW for his webspace stored in windows
2) dumb webmaster (who should know better) visits a site while using IE, and the site steals his password
3) script or person uses the password to login to the webspace, add in malicious code, and the cycle continues
Latewire
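For the question asked above ("what it is I'm supposed to be looking for on my servers") and the password-theft cycle described in the reply, a generic check that is an added example and not from the original thread: the article only says that legitimate pages were seeded with code that loads the exploit, so the script looks for the usual footprint of that kind of injection, recently modified pages whose script or iframe sources point at hosts your site does not normally load from. The web root, the allow-list of legitimate hosts, and the sample page are constructed for the example; point $WebRoot at a real document root and fill in $OwnHosts to use it. PowerShell 7 runs on Linux as well as Windows, so it covers the mixed fleet described.

```powershell
# Added example, not from the original thread. Flags external script/iframe sources in
# recently modified pages. Everything under "constructed sample" is fabricated input.
$WebRoot  = Join-Path ([IO.Path]::GetTempPath()) 'webroot-sample'   # assumption: replace with real docroot
$OwnHosts = @('www.example.com', 'static.example.com')              # assumption: hosts you legitimately load from
$Days     = 7                                                        # look at files touched in the last week

# --- constructed sample: a normal page with a hidden iframe appended at the end ---
New-Item -ItemType Directory -Path $WebRoot -Force | Out-Null
@'
<html><body><h1>Welcome</h1>
<script src="http://static.example.com/site.js"></script>
<iframe src="http://203.0.113.7/x.htm" width="0" height="0" style="display:none"></iframe>
</body></html>
'@ | Set-Content -Path (Join-Path $WebRoot 'index.html')
# --- end constructed sample ---

# Capture the host part of any <script src=...> or <iframe src=...> pointing off-page.
$pattern = '<(?:script|iframe)[^>]*\bsrc\s*=\s*["'']?(?:https?:)?//([^/"''\s>]+)'

$findings = Get-ChildItem -Path $WebRoot -Recurse -Include *.html,*.htm,*.php,*.asp,*.aspx,*.js |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
    ForEach-Object {
        $file = $_
        $body = Get-Content -Raw -Path $file.FullName
        foreach ($m in [regex]::Matches($body, $pattern, 'IgnoreCase')) {
            $srcHost = $m.Groups[1].Value.ToLowerInvariant()
            if ($OwnHosts -notcontains $srcHost) {
                [pscustomobject]@{
                    File     = $file.FullName
                    Modified = $file.LastWriteTime
                    Host     = $srcHost
                    Tag      = $m.Value
                }
            }
        }
    }

# On the sample this reports index.html loading from 203.0.113.7; static.example.com is allow-listed.
$findings | Format-Table -AutoSize
```

Treat a hit as a starting point rather than a verdict: compare the flagged file against your deployed copy or version control, and, given the cycle described above, check the FTP or control-panel logs for logins from unexpected addresses and rotate the site credentials from a machine that has not been browsing the web with IE.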
I guess I don't understand IT pros who aren't fanatical about IT and therefore are at least aware of issues like this one - although I admit that I have failed to patch Windows boxes when needed to ensure that my dev or production environments stayed stable.
I figure that if you don't patch, though, you don't get to whine. - Before I get flamed on that point: obviously you can only patch when you have a patch available - and if you don't patch you have got to use other forms of protection.
(Turning your PC off and leaving it off works well but hurts productivity - or at least should hurt productivity!)
Microsoft's Calculator is actually 2 distinct calculators (at least the XP one is)- the order of calculation varies depending on whether you have "Basic" or "Advanced" view:
4 + 2 * 6 evaluates left to right for the basic view, giving the answer 36. The advanced (scientific) view does it by algebraic hierarchy, so the multiplication is done first, giving 16.
(FWIW, the OS X calculator does it the algebraic way, but the calculator widget does it the left to right way)
"She's furniture with a pulse"
Godwin explodes. Details at 11.
~W
sig?
oh my god. that is just....
wow.
you'd think that clicking something under the VIEW menu would, you know, change what you can see. Rather than changing the basic way in which the calculator works.
I still can't believe this.
"Hello, Microsoft Support"
"yeah, I've got a problem with the calculator"
"ok"
"yeah, sometimes when I type an equation in, it gives me one answer, but other times it gives me a different answer"
"oh yes, that's right sir, the calculator gives you different answers depending on which buttons you can see on the screen...."
FTFA : Case in point: One guy I contacted to tell him his site was serving up this exploit code went to check his home page and then told me his browser just crashed on him. I had to ask: "Don't tell me you just visited the site in IE?" He had. I could only shake my head and sigh.
BEATS HEAD SLOWLY AGAINST BRICK WALL.
THIS IS UNSATISFACTORY.
GOES OUT AND FINDS granite WALL.
BEATS HEAD AGAINST IT.
MUCH BETTER!
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"