Slashdot Mirror

← Back to Stories (view on slashdot.org)

Web Site Attacks Against Unpatched IE Flaw Spike

Posted by ryuzaki0 on from the not-a-good-spike dept.

An anonymous reader wrote to mention a Washingtonpost.com article about an increase in attacks against IE users via a critical, unpatched flaw. The bug allows software to be downloaded to the vulnerable PC even if the only act the user takes is browsing to a web site. From the article: "[A] password-stealing program landed on the Windows PC belonging to Reaz Chowdhury, a programmer for Oracle Corp. who works out of his home in Orlando, Fla. Chowdhury said he's not sure which site he browsed in the past 24 hours that hijacked his browser, but he confirmed that the attackers had logged the user name and password for his company's virtual private network (VPN)."

27 of 268 comments (clear)

  1. Lets say it together: by gerbalblaste · · Score: 5, Insightful

    Use Firefox

  2. Patch released! by spaztik · · Score: 5, Funny

    Download here:
    http://www.mozilla.com/firefox/

  3. Legislation Needed? by RunFatBoy.net · · Score: 5, Insightful

    I understand that there will be bugs. BIG gaping security holes will happen.

    I worked at an air force base and they were definitely standardized on IE. Knowing about these bugs and electing _not_ to fix them expediently, couldn't this be considered a threat to national security?

    If there are over 160 million+ computers in the US alone, and 90% of those PC's use Internet Explorer, how can the US Gov. not justify action in insisting these issues be resolved promptly?

    Jim http://www.runfatboy.net/ -- Exercise for Web 2.0

    1. Re:Legislation Needed? by teshuvah · · Score: 5, Interesting

      I work on an air force base, and not only is IE the standard, but Firefox is on the list of unapproved apps. so if you're caught using it via the monthly scans, you're forced to uninstall it.

    2. Re:Legislation Needed? by sedyn · · Score: 3, Interesting

      I view software as a contract. In open source, if you view code and find problems then you should try to have the "contract" updated. If you do not find problems on a pre-emptive basis yet they exist then you are SOL. Think that is unfair to non-programmers? If I signed a large/vital contract without a lawyer's assistance and got screwed, would I get much sympathy, let alone any legal recourse (would I even get legal recourse if I had a lawyer)?

      This means that in closed source, the developers are the "lawyers" who proof-read the "contract". Though, agreeing to a secret contract may not be the best idea (not like I've read the Linux/BSD/* source), but that is another issue.

      This means that we have to trust the developer's judgement. In this case, we have to trust that the developers will fix it as soon as possible. If that is legislated then rushing may occur to meet deadlines, possibly leading to more bugs.

      I think we should hold companies responsible for errors, where a EULA cannot absolve them from the responsibility provide the services that they promised at the time of purchase, let alone any loss/theft of data. If managers had to factor in "cost of bugs" then I suspect developers would be given more time/resources to fix problems.

      --
      Am I open minded towards open source, or closed minded towards closed source?
  4. That why I stay with #2 or #3 by jellomizer · · Score: 4, Interesting

    My Rule of thumb is whenever possible choose and use the #2 or #3 popular software. The #2 and #3 have enough features to be useful but gets less attention then #1. Use Linux or OS X instead of Windows, Choose Opera, Firefox, Safari over IE. No it is not a fixed in stone rule but I find it helps me out more then it hinders me.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  5. Now that's a solution! by zubinjdalal · · Score: 4, Insightful

    FTA: Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code"...

    Sure I could guess but which ones exactly would those be?

  6. "... said he's not sure which site he browsed..." by UberOogie · · Score: 5, Funny

    *cough*porn*cough*

    --
    "Enough of this wretched, whining monkey life." -- Marcus Aurelius, _Meditations_, Book 9, 37
  7. Ugh by ZombieRoboNinja · · Score: 5, Funny

    I know this is Slashdot, but can we at least have our grammar Nazis spell "grammatically" correctly?

  8. Re:linking=vouching for by delirium28 · · Score: 4, Informative
    From TFA:

    More than 200 Web sites -- many of them belonging to legitimate businesses -- have been hacked and seeded with code that tries to take advantage of a unpatched security hole in Microsoft's Internet Explorer Web browser to install hostile code on Windows computers when users merely visit the sites.

    --
    Who is John Galt?
  9. In other news... by zolaris · · Score: 5, Insightful

    Related, F-Secure posts: "Microsoft has put out a warning on a new, nasty, unpatched vulnerability in Internet Explorer. Proof-of-concept exploits are already out. Disable IE's active scripting or switch to any other browser. Not necessarily Firefox - just any other browser. " It's sad when the solution is "Any other browser".

  10. Here we go again.... by beheaderaswp · · Score: 4, Informative

    Sometimes one wonders how Microsoft maintains it's customer base in the face of these kinds of security problems. It's truly scary. And I don't need a refresher in the market forces at work.

    Over on the linux, and alternative browser side, where I live, I see patches coming out very quickly for any kind of exploit.

    Sadly, the patch for the new IE flaw is scheduled for April 11th? This is according to a BBC report here:

    http://news.bbc.co.uk/2/hi/technology/4849904.stm

    Can't they do better than that? How about an emergency patch, followed by a fully tested one? Just something to knock the vulnerability into non-functional status? Hey, it's fine if the patch is imperfect- I'll beta test to save my banking information. Really.

    I suppose I wouldn't have a problem with Microsoft's monopoly if they actually service me as a customer well enough that they deserved a monopoly position. I like a lot of their software. But these kinds of security issues need to be addressed better and faster.

    Ironically, I pay a lot less for my linux servers and get better responses for both support and patches. That makes a difference to me.

    --
    Another consultant who stuck it out.

    "We are the Priests, of the Temples of Syrinx..."
  11. Serious Question (not flaimbait) by MudButt · · Score: 3, Interesting

    What's the general opinion? If the majority of casual surfers used Firefox or other alternative, would reverse engineers switch focus to those apps?

    If the goal is to infect the most systems, then by defualt, you'd avoid Mozilla or Konqueror simply because (at best) you could only hope to control a fraction of machines with active internet connections. Maybe this question has been asked before...

  12. Re:Ugh by Valdrax · · Score: 4, Informative

    Normally, I let my sig do all the griping for me, but this is really bad. It look me three tries to understand what the title was saying. Try the following for maximum clarity:

    "Website Attacks Against Unpatched IE Flaw Spike"

    Actually, this would be even clearer if you put the verb before the prepositional phrase:
    "Website Attacks Spike Against Unpatched IE Flaw"

    It's unclear because both "spike" and "flaw" can be verbs or nouns, and the broken "unpatch" disrupts our ability to smoothly interpret the rest of the sentence thanks to turning an adjective into a present tense verb.

    (I know I'm not perfect by a long shot on spelling and grammar, but it's not my job to post legibly on Slashdot.)

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  13. Will IE in Vista be in managed code? by WoTG · · Score: 3, Interesting

    Of all the bits of software in Windows, perhaps the IE should be at the top of the list for migrating to .net managed code. It seems to be the most problematic (not necessarily because of code quality, but because it's a big juicy target for hackers).

  14. Re:Ugh by dotpavan · · Score: 4, Funny

    spelling Nazi criticizing grammar nazi :)

  15. Re:nope by UberOogie · · Score: 4, Funny

    You and your facts and your articles, bah. It's funnier my way.

    --
    "Enough of this wretched, whining monkey life." -- Marcus Aurelius, _Meditations_, Book 9, 37
  16. Was the City of Tuttle, Oklahoma... by sharkey · · Score: 5, Funny

    one of the sites that has been "hacked" to exploit this flaw?

    --

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  17. Keep an eye on this one.. by Dynamoo · · Score: 5, Informative
    If you're an admin of machines running IE then it will be worth keeping an eye on this one. The best place is the Internet Storm Center which usually updates several times a day and links to other sites of interest. (Be sure to check the diary archive).

    This is a little like the WMF flaw that became known just after Christmas. Eventually MS had to provide an out-of-cycle patch (even if it was just a few days early) because of the bad press they were getting. From the looks of things, the patch for this one will be ready soon too.. so any kind of noise you can make to get an early release would be a Good Thing.

    Yeah yeah, MS will get a lot of flak from Slashdotters on this, but you should bear in mind that they also provide some decent patching tools like WSUS for administrators to roll these things out. Personally, I never use IE on my Windows box, but I'm afraid it's still a fact of life in most large businesses.

    --
    Never email donotemail@WeAreSpammers.com
  18. Re:This is becomming not funny by kpainter · · Score: 3, Funny

    "They have to do MASSIVE regression testing." Ahhh, that explains it. It must be working because IE regresses with each and every day.

  19. easy fix in XP by TheRealBurKaZoiD · · Score: 3, Interesting

    Just set a software restriction policy to disallow executables from running from your temporary internet files. It's one of the first things I ever do when I set up my PC. Easy-peasy, japanesy.

  20. Re:Ugh by Anonymous Coward · · Score: 5, Funny

    That's why they lost WW2.

  21. What webserver software is getting commandeered? by wernst · · Score: 4, Insightful

    So, the article says that hackers are breaking into webservers and injecting this code that exploits an IE flaw. Fine.

    So, WHAT WEBSERVERS are being hacked into to do this? IIS? Apache 1.3? Apache 2? Windows only? Linux only? Something else? All of the above?

    I don't ever use IE for anything, but I do run many websites with a variety of platforms and server software. I'd love to know what it is I'm supposed to be looking for on my servers...

  22. Re:"... said he's not sure which site he browsed.. by hal9000(jr) · · Score: 4, Insightful

    I'm surprised that a programmer would not have the common sense to disable active scripting for the internet at large, and only enable ActiveX and scripting for Trusted Sites.

    Hrm, don't blame the victim. Sure, you can turn off active scripting (mainly javascript), but do you know how many sites fail to function properly without it and that is only going to get worse sith the rush to have more interactivity on the client? Think of all the hype around AJAX.

    Nah, acripting in browsers (javascript, activeX, flash, showwave, etc) should be properly sandboxed so that they can't access system resources like the file system and execute commands. The problem lies with how IE is developed, not with a user regardless of thier knowledge level.

  23. Re:*sigh* by BeerCat · · Score: 4, Informative

    Microsoft's Calculator is actually 2 distinct calculators (at least the XP one is)- the order of calculation varies depending on whether you have "Basic" or "Advanced" view:

    4 + 2 * 6 evaluates left to right for the basic view, giving the answer 36. The advanced (scientific) view does it by algebraic hierarchy, so the multiplication is done first, giving 16.

    (FWIW, the OS X calculator does it the algebraic way, but the calculator widget does it the left to right way)

    --
    "She's furniture with a pulse"
  24. Re:*sigh* by user24 · · Score: 3, Interesting

    oh my god. that is just....
    wow.
    you'd think that clicking something under the VIEW menu would, you know, change what you can see. Rather than changing the basic way in which the calculator works.
    I still can't believe this.

    "Hello, Microsoft Support"
    "yeah, I've got a problem with the calculator"
    "ok"
    "yeah, sometimes when I type an equation in, it gives me one answer, but other times it gives me a different answer"
    "oh yes, that's right sir, the calculator gives you different answers depending on which buttons you can see on the screen...."

  25. And the bottom line is ... by RockDoctor · · Score: 3, Funny

    FTFA : Case in point: One guy I contacted to tell him his site was serving up this exploit code went to check his home page and then told me his browser just crashed on him. I had to ask: "Don't tell me you just visited the site in IE?" He had. I could only shake my head and sigh.

    BEATS HEAD SLOWLY AGAINST BRICK WALL.
    THIS IS UNSATISFACTORY.
    GOES OUT AND FINDS granite WALL.
    BEATS HEAD AGAINST IT.
    MUCH BETTER!

    --
    Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"