Zero-Day IE Exploit In the Wild
Eric Sites writes to tell us that a new zero-day IE exploit has been found in the wild. It looks to be a bug in VML in IE. The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."
This thing is so hyped up, my IE has never NO CARRIER
Dupe!!!
There are so many of these Zero Day exploits popping up that I'm just not surprised (or that interested) anymore. One thing I can't get over is how this is still happening? The amount of stigma now attached to IE has really damaged the product. If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entirely new one for VISTA and change the name so the product gets a new start at life. I don't know, call it Vic the Vista internet client (or Voom sounds better). I switched to Firefox quite a while ago, before that, Mozilla, before that Opera and what the hey I even think I was using Netscape before IE and have never looked back. Sorry IE ;).
The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."
It can also be mitigated by using Firefox.
The theory of relativity doesn't work right in Arkansas.
You shouldn't blame the language. Blame their implementation of that language.
Do you like German cars?
Why do people still use IE? It's been shown time and time and time and time and time again that it's just not a suitable browser to expose to the dangers of the Internet. And it's not like people don't have alternatives; they do! Opera is free and available on most platforms. Firefox is free and available on most platforms. Seamonkey is free and available on most platforms.
It's rare these days to find a public site that depends only on IE. Most banking sites, which were really the only holdovers, have realized that Firefox support is necessary.
The only reason I can think of is ignorance. But even then, most people likely know somebody who could help them install Firefox or Opera for the first time. Maybe each one of us should pledge to tell one other person who isn't aware of the alternatives about them. Make a pact with that person: if they are pleased with their new browser, or it keeps their Windows system free of malware, have them tell one new person about Firefox or Opera.
Very rapidly, many people will be able to find out about the alternatives, and it'll benefit us all. Us geeks won't have to help relatives and friends with their malware-infested systems. Those users won't have to ask us to help them, or in the worst case, call the Geek Squad or otherwise bring their systems in for expensive and inconvenient "decontaminations" (often performed by fools). Plus the private data of those users is far more safe. In short, we all benefit.
If I *didn't* need to be doing something dangerous and stupid, I'd be using some version of Mozilla instead of IE. Sigh.
Yes, I know IE has its security zone thingies that give me a way to restrict it, but it's still annoying.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Lynx? The absolutely safest method is this:
$ telnet slashdot.org 80
Trying 66.35.250.150...
Connected to slashdot.org.
Escape character is '^]'.
GET / HTTP/1.1
Host: slashdot.org
User-agent: none
It even makes it easier to read the Futurama quotes in the headers!
You confuse Java and Javascript. Javascript comes from Netscape, not Sun, and it's certainly open source for the Netscape implementation (GPL even!). So "whatchu talkin' 'bout Willis?"
-uso.
What you hear in the ear, preach from the rooftop Matthew 10.27b
Zero-Day Slashdot
Posted by Chacham on 10:45 PM -- Monday September 18 2006
from the zero-day-is-overused dept.
[ Slashdot ] [ Teenagers ] [ Slow News Day ]
Chacham writes to tell us that an old zero-day Slashdot exploit has been found again and again and again. It looks to be a bug in all browsers. This comment notes, "The bug is in the Submit Story link, which is apparently easy available in the side bar."
No patch has been released. Story posters are standing by.
Have you read my journal today?
Javascript was designed to be lightweight, friendly, and convenient, and almost anything related to security was later bandaids applied to the gaping wounds. It's possible and easy to write perfectly safe Javascript, but that's unfortunately totally irrelevant because it's possible to write Evil Javascript as well - so anybody who wants to run your "Safe" Javascript has to leave Javascript turned on for the Evil Javascripters as well.
IE does theoretically have a "security zone" mechanism that lets you identify trusted sites, so you can theoretically allow it to run purportedly-safe Javascript from people you trust while not running it from people you don't trust, but that's an annoying hassle. It'd be much safer if they'd built "WimpyScript", designed to be absolutely safe even if all it lets you do is make stuff flash decoratively when you wave a mouse at it; I guess CSS is as close as we get to that. PDF used to be safe, back when all it would do would be display static black or colored marks on virtual paper, but now it's helpfully willing to open web pages and run programs on your PC too.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Of course not! Exploits don't exist until somebody announces them publicly!
http://outcampaign.org/
Javascript has no virtual machine. It is not Java. The two languages are unrelated.
It seems like we're getting to a point where probably the only safe way to be surfing is by using a browser on a sandboxed virtual machine environment.
I'm not trying to point my finger only at Internet Explorer, but with security holes that can allow code execution, that's pretty scary. (And another case of buffer overrun? Maybe they ought to rewrite IE as managed code, but that's another topic altogether.)
Internet Explorer users should know by now not to surf with Javascript enabled. Disable it and add trusted sites to the "Trusted sites" list.
Your Windows Genuine Advantage will protect you!
Half his posts contain simple spelling errors a spellchecker could find, and the other half are dupes.
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
I thought "zero-day" meant you have something effective before release
In exploit terms, n-day means the number of days after a fix is released for the problem exploited by the attack. Most notable worms of the past have been n >= 1 (often much more) attacks - either someone deduces the flaw based on the patch release or the flaw was already known but only guardedly used in order to do high level target attacks while it was still unknown to the public.
Zero day refers to attacks that are released before the flaw is publicly known. It's based on the specific flaw, not the application in general. Zero day attacks are nasty on two fronts - first, no one has specific protection or detection available for it, second, as mentioned, they are sometimes used on very specific targets. There was a recent string of what appears to be industrial espionage where very specific people have been sent MS Office attachments with previously unknown exploits in them.
Avoid the bug by turning off JavaScripting. Does anyone else see the issue with that?
One acronym: AJAX.
Looking at a variety of server logs for websites I'm currently in charge of, I see that Internet Explorer, even among the "geek" crowd, still has a very strong foothold in the browser market. I've worked closely with customers of my own and even after explaining the threat to them, they continue to use IE.
Thanks to Web2.0 (and various other forms of propaganda), Asynchronous JavaScript and XML (AJAX) has all but taken over the Internet. Now, with a bug such as this, the AJAX-driven sites are in trouble (assuming every IE user does turn off JS).
I'm not about to start a "Browser War" with this entry, but I have to say; IE is a very volatile threat, and an Open Source replacement would more than benefit the well-being of the Internet as we know it. Pick your poison - Firefox, Mozilla, Opera, Lynx, wget - they're all superior to IE in the sense that they are not an integral portion of the operating system, thus they pose less risk to the security of said OS.
Rather than disable JavaScript in every IE install in the world, take the time to replace IE with something far less dangerous and educate the user on the dangers of using IE over the replacement.
I love lynx and all, but there are people who need to see pr0n, right? The more pop-ups that lead to more pr0n sites, the better! Think of the children!
. o O ( TwO hEaDs ArE mOrE tHaN oNe... )
I've been running Firefox for four months with "Noscript" installed. Javascript itself is being abused far too much to bypass popup blockers and generally screw around with a browser in a way that shouldn't be allowed. If I want a website to mess with me, I have to whitelist it first. It's annoying, especially around ecommerce sites, but I have peace of mind.
ECMAscript 262 comes from JavaScript.
There, fixed that for you.
Cheers,
-S
from your link (which is what I had in my mind):
"Netscape submitted the JavaScript specification to Ecma International for standardization; the work on the specification, ECMA-262, began in November 1996. The first edition of ECMA-262 was adopted by the ECMA General Assembly of June 1997."
It's Zonk's way to correct his spelling mistakes, you see. First he posts, then he dupes, but the second time the spelling mistakes are gone.
Religion is what happens when nature strikes and groupthink goes wrong.
No No No. Using Firefox solves the problem too, right? Stop telling people to switch off Javascript just because IE can't solve its security issues as quick as hackers can find/create them. Why? Because I and probably thousands like me, rely on Javascript to access the web.
I use Talklets to help with my reading difficulties, when out and about. Switching off Javascript on public machines will really cause me issues! So don't. Switch to Firefox. Thanx
Now the web can talk. No really. It can.
...but, isn't that the "J" in AJAX, the underpinnings of Web 2.0?
Why do people even bother to give advice that is basically impossible to follow?
It's not my fault that so many of the websites I want to use now rely on Javascript, but the fact is they do.
Saying "This exploit can be mitigated by turning off Javascripting" is true, but about as useful as saying "the risks of plane crashes can be mitigated by not flying."
"How to Do Nothing," kids activities, back in print!
Because whether you like it or not, in some places the corporate standard is Internet Explorer, and people might not have the ability to install an alternative browser.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
. . . and you can avoid >99% of car accidents by not turning on the engine, but then the car isn't very useful, is it.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50