Slashdot Mirror
Zero-Day IE Exploit In the Wild
Eric Sites writes to tell us that a new zero-day IE exploit has been found in the wild. It looks to be a bug in VML in IE. The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."
← Back to Stories (view on slashdot.org)
Dupe!!!
There are so many of these Zero Day exploits popping up that I'm just not surprised (or that interested) anymore. One thing i can't get over is how this is still happening? The ammount of stigma now attached to IE has really damaged the product. If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entireley new one for VISTA and change the name so the product gets a new start at life. I don't know, call it Vic the Vista internet client (or Voom sounds better). I switched to firefox quite a while ago, before that, Mozilla, before that Opera and what the hey i even think i was using Netscape before IE and have never looked back. Sorry IE ;).
The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."
It can also be mitigated by using firefox.
The theory of relativity doesn't work right in Arkansas.
Why do people still use IE? It's been shown time and time and time and time and time again that it's just not a suitable browser to expose to the dangers of the Internet. And it's not like people don't have alternatives; they do! Opera is free and available on most platforms. Firefox is free and available on most platforms. Seamonkey is free and available on most platforms.
It's rare these days to find a public site that depends only on IE. Most banking sites, which were really the only holdovers, have realized that Firefox support is necessary.
The only reason I can think of is ignorance. But even then, most people likely know somebody who could help them install Firefox or Opera for the first time. Maybe each one of us should pledge to tell one other person who isn't aware of the alternatives about them. Make a pact with that person: if they are pleased with their new browser, or it keeps their Windows system free of malware, have them tell one new person about Firefox or Opera.
Very rapidly, many people will be able to find out about the alternatives, and it'll benefit us all. Us geeks won't have to help relatives and friends with their malware-infested systems. Those users won't have to ask us to help them, or in the worst case, call the Geek Squad or otherwise bring theirs systems in for expensive and inconvenient "decontaminations" (often performed by fools). Plus the private data of those users is far more safe. In short, we all benefit.
If I *didn't* need to be doing something dangerous and stupid, I'd be using some version of Mozilla instead of IE. Sigh.
Yes, I know IE has its security zone thingies that give me a way to restrict it, but it's still annoying.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Lynx? The absolutely safest method is this:
$ telnet slashdot.org 80
Trying 66.35.250.150...
Connected to slashdot.org.
Escape character is '^]'.
GET / HTTP/1.1
Host: slashdot.org
User-agent: none
It even makes it easier to read the Futurama quotes in the headers!
You confuse Java and Javascript. Javascript comes from Netscape, not Sun, and it's certainly open source for the Netscape implementation (GPL even!). So "whatchu talkin' 'bout Willis?"
-uso.
What you hear in the ear, preach from the rooftop Matthew 10.27b
Zero-Day Slashdot
Posted by Chacham on 10:45 PM -- Monday September 18 2006
from the zero-day-is-overused dept.
[ Slashdot ] [ Teenagers ] [ Slow News Day ]
Chacham writes to tell us that an old zero-day Slashdot exploit has been found again and again and again. It looks to be a bug in all browsers. This comment notes, "The bug is in the Submit Story link, which is apparently easy available in the side bar."
No patch has been released. Story posters are standing by.
Have you read my journal today?
Javascript was designed to be lightweight, friendly, and convenient, and almost anything related to security was later bandaids applied to the gaping wounds. It's possible and easy to write perfectly safe Javascript, but that's unfortunately totally irrelevant because it's possible to write Evil Javascript as well - so anybody who wants to run your "Safe" Javascript has to leave Javascript turned on for the Evil Javascripters as well.
IE does theoretically have a "security zone" mechanism that lets you identify trusted sites, so you can theoretically allow it to run purportedly-safe Javascript from people you trust while not running it from people you don't trust, but that's an annoying hassle. It'd be much safer if they'd built "WimpyScript", designed to be absolutely safe even if all it lets you do is make stuff flash decoratively when you wave a mouse at it; I guess CSS is as close as we get to that. PDF used to be safe, back when all it would do would be display static black or colored marks on virtual paper, but now it's helpfully willing to open web pages and run programs on your PC too.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Of course not! Exploits don't exist until somebody announces them publicly!
http://outcampaign.org/
Javascript has no virtual machine. It is not Java. The two languages are unrelated.
It seems like we're getting to a point where probably the only safe way to be surfing is by using a browser on a sandboxed virtual machine environment.
I'm not trying to point my finger only at Internet Explorer, but with security holes that can allow code execution, that's pretty scary. (And another case of buffer overrun? Maybe they ought to rewrite IE as managed code, but that's another topic all together.)
Your Windows Genuine Advantage will protect you!
I thought "zero-day" meant you have something effective before release
In exploit terms, n-day means the number of days after a fix is released for the problem exploited by the attack. Most notable worms of the past have been n >= 1 (often much more) attacks - either someone deduces the flaw based on the patch release or the flaw was already known but only guardedly used in order to do high level target attacks while it was still unknown to the public.
Zero day refers to attacks that are released before the flaw is publically known. It's based on the specific flaw, not the application in general. Zero day attacks are nasty on two fronts - first, no one has specific protection or detection available for it, second, as mentioned, they are sometimes used on very specific targets. There was a recent string of what appears to be industrial espionage where very specific people have been sent MS Office attachments with previously unknown exploits in them.
Avoid the bug by turning off JavaScripting. Does anyone else see the issue with that?
One acronym: AJAX.
Looking at a variety of server logs for websites I'm currently in charge of, I see that Internet Explorer, even among the "geek" crowd, still has a very strong foothold in the browser market. I've worked closely with customers of my own and even after explaining the threat to them, they continue to use IE.
Thanks to Web2.0 (and various other forms of propganda), Asynchronous JavaScript and XML (AJAX) has all but taken over the Internet. Now, with a bug such as this, the AJAX-driven sites are in trouble (assuming every IE user does turn off JS).
I'm not about to start a "Browser War" with this entry, but I have to say; IE is a very volitile threat, and an Open Source replacement would more than benefit the well-being of the Internet as we know it. Pick your poison - Firefox, Mozilla, Opera, Lynx, wget - they're all superior to IE in the sense that they are not an integral portion of the operating system, thus they pose less risk to the security of said OS.
Rather than disable JavaScript in every IE install in the world, take the time to replace IE with something far less dangerous and educate the user on the dangers of using IE over the replacement.
You do realise that would result in *less* security? The 'Trusted Sites' zone has far less security restrictions that the 'Internet' zone.
What you propose would require people to add the likes of Slashdot and Hotmail to the 'Trusted Sites' zone to function correctly. This effectively gives such sites far more access than you would probably like, much more than without playing with your 'zones' at all.
thats a daft proposal.
I.O.U One Sig.
Hotmail yes, because I believe Javascript is needed to click on some of the links, like for the folders.
Slashdot, no. Slashdot works fine without Javascript.
You don't have to pour a bunch of sites into the Trusted sites category. Only the ones that you are positive are safe and constantly use that REQUIRE javascript.
I've been running Firefox for four months with "Noscript" installed. Javascript itself is being abused far too much to bypass popup blockers and generally screw around with a browser in a way that shouldn't be allowed. If I want a website to mess with me, I have to whitelist it first. It's annoying, especially around ecommerce sites, but I have peace of mind.
Because whether you like it or not, in some places the corporate standard is Internet Explorer, and people might not have the ability to install an alternative browser.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn