Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zero-Day IE Exploit In the Wild

Posted by ryuzaki0 on from the now-delivering-spyware-to-a-pc-near-you dept.

Eric Sites writes to tell us that a new zero-day IE exploit has been found in the wild. It looks to be a bug in VML in IE. The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."

17 of 239 comments (clear)

  1. Sorry, has to be done... by RManning · · Score: 5, Funny

    Dupe!!!

  2. No surprise by Cold_Lestat · · Score: 5, Insightful

    There are so many of these Zero Day exploits popping up that I'm just not surprised (or that interested) anymore. One thing i can't get over is how this is still happening? The ammount of stigma now attached to IE has really damaged the product. If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entireley new one for VISTA and change the name so the product gets a new start at life. I don't know, call it Vic the Vista internet client (or Voom sounds better). I switched to firefox quite a while ago, before that, Mozilla, before that Opera and what the hey i even think i was using Netscape before IE and have never looked back. Sorry IE ;).

  3. easier solution by User+956 · · Score: 5, Insightful

    The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."

    It can also be mitigated by using firefox.

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:easier solution by sporkme · · Score: 5, Informative

      Fasterfox makes firefox load pages more quickly through various methods.
      The Firefox Tweak Guide has many options for about:config and other tips for improving your specific experience.
      Firefox Preloader will make Firefox load more quickly by making Firefox do the same thing Internet Explorer does. Firefox will use system resources before being specifically called. The application will remain resident in memory like IE does, waiting for you to click the little fox. In this way, IE loads faster but slows overall system performance.
      How to use UPX to speed it up a little is what this article can tell you. Probably not the best way to go about it, but I have implemented this method on my HTPC.

      It is VERY important to realize that the few seconds you wait around for the initial loading of Firefox are quickly surpassed by the lag you experience while using Microsoft's Explorer. Firefox ignores many advertisements right off the showroom floor, but can be configured to show NEARLY NO ADS AT ALL. FlashBlock, AdBlock, and NoScript will make your browsing much faster and cleaner.

      Using Firefox, especially with these and other add-ons, will make your browsing incredibly secure. Explorer is left in the dust in comparison.

      So the trade-off you seem to have made is this: A few seconds at load time in exhange for a combined several minutes waiting for ads to be displayed, just so you can fall victim to the shiny! new! IE exploit that seems to get barfed all over Slashdot once a week. This while using an underdeveloped, overpriced, practically featureless browser that has no database of expansions. Unless you are using the Vista beta (7 beta) you aren't even using tabs! Do you choose to commut on a horse? HOW DID YOU EVER SURVIVE THE PERMIAN MASS EXTINCTION? BAH! Why did I bother?

      --
      FairTax baby!
    2. Re:easier solution by MightyYar · · Score: 4, Informative
      Yup... go here to install MinimizeToTray. MinimizeToTray enables the old "-turbo" option on the command line. Quit Firefox. Right click on the shortcut icon for Firefox that you use (mine is in the "Quick Launch" part of the taskbar). Click Properties. In the "Target" box you will see something like
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      Add the -turbo option so that it reads:
      "C:\Program Files\Mozilla Firefox\firefox.exe" -turbo

      The behavior now is a little confusing... the first time you click the shortcut, it will not open a window. Instead, it will make a Firefox icon appear in the tray. This confuses the holy fuck out of my wife (rightfully). However, subsequent clicks on the icon will give you instant Firefox. To make it cleaner, you can put a copy of the shortcut in your Startup folder. I don't do this because I hate startup programs :)

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    3. Re:easier solution by causality · · Score: 5, Informative

      The reason why IE starts up so quickly is because the act of booting up Windows pre-loads IE in memory. When you click that blue 'E' icon (which points to an .exe file that is about 30k, as the rest is in DLLs which are already in memory), you're loading practically all of the program from memory, not the hard drive. This also means that whether you are using it or not, the amount of memory required for IE is always being consumed, even after you "close" it. Contrast this with clicking the Firefox icon, which has to read the executable off the hard drive and into memory prior to being able to run it. You didn't think the difference was due to IE being a leaner, more efficient program, did you?

      There is a utility which will allow you to also preload Firefox in memory on Windows. Of course, this does not give you the ability to unload IE from memory (decoupling IE from Windows, to any degree, is problematic at best).

      Of course, how much an extra 6-7 seconds of load time will impact you would depend on usage. Personally I often leave the same instance of Firefox running for days at a time and leave it minimized on a virtual desktop when it is not in use, but if I were really worried about this on a Linux box then I would use prelink.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  4. I *only* use IE to run Javascript and ActiveX by billstewart · · Score: 4, Interesting
    If I'm using IE, it's because I'm trying to access some site that uses ActiveX or uses Javascript in some IE-broken way, mainly doing tricks that the people who write the HR apps at work think are "useful", or one of the online web-based conferencing systems we or our customers use.

    If I *didn't* need to be doing something dangerous and stupid, I'd be using some version of Mozilla instead of IE. Sigh.


    Yes, I know IE has its security zone thingies that give me a way to restrict it, but it's still annoying.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  5. Re:The power of Open Source by dosius · · Score: 4, Informative

    You confuse Java and Javascript. Javascript comes from Netscape, not Sun, and it's certainly open source for the Netscape implementation (GPL even!). So "whatchu talkin' 'bout Willis?"

    -uso.

    --
    What you hear in the ear, preach from the rooftop Matthew 10.27b
  6. Moo by Chacham · · Score: 5, Funny

    Zero-Day Slashdot
    Posted by Chacham on 10:45 PM -- Monday September 18 2006
    from the zero-day-is-overused dept.
    [ Slashdot ] [ Teenagers ] [ Slow News Day ]
    Chacham writes to tell us that an old zero-day Slashdot exploit has been found again and again and again. It looks to be a bug in all browsers. This comment notes, "The bug is in the Submit Story link, which is apparently easy available in the side bar."

    No patch has been released. Story posters are standing by.

    --
    Have you read my journal today?
  7. No, you need to blame Javascript too. by billstewart · · Score: 5, Informative
    Java was designed with a heavy-duty security model, using sandboxes and virtual machines and such to make sure that you could safely download code from other sites and run it, and while it's probably possible for somebody to come up with some implementation bug that lets you outside the box in ways that are exploitable, it's basically been solid since it came out, because it was designed to be safe.


    Javascript was designed to be lightweight, friendly, and convenient, and almost anything related to security was later bandaids applied to the gaping wounds. It's possible and easy to write perfectly safe Javascript, but that's unfortunately totally irrelevant because it's possible to write Evil Javascript as well - so anybody who wants to run your "Safe" Javascript has to leave Javascript turned on for the Evil Javascripters as well.


    IE does theoretically have a "security zone" mechanism that lets you identify trusted sites, so you can theoretically allow it to run purportedly-safe Javascript from people you trust while not running it from people you don't trust, but that's an annoying hassle. It'd be much safer if they'd built "WimpyScript", designed to be absolutely safe even if all it lets you do is make stuff flash decoratively when you wave a mouse at it; I guess CSS is as close as we get to that. PDF used to be safe, back when all it would do would be display static black or colored marks on virtual paper, but now it's helpfully willing to open web pages and run programs on your PC too.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:No, you need to blame Javascript too. by homerjfong · · Score: 4, Insightful

      Don't be silly. The problem is implementation, not the language itself. The language was designed to do things like open windows, add popups, and manipulate strings. The reason there are security holes is that it was implemented as a fully-priveleged com service, as was IE (via shdowvw). Basically the problem is that Javascript in IE can do anything that IE can do, and that IE can do just about anything, including installing software and monkeying around with files. It's possible to implement IE and Javascript in sandboxes just like you describe java. That's why (for the most part) Firefox is ok. It's only when FFX uses some core windows libraries (like WMF) that it gets into trouble. Now: it should be said that this isn't. strictly speaking, Microsoft's fault. They built a very open. flexible system, which was subsequently exploited by a lot of people who want to do you harm. Nevertheless, in the modern internet environment, they should really lock down what they're doing.

    2. Re:No, you need to blame Javascript too. by masklinn · · Score: 4, Insightful

      ActiveX is what really kicked Netscapes ass because that is what the masses liked, not IE's implementation of JS.

      Uh, no, what "kicked Netscape's ass" is that

      • With IE on your box, you didn't have to download netscape in the first place
      • Netscape 4.7 was a slow ugly, buggy, crash-prone piece of shit
      • Websites looked better in IE.

      In a word, what killed netscape is that MSIE was, at the time, a much better browser than Navigator

      --
      "The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
  8. No need to worry! by Anonymous Coward · · Score: 5, Funny

    Your Windows Genuine Advantage will protect you!

  9. Re:I thought ... by jschottm · · Score: 4, Informative

    I thought "zero-day" meant you have something effective before release

    In exploit terms, n-day means the number of days after a fix is released for the problem exploited by the attack. Most notable worms of the past have been n >= 1 (often much more) attacks - either someone deduces the flaw based on the patch release or the flaw was already known but only guardedly used in order to do high level target attacks while it was still unknown to the public.

    Zero day refers to attacks that are released before the flaw is publically known. It's based on the specific flaw, not the application in general. Zero day attacks are nasty on two fronts - first, no one has specific protection or detection available for it, second, as mentioned, they are sometimes used on very specific targets. There was a recent string of what appears to be industrial espionage where very specific people have been sent MS Office attachments with previously unknown exploits in them.

  10. Oh, okay... by Skudd · · Score: 5, Interesting

    Avoid the bug by turning off JavaScripting. Does anyone else see the issue with that?

    One acronym: AJAX.

    Looking at a variety of server logs for websites I'm currently in charge of, I see that Internet Explorer, even among the "geek" crowd, still has a very strong foothold in the browser market. I've worked closely with customers of my own and even after explaining the threat to them, they continue to use IE.

    Thanks to Web2.0 (and various other forms of propganda), Asynchronous JavaScript and XML (AJAX) has all but taken over the Internet. Now, with a bug such as this, the AJAX-driven sites are in trouble (assuming every IE user does turn off JS).

    I'm not about to start a "Browser War" with this entry, but I have to say; IE is a very volitile threat, and an Open Source replacement would more than benefit the well-being of the Internet as we know it. Pick your poison - Firefox, Mozilla, Opera, Lynx, wget - they're all superior to IE in the sense that they are not an integral portion of the operating system, thus they pose less risk to the security of said OS.

    Rather than disable JavaScript in every IE install in the world, take the time to replace IE with something far less dangerous and educate the user on the dangers of using IE over the replacement.

  11. Re:Let's help users move away from IE. by Anonymous Coward · · Score: 5, Insightful

    because their vulnerable computer, once part of a botnet, can be used to help attack our computers.

    why should we get our friends to fix the brakes on their, car? afterall, it's their car, right?

  12. Re:Why disable javascript? Change to firefox ... by Winterblink · · Score: 4, Informative

    Because whether you like it or not, in some places the corporate standard is Internet Explorer, and people might not have the ability to install an alternative browser.

    --
    "I'm a leaf on the wind. Watch how I soar."
    -Hoban Washburn