Zero-Day Team Launches with Emergency IE Patch
Holy Mother of Thor writes to mention an eWeek article about a third-party patch for Internet Explorer. A dark horse security group formed after the WMF attacks in late 2005, the ZERT (Zero Day Emergency Response Team) has released a patch to attempt to slow the malware attacks on Windows. From the article: "'It is clear that we are dealing with an underground group of people who are writing exploits for profits. They are waiting for Patch Tuesday to pass, then it becomes Exploit Wednesday. We're seeing these zero-days in the wild, timed precisely to guarantee at least an entire month to spread,' Stewart said in an interview with eWEEK. Stewart, who is volunteering his reverse-engineering skills and time to ZERT in his private capacity, wrote an early version of the VML (Vector Markup Language) patch the group released Sept. 22 and worked closely with others to fine-tune the update to minimize potential glitches."
Wish that were the case ..
.. and on those networks we tried limited rollouts of Firefox ..
.reg file to the machine to disable access to that tab. Easy to bypass, yes. For a geek. But for a general user, not quite so easy for them.
... well your credibility just got shot down.
I manage several networks
1. Proxy settings. All the users at one site HAVE to go through a proxy server. It's a transparent server, but offers us logging (required by law) and it helps with the overloaded internet connection. Set the proxy settings in Firefox, and a user need only go Tools | Options | General | Connection Settings to turn them off. No way to disable the menu, without going in and re-writing the XUL code. IE? Easy, shove a
2. IE Only Sites. There's nothing I'd love more than to put in Firefox and remove IE from people's desktops. In fact, I do at every chance I get. But telling someone that if they come across a site that FF doesn't work with - the site isn't worth it for them, and it turns out their BANKING or STOCK site doesn't work
= Grow a brain...
I've also found a "killer feature" to be AdBlock.
Okay, so it's not really a 'feature' of Firefox per se. But it's one of those things that even relatively ignorant users can grasp and realize the value of, and once you start using, there's really no going back. And it's so easy to install on FF, you can kind of sell it as a package deal.
Set your mom/dad/grandmother/coworker up with Firefox+AdBlock+Filterset.G, and between the tabs and the lack of advertising, you'll probably have gotten a convert for life.
The only problem is that in many cases it's not quite practical to throw away IE completely; there are too many online banks and other systems which count on its braindead idiosyncrasies.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Comments: 1) Make all outbound port 80 requests be routed via the transparent proxy; there shouldn't be any settings in each workstation's browser. This forces everything through the proxy, no matter what. Add other ports (i.e. 8080, etc.) as appropriate. 2) If Firefox doesn't work with some sites, then install the IE View and IE Tab extensions. You can change the rendering engine for the page in Firefox. Yes, it does use IE, but, that way, your users can view most sites in Firefox without switching applications (99% of the time, anyway). You will still have to keep IE patched.
I don't reply to Anonymous posts; if you have something to say to me, identify yourself or I won't reply.
If the .reg file is an adequate solution for IE, then a userChrome.css file that simply sets the relevant preference panel to display: none, and a user.js file to reset the proxy settings at each startup (in case the user knows how to find about:config) should be equally adequate.
Just went to look it up. They of course didn't bother to tag the groupbox with an id ("grandmothers don't need easily modifiable chrome!" - meh, give me SeaMonkey any day of the week), but you can hide the "connection settings" button with the following rule: #catProxiesButton { display: none !important; }
Well, as you point out, one solution is to patch the code for yourself. If IE *didn't* have the feature of being able to selectively disable UI elements, what do you think your chances of successfully badgering Microsoft to implement it would be? An academic question, but one worth thinking about. A less academic thing to think about is the risk of IE infecting your machines, and the extra work required to negate this risk, and to repair damage when it occurs.
My second suggestion would be to set up a transparent proxy redirecting port 80 traffic through your proxy server. Voila; ALL port 80 traffic now goes through the proxy.
Or just lock off traffic through port 80, and openly publish the settings for your proxy server.
Did you try Googling for your problem?
'lock firefox proxy settings'
The first hit is this link:
Granted it's Mac, but it shows you that Firefox can indeed lock its proxy settings. And without really delving into the article it looks as if it would be very difficult to override by 'non' geeks.
People in cars cause accidents....accidents in cars cause people
If the majority of users use Firefox, then Firefox becomes the target of those hackers. Firefox is written in C++ just like IE. There is no superior technology or anything that would help to make Firefox inherently more secure. Sure, there are many eyeballs to check the source for security leaks, but the bad guys will also be able to use the source then. So far publicized sources have not prevented software from having exploitable security leaks. The Mozilla guys may offer more frequent patches (which would increase security, but reduce reliability..), but this will not solve the problem itself.
What you're describing is not a transparent proxy server. It's just a normal proxy server, that has to be configured in the browser. A transparent proxy server is where your firewall hijacks all outbound traffic on port 80 and reroutes it to the proxy server's IP without the browser knowing about it. This would solve your problem.
Another option you may want to look into (it won't help with the issue of users being able to turn it off, but it might make configuration easier) is Web Proxy Automatic Detection (WPAD). Start by making a Proxy Automatic Configuration (PAC) file, which is just a bit of JavaScript code that tells the browser what proxy server to use. For example:
Put this file on an internal web server. Name the file "wpad.dat", and configure the server to give the MIME type as application/x-ns-proxy-autoconfig, for example:
Now, configure your internal DNS server to add a host "wpad" at whatever domain you're using internally to point to your web server, so that http://wpad/wpad.dat will return the PAC file you've created.
Finally, to cover all the bases, make it explicit in your DHCP server. Set this global option in dhcpd.conf:
Then add this within your subnet declaration:
Internet Explorer breaks without the trailing \n. I'm not sure if it has to be \n, or if some other character would work better, but this seems to work just fine.
Sounds complicated! But just remember, you only have to do this once. Internet Explorer and Firefox will both respect it automatically, out of the box, with no client-side configuration at all. One caveat: Mac OS X does not currently support WPAD; I'm hoping Apple fixes this in 10.5 "Leopard" next spring, but I haven't seen anything official about it. In the meantime, Mac clients have to set the URL of the PAC file manually. WPAD works in Firefox on Mac, but see bug 327381 if you're running it on a laptop (I don't know if that bug applies to Windows as well).
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
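A PAC file of the kind the WPAD comment above describes, as an added example that is not part of the original post. The proxy host and port reuse the placeholder values from another comment in this thread, the internal domain suffix is hypothetical, and the helper shims exist only so the file can be exercised under Node.js before it is published as wpad.dat.

```javascript
// Added example PAC file (wpad.dat); not from the original comment.
// Proxy host/port are the thread's placeholder values, not a real server.
var PROXY = "PROXY proxy.somemachine.org:3128";
var INTERNAL_DOMAIN = ".corp.example"; // hypothetical internal DNS suffix

// Browsers supply these PAC helpers. The shims below are only defined when
// the file is run outside a browser (for example under Node.js for testing).
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Intranet names and loopback never need the logging proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, INTERNAL_DOMAIN) ||
      host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }

  // Everything else goes to the proxy and nowhere else. Leaving out a
  // "; DIRECT" fallback means a proxy outage stops browsing instead of
  // silently letting traffic bypass the required logging.
  return PROXY;
}
```

A PAC file is only advice to the browser, so the firewall redirect suggested elsewhere in the thread is still what enforces the logging requirement.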
Set the proxy settings in Firefox, and a user need only go Tools | Options | General | Connection Settings to turn them off. No way to disable the menu, without going in and re-writing the XUL code.
It's actually pretty easy to disable anything in Firefox/Mozilla.
1. Open Firefox and set the options you want to preconfigure/lock such as the proxy settings.
2. Look in Firefox's config directory for a file called "prefs.js". Under Linux this is in "~/.mozilla/*.default/". Under Windows, this is in "Application Settings\Mozilla\*.default\". On OS X it's in "Library/Mozilla/Firefox/*.default/".
3. Copy the file to lock.js and open it in a text editor.
4. Leave the first line as is (the # line). For any option you want to lock, set "user_pref" to "lockPref". For example:
# this line is required. don't remove
lockPref("network.proxy.ftp", "proxy.somemachine.org");
lockPref("network.proxy.ftp_port", 3128);
lockPref("network.proxy.http", "proxy.somemachine.org");
lockPref("network.proxy.http_port", 3128);
lockPref("network.proxy.ssl", "proxy.somemachine.org");
lockPref("network.proxy.ssl_port", 3128);
5. Download moz-byteshift.pl and run it like this:
moz-byteshift.pl -s13 < lock.js > mozilla.cfg
6. Copy the mozilla.cfg file to the root of the Firefox install directory. This is "/usr/lib/firefox/" on most Linux distros, and "c:\windows\Program Files\Mozilla Firefox\" on Windows. On OS X it's in the "Firefox.app" directory.
7. Inside of the Firefox install directory, open the file "greprefs/all.js" and add this line to the bottom:
pref("general.config.filename", "mozilla.cfg");
The user can no longer change the proxy settings, or any other setting you choose to lock.
This works everywhere and options are identical across platforms (except when they include file paths). The only place I haven't had it work is Ubuntu, which apparently does something to break the feature. The method they provide to provide the functionality does not appear to work (I spent a few days googling and trying everything before just disabling the built-in and installing the official build).
Deploying is easy. All you have to do is copy the greprefs/all.js and mozilla.cfg files to the clients. With WPKG this is trivial. Just make sure only the administrator can write to all.js and mozilla.cfg, also make sure that all users can read the file.
Here, I'll even help you out with WPKG. Just save "mozilla.cfg" and "greprefs/all.js" as a self-extracting file with 7-Zip:
<?xml version="1.0" encoding="UTF-8"?>
<packages>
<package id="firefox_restrictions" name="Firefox restrictions" revision="20060922" reboot="false" priority="1">
<depends package-id="firefox" />
<check type="file" condition="exists" path="%PROGRAMFILES%\Mozilla Firefox\mozilla.cfg" />
<install cmd='%SOFTWARE%\firefox_restrictions\firefox_restrictions.exe -o"%PROGRAMFILES%\Mozilla Firefox\" -y' />
</package>
</packages>
Any time you need to push new updates out, just change the revision to the current date.
"It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
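What steps 3 to 5 above do to the file, plus the reverse direction for auditing a deployed mozilla.cfg, as an added Node.js example that is not from the original post or from moz-byteshift.pl. It assumes -s13 means adding 13 to each byte modulo 256; the sample prefs are constructed, and network.proxy.type (1 selects manual proxy configuration) is added to the locked set here although the post's list does not include it.

```javascript
// Added example (Node.js); not the original poster's code.
const SHIFT = 13; // the -s13 argument in step 5

// Constructed sample prefs.js; host and port are the thread's placeholders.
const SAMPLE_PREFS = [
  "# Mozilla User Preferences",
  'user_pref("browser.startup.homepage", "http://intranet/");',
  'user_pref("network.proxy.http", "proxy.somemachine.org");',
  'user_pref("network.proxy.http_port", 3128);',
  'user_pref("network.proxy.type", 1);',
].join("\n");

// Steps 3-4: keep the first line, rewrite chosen user_pref() lines as lockPref().
function toLockJs(prefsJs, namesToLock) {
  const lines = prefsJs.split(/\r?\n/);
  const out = [lines[0]];
  for (const line of lines.slice(1)) {
    const m = /^user_pref\("([^"]+)",\s*(.*)\);\s*$/.exec(line);
    if (m && namesToLock.includes(m[1])) out.push(`lockPref("${m[1]}", ${m[2]});`);
  }
  return out.join("\n") + "\n";
}

// Step 5: add `shift` to every byte, wrapping at 256 (assumed behaviour of -s).
function byteShift(bytes, shift) {
  return Buffer.from(Array.from(bytes, (b) => (b + shift + 256) % 256));
}

function encodeCfg(lockJs) {
  return byteShift(Buffer.from(lockJs, "latin1"), SHIFT);
}

// Audit direction: undo the shift on a deployed mozilla.cfg and list its locks.
function lockedPrefs(cfgBytes) {
  const text = byteShift(cfgBytes, -SHIFT).toString("latin1");
  const prefs = {};
  const re = /^lockPref\("([^"]+)",\s*(.*)\);\s*$/gm;
  let m;
  while ((m = re.exec(text)) !== null) prefs[m[1]] = JSON.parse(m[2]);
  return prefs;
}

const cfg = encodeCfg(toLockJs(SAMPLE_PREFS,
  ["network.proxy.http", "network.proxy.http_port", "network.proxy.type"]));
console.log(lockedPrefs(cfg));
```

The byte shift is obfuscation only: anyone who can read mozilla.cfg can reverse it, so the admin-only write permission the post asks for is the actual control.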