Zero-Day Team Launches with Emergency IE Patch
Holy Mother of Thor writes to mention an eWeek article about a third-party patch for Internet Explorer. A dark horse security group formed after the WMF attacks in late 2005, the ZERT (Zero Day Emergency Response Team) has released a patch to attempt to slow the malware attacks on Windows. From the article: "'It is clear that we are dealing with an underground group of people who are writing exploits for profits. They are waiting for Patch Tuesday to pass, then it becomes Exploit Wednesday. We're seeing these zero-days in the wild, timed precisely to guarantee at least an entire month to spread,' Stewart said in an interview with eWEEK. Stewart, who is volunteering his reverse-engineering skills and time to ZERT in his private capacity, wrote an early version of the VML (Vector Markup Language) patch the group released Sept. 22 and worked closely with others to fine-tune the update to minimize potential glitches."
but it didn't have anything to do with DRM
Summation 2
The majority of exploits could be stopped if Windows users switched to Firefox. However, getting Joe User to switch from IE to Firefox is difficult, especially when he perceives no problems with IE. The majority of exploits in the wild today hide themselves from the user, and turn their machine into a Zombie node without their knowledge. Because Joe User doesn't know anything is wrong with his computer, he keeps using his unpatched IE and helps spread the exploit even further.
Yahma
Their time would be better spent on improving Free Software instead of trying to plug holes of closed-source software. Microsoft does not appreciate help like this.
I'm just amazed that it took this long for it to become big news that this kind of thing is going on.
Honestly I'm surprised it took this long for something like this to happen. You patch once a month on a specific day.. obviously they are going to time their attacks for when they will inflict the most damage.
Wish that were the case .. I manage several networks .. and on those networks we tried limited rollouts of Firefox ..
1. Proxy settings. All the users at one site HAVE to go through a proxy server. It's a transparent server, but offers us logging (required by law) and it helps with the overloaded internet connection. Set the proxy settings in Firefox, and a user need only go Tools | Options | General | Connection Settings to turn them off. No way to disable the menu, without going in and re-writing the XUL code. IE? Easy, shove a .reg file to the machine to disable access to that tab. Easy to bypass, yes. For a geek. But for a general user, not quite so easy for them.
2. IE Only Sites. There's nothing more that I'd love than to put Firefox on and remove IE from people's desktops. In fact, I do at every chance I get. But telling someone that if they come across a site that FF doesn't work with - the site isn't worth it for them, and it turns out their BANKING or STOCK site doesn't work ... well your credibility just got shot down.
= Grow a brain...
This is neat. Kudos to these guys, and I'm glad they're doing what they're doing.
But it isn't a long-term solution; it still depends on human-speed recognition of the exploit and development of a patch.
What we need is the spread of viruses/worms/trojans whose payload is the removal of malware. Internet antibodies, as it were. The ultimate goal ought to be an antibody - or, to coin a term, an ant.iBody (ant.eBody?) - software that heuristically determines what is malware and what is legitimate software, preventing the former while allowing the latter and propagates itself across the network.
Of course, deploying something like that would break all sorts of computer security laws...but it's not like that stops anything else.
Reality has a conservative bias: it conserves mass, energy, momentum...
Stewart said in an interview with eWEEK. Stewart, who is volunteering his reverse-engineering skills and time to ZERT in his private capacity, wrote an early version of the VML (Vector Markup Language) patch the group released Sept. 22 and worked closely with others to fine-tune the update to minimize potential glitches."
Very noble of him to volunteer, but we all know what happens in the movies to the character who mistakenly sacrifices themselves to defend the bad guy. At this moment, chairs are flying and the heavy weights at M$ are screaming things like, "This guy is making us look bad! Steve smash!" A much cooler arch villain grins maniacally at his underling and contemplates co-opting as much of the work as possible before dropping both of them into a pool of red hot magma.
What will the real world fate be for poor Stew? DMCA suit? C&D for trade secret or patent infringement? Who knows! But none of it will really make windoze a place that's safe for your work.
Friends don't help friends install M$ junk.
I think they should have been a LOT more religious about writing secure code back when they claimed to be focusing on security and such. I haven't noticed any slowdown in the frequency of new exploits and no real increase in the delivery of patches. But if they haven't found religion in writing secure code, I think it's about time they did.
As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
I've also found a "killer feature" to be AdBlock.
Okay, so it's not really a 'feature' of Firefox per se. But it's one of those things that even relatively ignorant users can grasp and realize the value of, and once you start using, there's really no going back. And it's so easy to install on FF, you can kind of sell it as a package deal.
Set your mom/dad/grandmother/coworker up with Firefox+AdBlock+Filterset.G, and between the tabs and the lack of advertising, you'll probably have gotten a convert for life.
The only problem is that in many cases it's not quite practical to throw away IE completely; there are too many online banks and other systems which count on its braindead idiosyncrasies.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Comments: 1) Make all outbound port 80 requests be routed via the transparent proxy; there shouldn't be any settings in each workstation's browser. This forces everything through the proxy, no matter what. Add other ports (i.e. 8080, etc.) as appropriate. 2) If Firefox doesn't work with some sites, then install the IE View and IE Tab extensions. You can change the rendering engine for the page in Firefox. Yes, it does use IE, but, that way, your users can view most sites in Firefox without switching applications (99% of the time, anyway). You will still have to keep IE patched.
I don't reply to Anonymous posts; if you have something to say to me, identify yourself or I won't reply.
"But telling someone that if they come across a site that FF doesn't work with - the site isn't worth it for them, and it turns out their BANKING or STOCK site doesn't work ... well your credibility just got shot down."
I disagree. It just means their BANKING site doesn't pay much importance to security and so it isn't worth it in the long run.
Easy, shove a .reg file to the machine to disable access to that tab. Easy to bypass, yes. For a geek. But for a general user, not quite so easy for them.
GPO. Then they can't bypass it because the setting will be re-applied.
Also, you can edit one of Firefox's files that's just plain text to hide those menu settings. It's been a while since I've done it, but if you do a search for firefox and kiosk you should find the instructions.
If the .reg file is an adequate solution for IE, then a userChrome.css file that simply sets the relevant preference panel to display: none, and a user.js file to reset the proxy settings at each startup (in case the user knows how to find about:config) should be equally adequate.
Just went to look it up. They of course didn't bother to tag the groupbox with an id ("grandmothers don't need easily modifiable chrome!" - meh, give me SeaMonkey any day of the week), but you can hide the "connection settings" button with the following rule: #catProxiesButton { display: none !important; }
Well, as you point out, one solution is to patch the code for yourself. If IE *didn't* have the feature of being able to selectively disable UI elements, what do you think your chances of successfully badgering Microsoft to implement it would be? An academic question, but one worth thinking about. A less academic thing to think about is the risk of IE infecting your machines, and the extra work required to negate this risk, and to repair damage when it occurs.
My second suggestion would be to set up a transparent proxy redirecting port 80 traffic through your proxy server. Voila; ALL port 80 traffic now goes through the proxy.
Or just lock off traffic through port 80, and openly publish the settings for your proxy server.
But they don't want to. There are thousands and thousands of sites that have hacked up code to step around the bugs in IE. They all will break if they lost backward compatibility to these harebrained hacks that depend on the bugs in IE. MSFT considers it a big loss of face if more sites work in FF than in IE. If they fix all their bugs and holes in IE, more sites will work in Opera and FF than in IE. That is a big no-no. That is why they tread cautiously making sure they fix the hole, just that hole, and nothing but that hole, and fix it just enough, so that most of the other hacks can continue to work. That is why they are so slow in responding. That is why the fix has to be fixed and fixed again.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Did you try Googling for your problem?
'lock firefox proxy settings'
The first hit is this link:
Granted it's Mac, but it shows you that Firefox can indeed lock its proxy settings. And without really delving into the article it looks as if it would be very difficult to override by 'non' geeks.
People in cars cause accidents....accidents in cars cause people
and the second point:
Firefox plug-in IE View
Description: Lets you load pages in IE with a single right-click, or mark certain sites to *always* load in IE. Useful for incompatible pages, or cross-browser testing.
I like the idea that you can tell users, if it doesn't seem to look right, try this...and then have them default the few non-compatible sites to use IE. Trains them that IE is 'different' and Firefox is more standard.
Well it clearly isn't a transparent proxy if you have to configure it at the client end.
Anyway, if the proxy is compulsory surely you should block all direct web traffic so that it actually is compulsory!
Homme petit d'homme petit, s'attend, n'avale
.... from any of the following links:
www.getfirefox.com
www.opera.com
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
I agree. MS delaying patches is dumb. If large corporations want a schedule for their updates, by all means, they should make one -- of their own. If MS released updates when they were finished and ready, large shops could still schedule their updates however they wanted. If they felt a patch warranted updating early, they could deploy. Why depend on Microsoft to decide that for you?
What you're describing is not a transparent proxy server. It's just a normal proxy server, that has to be configured in the browser. A transparent proxy server is where your firewall hijacks all outbound traffic on port 80 and reroutes it to the proxy server's IP without the browser knowing about it. This would solve your problem.
Another option you may want to look into (it won't help with the issue of users being able to turn it off, but it might make configuration easier) is Web Proxy Automatic Detection (WPAD). Start by making a Proxy Automatic Configuration (PAC) file, which is just a bit of JavaScript code that tells the browser what proxy server to use. For example:
Put this file on an internal web server. Name the file "wpad.dat", and configure the server to give the MIME type as application/x-ns-proxy-autoconfig, for example:
Now, configure your internal DNS server to add a host "wpad" at whatever domain you're using internally to point to your web server, so that http://wpad/wpad.dat will return the PAC file you've created.
Finally, to cover all the bases, make it explicit in your DHCP server. Set this global option in dhcpd.conf:
Then add this within your subnet declaration:
Internet Explorer breaks without the trailing \n. I'm not sure if it has to be \n, or if some other character would work better, but this seems to work just fine.
Sounds complicated! But just remember, you only have to do this once. Internet Explorer and Firefox will both respect it automatically, out of the box, with no client-side configuration at all. One caveat: Mac OS X does not currently support WPAD; I'm hoping Apple fixes this in 10.5 "Leopard" next spring, but I haven't seen anything official about it. In the meantime, Mac clients have to set the URL of the PAC file manually. WPAD works in Firefox on Mac, but see bug 327381 if you're running it on a laptop (I don't know if that bug applies to Windows as well).
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
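A PAC file of the kind the post above describes, as an added example (not the poster's own file): plain intranet host names, loopback and the site's own domain go direct, everything else goes through the proxy from the lockPref example elsewhere in this thread (proxy.somemachine.org:3128, an assumed name, as is the .somemachine.org internal domain). The browser's PAC runtime normally supplies dnsDomainIs() and isPlainHostName(); stand-ins are defined here so the file also runs under Node for testing.

```javascript
// Added example, not from the original post. Assumes the proxy
// proxy.somemachine.org:3128 and the internal domain .somemachine.org.
// Browsers evaluating a PAC file provide dnsDomainIs() and
// isPlainHostName() themselves; these minimal stand-ins let the same
// file be loaded and tested outside a browser.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

var PROXY = "PROXY proxy.somemachine.org:3128";

// Entry point the browser calls for every request. Returning only a
// PROXY directive (no "; DIRECT" fallback) means that if the proxy is
// down the browser fails closed instead of quietly bypassing the
// logging proxy the thread is trying to make compulsory.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Local/intranet hosts and loopback never need the proxy.
  if (isPlainHostName(host) || host === "127.0.0.1" ||
      dnsDomainIs(host, ".somemachine.org")) {
    return "DIRECT";
  }
  // Everything else, whatever the scheme or port, goes through the proxy.
  return PROXY;
}
```

Serve it as http://wpad/wpad.dat with MIME type application/x-ns-proxy-autoconfig, as the post describes; the same file also works when entered manually as a PAC URL on Mac clients.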
Set the proxy settings in Firefox, and a user need only go Tools | Options | General | Connection Settings to turn them off. No way to disable the menu, without going in and re-writing the XUL code.
It's actually pretty easy to disable anything in Firefox/Mozilla.
1. Open Firefox and set the options you want to preconfigure/lock such as the proxy settings.
2. Look in Firefox's config directory for a file called "prefs.js". Under Linux this is in "~/.mozilla/*.default/". Under Windows, this is in "Application Settings\Mozilla\*.default\". On OS X it's in "Library/Mozilla/Firefox/*.default/".
3. Copy the file to lock.js and open it in a text editor.
4. Leave the first line as is (the # line). For any option you want to lock, set "user_pref" to "lockPref". For example:
# this line is required. don't remove
lockPref("network.proxy.ftp", "proxy.somemachine.org");
lockPref("network.proxy.ftp_port", 3128);
lockPref("network.proxy.http", "proxy.somemachine.org");
lockPref("network.proxy.http_port", 3128);
lockPref("network.proxy.ssl", "proxy.somemachine.org");
lockPref("network.proxy.ssl_port", 3128);
5. Download moz-byteshift.pl and run it like this:
moz-byteshift.pl -s13 < lock.js > mozilla.cfg
6. Copy the mozilla.cfg file to the root of the Firefox install directory. This is "/usr/lib/firefox/" on most Linux distros, and "c:\windows\Program Files\Mozilla Firefox\" on Windows. On OS X it's in the "Firefox.app" directory.
7. Inside of the Firefox install directory, open the file "greprefs/all.js" and add this line to the bottom:
pref("general.config.filename", "mozilla.cfg");
The user can no longer change the proxy settings, or any other setting you choose to lock.
This works everywhere and options are identical across platforms (except when they include file paths). The only place I haven't had it work is Ubuntu, which apparently does something to break the feature. The method they provide to provide the functionality does not appear to work (I spent a few days googling and trying everything before just disabling the built-in and installing the official build).
Deploying is easy. All you have to do is copy the greprefs/all.js and mozilla.cfg files to the clients. With WPKG this is trivial. Just make sure only the administrator can write to all.js and mozilla.cfg, also make sure that all users can read the file.
Here, I'll even help you out with WPKG. Just save "mozilla.cfg" and "greprefs/all.js" as a self-extracting file with 7-Zip:
<?xml version="1.0" encoding="UTF-8"?>
<packages>
  <package id="firefox_restrictions" name="Firefox restrictions" revision="20060922" reboot="false" priority="1">
    <depends package-id="firefox" />
    <!-- the archive extracts into the Firefox directory, so the installed check looks there -->
    <check type="file" condition="exists" path="%PROGRAMFILES%\Mozilla Firefox\mozilla.cfg" />
    <install cmd='%SOFTWARE%\firefox_restrictions\firefox_restrictions.exe -o"%PROGRAMFILES%\Mozilla Firefox\" -y' />
  </package>
</packages>
Any time you need to push new updates out, just change the revision to the current date.
"It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
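The byte-shift step from the post above (moz-byteshift.pl -s13), as an added example that is not the poster's script: it builds lock.js from a list of preferences, applies the shift, and adds a decoder plus an audit check so an administrator can confirm a deployed mozilla.cfg still locks what it should. It assumes the shift is a rotation of every byte by +13 mod 256 (the value Firefox of that era expected) and uses the Node.js Buffer API.

```javascript
// Added example, not from the original post. Assumes moz-byteshift.pl -s13
// rotates every byte of lock.js by +13 mod 256 to produce mozilla.cfg.
const SHIFT = 13;

function byteShift(buf, shift) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) {
    out[i] = (buf[i] + shift + 256) % 256; // +256 keeps negative shifts in range
  }
  return out;
}

// Firefox skips the first line of the config file, so it must be a comment.
function buildLockJs(prefs) {
  const lines = ["// this line is required. don't remove"];
  for (const [name, value] of Object.entries(prefs)) {
    lines.push(`lockPref(${JSON.stringify(name)}, ${JSON.stringify(value)});`);
  }
  return lines.join("\n") + "\n";
}

function encodeMozillaCfg(prefs) {
  return byteShift(Buffer.from(buildLockJs(prefs), "latin1"), SHIFT);
}

function decodeMozillaCfg(cfgBuf) {
  return byteShift(cfgBuf, -SHIFT).toString("latin1");
}

// Audit: names of expected prefs that a deployed mozilla.cfg does not lock
// (missing, set with pref()/user_pref() instead of lockPref(), or a different
// value). An empty array means the file on the client is as intended.
function missingLocks(cfgBuf, expected) {
  const text = decodeMozillaCfg(cfgBuf);
  const locked = {};
  const re = /^\s*lockPref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$/gm;
  let m;
  while ((m = re.exec(text)) !== null) locked[m[1]] = m[2];
  return Object.keys(expected).filter(
    (name) => locked[name] !== JSON.stringify(expected[name])
  );
}
```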