Slashdot Mirror


New Zero-Day Vulnerability In Windows

Jimmy T writes "Microsoft and Secunia are warning about the discovery of a new 'Zero-day' vulnerability affecting all Microsoft based operating systems except Windows 2003. Both companies state that the vulnerability is currently being exploited by malicious websites. One attack vector is through Internet Explorer 6/7 — so be aware where you surf to."

231 comments

  1. Just curious by realmolo · · Score: 2, Insightful

    Seems there is always a new "zero day" exploit for Windows. Most times, the exploit can be activated simply by visiting a webpage that has been crafted to take advantage of it.

    Does anyone actually know anyone that has been affected by any of these exploits? Seems to me that the odds of actually visiting a site that "runs" the exploit is incredibly low.

    1. Re:Just curious by Opportunist · · Score: 2, Insightful

      The odds depend entirely on you.

      The attack vector is a link to the bogus page. Now, how do you get a link to a user and make him click? Usually this is done either by email (click here for big boobs or fat cash) or on a webpage (same).

      In the meantime, you can also have it on a banner, where the one wanting to infect you buys ad space on a ... let's say less prestigious page of our beloved web. Usually also pages that promise big boobs, fat cash or free software.

      Well, technically, you get free software...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Just curious by this+great+guy · · Score: 1

      The odds also depend on time. Because as with every vulnerability, it only gets worse over time: more bad guys become aware of how to exploit it, methods of exploitation become more reliable, etc.

    3. Re:Just curious by todd10k · · Score: 1

      "(click here for big boobs or fat cash)" Shouldn't that be "click here for fat boobs and big cash"?

    4. Re:Just curious by BillTheKatt · · Score: 1

      A lot of sites use third-party advertisers, you never know what those advertisers will do. I was just infected 2 days ago with a rootkit, Goldun or something like that. This is on a fully patched XP SP2, IE7 and Symantec 10.0 system. Symantec said it caught it, but apparently didn't. Took a few tools to get that out and I didn't have a lot of reason to suspect something, since Symantec said it blocked it. I was wondering how that had gotten through the "secure" IE7. My guess is this. Now I'm back to surfing errr... "questionable" sites with Firefox.

    5. Re:Just curious by Foofoobar · · Score: 1

      I've known people to get attacked via this method. Unscrupulous advertising companies have used it to install spyware on several occasions. Usually the link comes via spam.

      --
      This is my sig. There are many like it but this one is mine.
    6. Re:Just curious by whitehatlurker · · Score: 2, Funny

      I've been clicking on your link for big boobs, and nothing is happening. What's going on here?

      --
      .. paranoid crackpot leftover from the days of Amiga.
    7. Re:Just curious by cheater512 · · Score: 1

      Would you know that you were infected by an exploit if you went to a specially crafted page?

      You'd probably put the spyware down to something else.

    8. Re:Just curious by Anonymous Coward · · Score: 0
      Does anyone actually know anyone that has been affected by any of these exploits?


      That you don't know such incidents or can't detect such attacks, doesn't mean they're rare.

    9. Re:Just curious by Anonymous Coward · · Score: 0

      The solution is to stop using IE altogether, genius. How many rootkits do you need to get this through your thick skull? There is no such thing as surfing questionable or not questionable sites. All sites should be considered questionable.

      All it takes is one "not questionable" site to be hacked, one unexpected link that you click before you think, one shady advertiser who decides to use a fancy new 0-day exploit. Is it really worth your time? Especially since you already have and use Firefox.

    10. Re:Just curious by Rosyna · · Score: 1

      I've known people to get attacked via this method. Unscrupulous advertising companies have used it to install spyware on several occasions.

      Often times people will exploit it via normal advertisers, or find some exploit on some other software used by a website (the myspace flash exploit) or they'll find an exploit in some software the webserver uses such as phpBB, some dashboard software/configuration manager, or some other easily exploited piece of a webserver (as seen in the WMF exploit). They use one exploit to pass on another. It's really quite ingenious how some of these malware writers pile on exploits.

    11. Re:Just curious by ThinkFr33ly · · Score: 1

      It's not as low as you might think. All it takes is somebody to insert exploit code into a banner advertisement on a major online ad network and sites that you trust all of a sudden become malicious.

    12. Re:Just curious by Anonymous Coward · · Score: 0
      "Does anyone actually know anyone that has been affected by any of these exploits? Seems to me that the odds of actually visiting a site that "runs" the exploit is incredibly low.

      Well here is your answer...From a new install of ubuntu. My daughter was stupid enough to follow a link through msn messenger. The site she visited hosed explorer and did all sorts of nasty things to windows 98 because msn messenger defaults to IE on links! There is more crap on her drive than you can imagine, most of which I have never heard of before. I restored her MP3s from the old drive and gave her a nice safe install of Ubuntu 6.06. On an old 20 gig that I took out of a hosed win2000 box.

      Now she uses gaim and xmms and is delighted with the fact that her digital camera is working again. So there are lots of users out there just waiting to get hosed, fact is that most people I talk to want to try out Linux and are getting very pissed with Redmond. That includes small business that have employees that like to use things like MSN messenger. Microsoft is digging its own grave.

    13. Re:Just curious by jamesh · · Score: 1

      Actually, all it would take is for a TFA linked from a slashdot article to be exploited (either by a third party or by the submitter such that it didn't become visible until the peak of the slashdot effect).

      Even though nobody RTFA's, many must still click the link (see "slashdot effect") hoping for pictures or something, so this would still work.

      The whole slashdot audience could be wiped out overnight! Oh the humanity!

    14. Re:Just curious by grrrgrrr · · Score: 1

      This kind of exploit is exactly how a lot of spyware gets installed they seem so common on windows that some companies seem to make a good living of them. So there are people that think windows is so unsafe that they are willing to invest money in spyware that tells you more than the windows marketing or the windows fan-boys tell you it is as safe as ... does it .

    15. Re:Just curious by rvw · · Score: 1
      Often times people will exploit it via normal advertisers

      I hadn't realised that this is in fact a very good method. Just buy some ad space at Google for office products or computer hardware at attractive but not unreasonably low prices, then create an online store for these products, make a message on the website that the store is offline, et voila! The user is not alarmed, moves on, but the computer is infected.

    16. Re:Just curious by lseltzer · · Score: 1

      You're right to a great degree. In practice these exploits are not on the sorts of sites that the average user is ever likely to visit. But there is some history, for instance with the WMF bug of almost a year ago, of the exploit being run through ad banner networks that work through 2nd-tier porn sites, wrestling sites, that sort of lowbrow stuff. It happens, but if you typically go to the New York Times and ESPN and the National Geographic and Nick.com these exploits will never affect you.

      Two other things are also worth noting: If you run as a limited user the exploit will as well, and will probably fail for trying to do things it can't (like write itself to the Autorun keys in the registry). Also if you're running a mail program that's been updated since Clinton was President you can't be attacked through HTML e-mail since they all block scripting and ActiveX in mail by default.

    17. Re:Just curious by benplaut · · Score: 1

      Every day is the zero'th day in Windows Town!

    18. Re:Just curious by Anonymous Coward · · Score: 0

      Right on. The guy didn't even realize he was being affected at the same time he was posting.

    19. Re:Just curious by dvice_null · · Score: 1

      > Does anyone actually know anyone that has been affected by any of these exploits?

      Many of the people getting infected don't know it. But don't tell me you have never heard of an infected Windows machine? Or do you assume they all got it from e-mail?

      > Seems to me that the odds of actually visiting a site that "runs" the exploit is incredibly low.

      So, you think only a few people will surf on pornsites or websites that have been hacked?

    20. Re:Just curious by Anonymous Coward · · Score: 0

      I just have to say that the parent comment is unbelievably insightful and worth all its (currently) three points.

      Put another way - without sarcasm - I have to say it's about the dumbest thing I've ever read at Slashdot and unless you're now visiting Slashdot for the first time you'll know just how dumb that is.

    21. Re:Just curious by Beryllium+Sphere(tm) · · Score: 1

      >if you typically go to the New York Times and ESPN and the National Geographic and Nick.com these exploits will never affect you.

      Unless the site is compromised by an attacker, or carries ads from an inadequately screened advertiser, or unless the advertiser has been 0wned.

      >Also if you're running a mail program that's been updated since Clinton was President you can't be attacked through HTML e-mail since they all block scripting and ActiveX in mail by default.

      That still leaves the attack vector of malicious image files. Most recently that would mean the WMF exploits, but prior to that there have been exploitable bugs in JPEG and PNG parsers. I recommend against HTML email in any event because of the risk of being tracked by web bugs. HTML email is, pardon the technical security industry jargon, an "abomination unto the Lord".

    22. Re:Just curious by OriginalArlen · · Score: 1
      Does anyone actually know anyone that has been affected by any of these exploits? Seems to me that the odds of actually visiting a site that "runs" the exploit is incredibly low.
      Oh yes. Just take a look at your local spam filter logs. A favourite tactic is to own a hosting centre farm (CPanel exploits were the favourite a couple of months back) and compromise hundreds of sites simultaneously. Alternatively, banner ad servers are a popular way to "get the message out".
      --

      Everything I needed to know about life, I learnt from Blake's Seven
    23. Re:Just curious by Overly+Critical+Guy · · Score: 1

      Most affected users probably don't know that they're infected. Their machine is simply turned into a zombie without their knowing it.

      --
      "Sufferin' succotash."
    24. Re:Just curious by Bert64 · · Score: 1

      Or a web server gets hacked, and someone inserts the exploit code into the sites hosted there... If it's subtle enough, it would take ages to get noticed by the admins or legit viewers, unlike a defacement which is immediately obvious.
      As for getting access to web servers, how many run IIS and have IE installed on them? Not to mention how many people admin their web servers from windows workstations, own the admin's workstation and you can keylog your way into the server too.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    25. Re:Just curious by Anonymous Coward · · Score: 0

      If saggy is your thing, then yeah...

    26. Re:Just curious by CrankyOldBastard · · Score: 1

      I have a friend's machine here - I've identified 110 viruses and items of malware on it so far. Something has screwed with the drivers sufficiently that it keeps rebooting, even in safe mode. Since they are running a pirated version of windows XP and they don't have the CDs it's a challenge finding a way to get the machine to stay up long enough to remove errant drivers. As far as I can tell it's all come from promiscuous surfing, and from installing what they describe as "free software". I'm still looking for that old w2k install cd to see if I can get it to stay up long enough to replace the dodgy drivers.

    27. Re:Just curious by sumdumass · · Score: 1

      Wasn't there an issue a while back where exploits were being coded into HTML email and outlook (express too) would execute it or take you to the link and open the exploit or virus just by previewing it to delete the email?

      Some of this had been fixed by now but I'm not sure something like this couldn't be rigged to be executed.

    28. Re:Just curious by Opportunist · · Score: 1

      Well, actually, time works against the malware writers, in case you keep your OS and AV soft updated and current. What impact could a worm have that uses the same vector LoveSan used? Of course, it would hit a few unprotected and unpatched machines, but it would never be as devastating as it was, at the very least company computers will not be affected in the same way.

      Unless their admins are really careless.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    29. Re:Just curious by Anonymous Coward · · Score: 0

      > Now, how do you get a link to a user and make him click?

      What about the load links in the background option?

    30. Re:Just curious by Anonymous Coward · · Score: 0

      Do what the majority of windows sys-admins do...use http://www.knoppix.org//. A much better way to fix windows than anything MS offers. Read write of ntfs is quite stable and there are all sorts of tools to do just about anything. Better still just install Ubuntu and give the puter back without saying a word...in fact you can run word docs just fine, do mp3s, convert and rip cds and dvds if you know how. On top of this you can surf all the pron you want without worry of getting pOWNED.

    31. Re:Just curious by dbIII · · Score: 1
      I was just infected 2 days ago with a rootkit ... Took a few tools to get that out and I didn't have a lot of reason to suspect something, since Symantec said it blocked it.

      What used to be the professional thing to do if an unknown person gets root access is to pull the plug, install on a new drive and restore from backup and interactive copying of any necessary files on the compromised volume that you can be sure are OK. How do you really know what happened when your computer was owned?

      Reinstalling is a pain - particularly with MS Windows and the habit a lot of MS Windows users have of not having an install source for a lot of their software (aaar matey!) - so we get this situation of large numbers of compromised machines that might be OK but doing things properly is too inconvenient.

  2. Hey, Linux weenies! by Anonymous Coward · · Score: 0
    1. Re:Hey, Linux weenies! by Anonymous Coward · · Score: 0

      As greater numbers of people willing to switch to linux, that is willing to learn, struggle, change software if necessary, actually make the switch the rate of switching will decrease. I would hardly say the linux market is at saturation, but that isn't even the topic of this article. As a sexy nerd-girl once said, "Once you go linux, you never go Mac."

    2. Re:Hey, Linux weenies! by Dunbal · · Score: 1

      As a sexy nerd-girl once said,

      Lay off the caffeine, dog. Now you're seeing things. There ain't no such thing as a sexy nerd girl. There are plenty of sexy girls (directly proportional to the amount of beer you've had), and there are some nerd girls. But sexy nerd girls? No way, unless you are really wasted.

      --
      Seven puppies were harmed during the making of this post.
    3. Re:Hey, Linux weenies! by ploss · · Score: 1
      http://www.google.com/trends?q=linux%2Cwindows&ctab=0&geo=all&date=all

      there's no trend here. windows searches are decreasing also.

      --
      What are the odds that some idiot will name his mutex ether-rot-mutex!
    4. Re:Hey, Linux weenies! by MichaelSmith · · Score: 1
      But sexy nerd girls? No way, unless you are really wasted.

      It's funny because the other week I was waiting at the supermarket checkout behind three of the ugliest women I have seen in a long time. Not offensive, just not ... very ... attractive.

      Their credit card transaction was going through. One of them appeared to be entranced by the flickering lights of the network gear embedded behind the register. She turned to one of her friends and said I think the hourly transfer is about to run...ah there it is.

      Geeks! And supermarket IT geeks at that.

    5. Re:Hey, Linux weenies! by jaredmauch · · Score: 1

      Since *BSD is dying and there are no good looking geek women, last chance to view BSD vs Linux.

    6. Re:Hey, Linux weenies! by Anonymous Coward · · Score: 0
    7. Re:Hey, Linux weenies! by Anonymous Coward · · Score: 0
      Since *BSD is dying and there are no good looking geek women, last chance to view BSD vs Linux.

      I'm so confused. All I remember is clicking on some link about BSD, then I muttered "Sweet Jesus", after that everything gets kinda fuzzy, but when I woke up all my machines were running FreeBSD.

    8. Re:Hey, Linux weenies! by Anonymous Coward · · Score: 0

      "There ain't no such thing as a sexy nerd girl."

      nerd n. 1. [mainstream slang] Pejorative applied to anyone with an
            above-average IQ and few gifts at small talk and ordinary social
            rituals.

      Sorry, I beg to differ with you. I have met quite a few nerd hotties in the valley. And as an example, Jeri Ellsworth is one hell of a hacker (geek, nerd, etc) and she is easy on the eyes http://images.google.com/images?hl=en&q=Jeri+Ellsworth&btnG=Search+Images

    9. Re:Hey, Linux weenies! by Dunbal · · Score: 1

      Jeri Ellsworth

      Like the romans said, you can't argue taste. Ewww. As far as I'm concerned, my point stands. But then again I must concede that yes, at least she LOOKS female.

      --
      Seven puppies were harmed during the making of this post.
    10. Re:Hey, Linux weenies! by Anonymous Coward · · Score: 0

      `But sexy nerd girls? No way, unless you are really wasted`

      You sir, are a moron - or just plain lazy!
      I give you the following references to consider:

      http://www.nerdpr0n.com/anna/
      http://www.nakkidnerds.com/hellothere.php

      Remember, I assert they exist, not that they are easily attainable.

    11. Re:Hey, Linux weenies! by Anonymous Coward · · Score: 0

      No sexy nerd chicks in the US of A They are only available in Canada pity!

    12. Re:Hey, Linux weenies! by Anonymous Coward · · Score: 0
    13. Re:Hey, Linux weenies! by Overly+Critical+Guy · · Score: 1

      Why is there no trend simply because Windows searches are also decreasing?

      In fact, the graph shows Windows searches beginning to increase again.

      --
      "Sufferin' succotash."
    14. Re:Hey, Linux weenies! by Anonymous Coward · · Score: 0

      Oh ye of little faith. Click here for a nerdy beauty and contemplate adding Mr. Easterbrook to your weekly reading: http://sports.espn.go.com/espn/page2/story?page=easterbrook/060919#cheerleader

    15. Re:Hey, Linux weenies! by RandomPrecision · · Score: 1

      Interesting indeed. My conclusion: people have to check the internet to find what's wrong with Windows more often than people have to check to see what's wrong with Mac or Linux.

  3. My first first post! by BrowserCapsGuy · · Score: 0, Offtopic

    Yippie.

    --
    Alright! I know I'm in there! If I don't come out, I'll have to come in after me!
    1. Re:My first first post! by BrowserCapsGuy · · Score: 1

      Damn you, realmolo.

      --
      Alright! I know I'm in there! If I don't come out, I'll have to come in after me!
    2. Re:My first first post! by Anonymous Coward · · Score: 0

      Fool. AC got the FP, you fail even worse. go cry in a corner.

  4. Darn by blantonl · · Score: 2, Funny

    I've been looking at porn all night.. it is saturday you know!.... jeeze.. I better start scanning my machine now (or stop looking at porn) .... (or reload my machine).

    --
    Lindsay Blanton
    RadioReference.com
    1. Re:Darn by Anonymous Coward · · Score: 0
      (or stop looking at porn)
      Get a hold of yourself man, you're talking crazy.
    2. Re:Darn by Eideewt · · Score: 1

      I'm sure he's already got a hold on himself.

    3. Re:Darn by Anonymous Coward · · Score: 0

      This is an urban legend. I've been surfing these pr0n sites all night and
      CARRIER LOST

    4. Re:Darn by moro_666 · · Score: 1

      yes, he probably has, a firm hold of himself, maybe slightly lubricated hold ...
      you're gonna have to wipe a lot of stuff after that "hold", more than just bits'n'bytes

      as to weenies a few posts up complaining that there are no sexy geek-chicks out there, yes there are ,but sorry guys, they just don't talk to complete losers that waste their time on slashdot and who have to look for girlfriends {given that they'd have time to look besides lubricate and /. } ;)

      --

      I'd tell you the chances of this story being a dupe, but you wouldn't like it.
  5. "Trusted" Websites by TheStonepedo · · Score: 2, Insightful

    For all of the shortcomings of IE, Microsoft does attempt to cover its ass to some degree. There are settings in IE which decide which goodies (javascript, (un)signed activex controls, etc.) can be run from which websites. When installing Server 2003, just about everything is out-of-bounds in the default IE. If Microsoft would advocate such tight controls by default on all Windows distributions, or even publish its own list of trusted 3rd-party sites, risks could be reduced. The malicious folks who take advantage of zero day exploits tend to be in the seedier parts of the tubes anyway.

    --
    I'll be your candy shop of infinite deliciousity if you'll be my discotheque of endless rump-shaking.
    1. Re:"Trusted" Websites by 0racle · · Score: 2, Insightful

      And if MS published such a whitelist so many of Slashdot's readers would get up in arms about leveraging their monopoly and various other terms they don't really understand. That said, it really isn't Microsoft's place or duty to police the internet and say what is and is not safe.

      --
      "I use a Mac because I'm just better than you are."
    2. Re:"Trusted" Websites by Opportunist · · Score: 1

      It's also not their duty to tell me what content I can watch and which one I cannot...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:"Trusted" Websites by GIL_Dude · · Score: 1

      That's true, but so is the statement that "it isn't their duty to take the trash out for you.", however I don't see your point. If you are trying to send a barb at DRM, it doesn't tell you what you can watch and what you can't. It limits how you can watch it and might make you buy it again to shift format (which sucks and all that - I am against DRM). However, you really aren't making a point by saying they are telling you what you can and can't watch - that is what the government and FCC do.

    4. Re:"Trusted" Websites by springbox · · Score: 1

      These sorts of problems seem to happen frequently with IE. Making a default white list to add to "trusted sites" is just a band aid. Microsoft could solve the problem by fixing the holes in the browser that let such exploits through. If IE7 is any indication though, I'd be surprised if MS was interested in actually fixing it at this point.

    5. Re:"Trusted" Websites by Bacon+Bits · · Score: 1

      The problem is as it always was: ActiveX. MS can't block ActiveX because any product that uses IE as the front end with ActiveX controls is suddenly broken. *Lots* of corporate web-based programs employ ActiveX controls. Everything from Flash to Acrobat Reader to Windows Update uses ActiveX.

      A best-case scenario would be to allow Administrators to blanket-block All ActiveX controls except for a select few. You can actually do this with the IE Admin Kit and Group Policy, but it is exceptionally difficult to administer, IMX. MS didn't do a good job of allowing IE to be controlled with AD policy because IE's security model is essentially to treat IE as essentially a separate entity for rights and permissions.

      Of course, the vast majority of these zero-day ActiveScripting attacks don't work in well-run corporate environments because users there don't have local Admin rights and the ActiveX controls don't function correctly then. Unfortunately, software vendors tend to assume the user is an admin, so you can't always make your users into just Users.

      --
      The road to tyranny has always been paved with claims of necessity.
    6. Re:"Trusted" Websites by Anonymous Coward · · Score: 0

      How many users expect to use plain text to surf the web?

      Ohh that's right, everyone that calls in on the support line whining their internet is broke. got it.

      The new internet now only runs via netcat and $PAGER. enjoy!

    7. Re:"Trusted" Websites by Anonymous Coward · · Score: 0

      Hah! Have you ever actually tried to use IE "Enhanced Security Configuration" for browsing? It's borderline unusable (especially on an intranet), which is why it's "secure" at all.

    8. Re:"Trusted" Websites by v1 · · Score: 1

      My take on it is, if MS wants to protect the people, why is it blocking the harmful web sites?

      Isn't it a bit like disbanding the police force and trying to get guns outlawed?

      The web sites aren't the problem. They are doing exactly what you'd expect them to do in a random free society, they are taking advantage of suckers. And in this case, windows is a big dum-dum pop. The problem has to be solved on the computers, not on the web sites.

      I suppose another way to look at it would be for you to take all that money you were going to spend on locks and deadbolts and an alarm for your house, and instead donate it to the police force. Yes, if you manage to get rid of all the criminals in your neighborhood you might be safe, but do you really think that's ever going to happen?

      You cannot make a safe system by starting with an insecure-by-design system and apply layer upon layer of security on top of it. It never works. If you want it secure, it has to start with a reasonably small amount of external security on top of a solid internal design.

      --
      I work for the Department of Redundancy Department.
    9. Re:"Trusted" Websites by Anonymous Coward · · Score: 0

      Have you actually tried using the "security enhanced" IE in Server 2003? More security alerts than Vista. Completely infeasible for the desktop (and nearly useless on the server as well).

    10. Re:"Trusted" Websites by Monsuco · · Score: 1
      For all of the shortcomings of IE, Microsoft does attempt to cover its ass to some degree.
      I think part of their changes in Vista (particularly the making IE and Explorer Separate, which also sort of happens with IE 7 on XP) is an attempt to stop having to cover their ass as much. IE has proven to be a lot of work for MS, and many of their employees say that the whole purpose was to crush netscape, which they decided wasn't really worth it. Hindsight is always 20/20 I guess.
    11. Re:"Trusted" Websites by Opportunist · · Score: 1

      Well, it also has the power to tell me what I can watch and what I cannot. If a certain movie is not deemed "appropriate" in my country, I'm out of luck. If a certain content is deemed "secret", you cannot show it to others.

      Has anyone ever considered the implications of DRM for whistleblowing? Leaked information has more than once been the first and only warning that something is running very wrong. This can be put to an end very efficiently with DRM.

      You can in theory even retroactively nullify information. Rewriting history has never been easier.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. LOL by Anonymous Coward · · Score: 0

    the gayer the city, the more people search for Macs

    1. Re:LOL by filterchild · · Score: 1

      Some of us gays prefer to stick with Linux, thanks.

    2. Re:LOL by Anonymous Coward · · Score: 0

      It's because of that OH SO SEXY man that plays the Macs on the Apple ads.

  7. Seriously, Is Firefox susceptible to this too? by pentalive · · Score: 1

    Or is it only via IE.

    What other ways can this exploit be triggered?

    1. Re:Seriously, Is Firefox susceptible to this too? by Shados · · Score: 1

      It's the forever plague of the ActiveX vulnerabilities (though semi-indirectly in this case). So Firefox is safe. Anything that uses XMLHTTP control in a way that it could get arbitrary inputs is vulnerable. In other words, Internet Explorer, anything that uses MSHTML straight to connect to random web sites (it's safe if it's only trusted web sites), so that includes Outlook, etc. That's about it. But that's too much for my taste.

    2. Re:Seriously, Is Firefox susceptible to this too? by 1337Garda · · Score: 1

      So, am I right in saying that IE7, the new browser that was supposed to be really secure and reliable has now got its second major security flaw since its release only a matter of weeks ago?

    3. Re:Seriously, Is Firefox susceptible to this too? by Shados · · Score: 5, Informative

      Yes and no. This flaw is specific to XMLHTTP, which is kind of developed independently. You also can use XMLHTTP without using IE at all, that's why I say it's independent. It's probably a buffer overflow, and not much to do about it in this case. So yes IE7 has a flaw, but there really isn't anything they could do in the current context. -HOWEVER-, while IE7 is more secure than IE6 in a million ways, the WinXP version is nothing but a shadow of the real thing. The sandboxed IE7 is on Vista only, and I'm pretty damn sure this vulnerability is not an issue there. Anyway, so it's more semantic here, but you could say "yes, IE7 has a vulnerability". However, it's a little bit like if there was a vulnerability in KDELIB across the board...obviously that would touch Konqueror, no matter how secure Konqueror itself is... Can't excuse that one though. IE7 on XP is far, far from secure. More secure, but not secure.

    4. Re:Seriously, Is Firefox susceptible to this too? by uhlume · · Score: 2, Informative

      Only by virtue of Microsoft's attempt to provide backward compatibility for AJAX sites developed for older versions of IE.

      Prior to IE7, the XMLHTTP object, used to retrieve data from external sources without full-page reloads, was provided by an external ActiveX control. With IE7, Microsoft has implemented XMLHTTP natively in-browser, rendering the ActiveX control unnecessary -- however, it's still possible for older sites which haven't yet been rewritten to take advantage of native XMLHTTP support to load the ActiveX version.

      The good news is, if you don't mind breaking the many AJAX-reliant sites which still use the old-style XMLHTTP object, you can disable it completely through IE7's (and IE6SP2's) Add-on management.

      --
      SIERRA TANGO FOXTROT UNIFORM
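
The native-versus-ActiveX split described in the comment above, as an added example that is not part of the original thread: a site owner's audit that finds where a page script still loads XMLHTTP through ActiveX, next to a factory that uses only the native object. The function names `auditScript` and `createNativeXhr` and the sample script are constructed for illustration.

```javascript
'use strict';

// String literals naming the MSXML XMLHTTP ActiveX control by ProgID,
// e.g. "Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.4.0".
const PROGID_LITERAL = /(["'])((?:Microsoft|Msxml2)\.XMLHTTP(?:\.\d+\.\d+)?)\1/gi;

// new ActiveXObject(<non-literal>): the ProgID is picked at run time,
// so the call site needs manual review.
const DYNAMIC_CALL = /new\s+ActiveXObject\s*\(\s*(?![\s"'])/g;

// Constructed sample of the common pre-IE7 helper: native object first,
// then a fallback loop over ActiveX ProgIDs.
const SAMPLE_LEGACY_SCRIPT = `function getXhr() {
  if (window.XMLHttpRequest) { return new XMLHttpRequest(); }
  var ids = ["Msxml2.XMLHTTP.4.0", "Msxml2.XMLHTTP", 'Microsoft.XMLHTTP'];
  for (var i = 0; i < ids.length; i++) {
    try { return new ActiveXObject(ids[i]); } catch (e) {}
  }
  return null;
}`;

// Return one finding per legacy ProgID literal and per dynamic
// ActiveXObject call, with 1-based line numbers. Matches inside comments
// are reported too, which is acceptable for a review aid.
function auditScript(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    for (const m of text.matchAll(PROGID_LITERAL)) {
      findings.push({ line: idx + 1, kind: 'progid', value: m[2] });
    }
    for (const m of text.matchAll(DYNAMIC_CALL)) {
      findings.push({ line: idx + 1, kind: 'dynamic-activex', value: m[0].trim() });
    }
  });
  return findings;
}

// Replacement factory: use the native object or fail loudly. `env` stands in
// for the browser's window object. Truthiness is tested rather than
// typeof === 'function' because old IE reports the native constructor
// as "object".
function createNativeXhr(env) {
  if (env && env.XMLHttpRequest) {
    return new env.XMLHttpRequest();
  }
  throw new Error('native XMLHttpRequest unavailable; refusing ActiveX fallback');
}
```

Once a site's scripts come back clean from the audit, visitors who disable the old control in Add-on management lose nothing on that site.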
    5. Re:Seriously, Is Firefox susceptible to this too? by baadger · · Score: 1
      ...while IE7 is more secure than IE6 in a million ways, the WinXP version is nothing but a shadow of the real thing.

      Mark of SysInternals posted an interesting entry on his blog back in March, Running as Limited User - the Easy Way (it's at the bottom of the page, I couldn't find a working direct link), which describes just how easy it is, with the help of the SysInternals free psexec utility, to drop essentially all Administrator privileges when running IE.

      It isn't a complete solution, Protected Mode probably does a lot more than this, as mentioned in the entry filter window messages (another brain fucked insecure by default design) for example. Even so it is pretty poor, given that a whole load of people out there still run XP as an Administrator, Microsoft hasn't even bothered to apply such a band aid for IE7 under XP.

      Microsoft released XP Home Edition for home users, and despite this specialization they've still been too chicken shit scared of upsetting a minority to change anything for the greater good of these home users. I hope for the sake of people riddled with malware and rootkits today that Microsoft actually does do a better job of specializing the various versions of Vista to the security needs of their respective target user group.
    6. Re:Seriously, Is Firefox susceptible to this too? by cnettel · · Score: 1

      I was under the impression that the same MSXML code is still used under the hood (any JScript object in IE is a COM/ActiveX object, you just create them or get references to them in different ways), so depending on the actual exploit, I wouldn't be so sure that your bandaid will solve it. It should solve it for IE6SP2, though, but at the cost of disabling all AJAX.

    7. Re:Seriously, Is Firefox susceptible to this too? by wakim1618 · · Score: 1

      Is it OK then on a limited account under Windows XP (using Firefox and a firewall)? More generally, how useful is browsing from a limited account against day zero exploits? As I understand it, running under a limited account means that the exploit can't do anything that I can't do as a limited user, including installing stuff. But a quick google leads to statements such as "If the exploit attacks an operating system service, as Sasser and Blaster do, then it doesn't even matter whether anyone is logged on, let alone whether they are an admin. (Use a firewall.)" (http://blogs.msdn.com/aaron_margosis/archive/2004/06/25/166039.aspx) I am admin for my parent's home computer remotely and that is their current setup. Is there something else that I should be doing?

    8. Re:Seriously, Is Firefox susceptible to this too? by Anonymous Coward · · Score: 0

      Nothing can be perfectly "secure" (theoretically undecidable). You can only raise the bar. Just wanted to add that.

  8. Re:The fix's already available by Opportunist · · Score: 1

    Let the distro war begin!

    Just gimme enough time to grab the popcorn.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Oh good... by Duncan3 · · Score: 0, Troll

    "all Microsoft based operating systems except Windows 2003"

    Glad nobody I know is vulnerable to this. Everyone is OSX, Linux, or Win2003 for a long time now.

    --
    - Adam L. Beberg - The Cosm Project - http://www.mithral.com/
    1. Re:Oh good... by Shados · · Score: 1

      It's sad when you think that Windows 2003 is a better desktop OS than Windows XP...a bit pricey for a desktop, too =P

    2. Re:Oh good... by Anonymous Coward · · Score: 0

      Your lack of friends does not change the percentage of people that use Windows.

    3. Re:Oh good... by Duncan3 · · Score: 1

      It is when you can run as non-admin and have it mean something.

      3 years and zero virii, trojans, etc on any of the Win machines.

      --
      - Adam L. Beberg - The Cosm Project - http://www.mithral.com/
    4. Re:Oh good... by Shados · · Score: 1

      That probably comes with good usage more than just the OS though. I've run NT4, 2k, and XP for about 9 years over (I think that's right?), and didn't get even as much as a spyware on any of those, without any permanent scanners (I scan like once every 6 months or so). But the whole running in non-admin and mean something thing does sound cool.

    5. Re:Oh good... by makomk · · Score: 1

      Of course, if they've modified Internet Explorer settings to the point where modern "Web 2.0" sites actually work in Internet Explorer, Windows Server 2003 users are probably vulnerable too...

    6. Re:Oh good... by Anonymous Coward · · Score: 0

      ... Windows 3.1, 95ABC, 98&SE, 2k, XP, and Server2003 and never ever had a virus, and I've never run an on-access virus scanner (I have a scheduled task that scans my systems daily).

  10. OpenBSD! by Anonymous Coward · · Score: 0

    Actually, after I got tired of calling Microsoft to activate my XP on 2 different machines a zillion times I just grabbed my Win2k Pro CD and slipstreamed it to SP4, after which I used the CD to set myself up some images for QEMU and I disallow w2k to do anything except SSH and FTP to the host (Linux) machine.

    Need to try this on OpenBSD too.

    Running Windows with its gonads hanging out the window is asking for trouble.

    If I did not have some expen$ive proprietary software that I need to use, I'd not touch the leper. :)

  11. A Web "browser" - implies "just looking" by NotQuiteReal · · Score: 1, Funny
    What is so hard about the concept of a program that can go out to the Internet, look at what is there and renders it for me. WITH NO WAY TO CHANGE ANYTHING ON MY COMPUTER.

    Is that so much to ask for, of ANY browser?

    --
    This issue is a bit more complicated than you think.
    1. Re:A Web "browser" - implies "just looking" by The+Lone+Man · · Score: 1

      I'm going to go away and laugh now.

    2. Re:A Web "browser" - implies "just looking" by TheRaven64 · · Score: 1

      Well, you could always run a browser in a virtual machine and not allow it to save state. Alternatively, it is quite easy to write a systrace policy that prevents writing to any files that are not in the cache directory (and optionally a downloads directory), and doesn't permit it to read any files other than its dependent libraries.

      --
      I am TheRaven on Soylent News
    3. Re:A Web "browser" - implies "just looking" by Anonymous Coward · · Score: 0

      It's going to be hard to build, parse, and render a DOM without modifying the contents of your RAM.

    4. Re:A Web "browser" - implies "just looking" by cheater512 · · Score: 1

      Or you could just remove the execute bit from the cache dir.

      Oh wait. Wrong OS. Your screwed. :)

    5. Re:A Web "browser" - implies "just looking" by dreamer-of-rules · · Score: 1

      Well, you could always run a browser in a virtual machine and not allow it to save state.

      Not that you were implying otherwise, but...

      It's bloody difficult to do that with the Windows Internet Explorer (explorer.exe) because it is also:
      -- the File Manager
      -- the Start Menu and Start Bar
      -- the Desktop
      -- embedded in CA Anti-Virus, Veritas, and Quickbooks and many other business apps

      If you go into the Advanced options you can choose to run each instance in a different process, but that's not the default.

      Stupid! Stupid! Stupid, Microsoft!

      --
      Everyone is entitled to his own opinions, but not his own facts.
    6. Re:A Web "browser" - implies "just looking" by anomalous+cohort · · Score: 1
      program ... go out to the Internet ... no way to change anything on my computer

      I guess that you don't see any value in bookmarking or in caching for performance.

      Actually, there is something close to what you are describing. It is called a Linux live CD with firefox on it such as knoppix.

    7. Re:A Web "browser" - implies "just looking" by Anonymous Coward · · Score: 0

      Actually, in windows xp, internet explorer is iexplorer.exe, whereas explorer.exe is everything else.

    8. Re:A Web "browser" - implies "just looking" by daveb · · Score: 1

      You haven't used a virtual machine have you? Go download VMWare or virtual-pc (slower but invades your system less than vmware - and the full thing is free from microsoft). You will find that there's an option to delete changes on exit. It's not hard - just a tad over the top

    9. Re:A Web "browser" - implies "just looking" by Technician · · Score: 1

      WITH NO WAY TO CHANGE ANYTHING ON MY COMPUTER.

      If you are visiting the seedier part of town and want some protection, may I interest you in a live CD?

      I've used live CDs while on the road and had to use a hotel internet connection. Who knows what could be in the middle there. I fired up Ubuntu as a live CD and hit the web. Stayed away from e-mail and any finance sites while on the road. It was fine for checking mountain pass conditions for travel and entertainment via youtube and other sites.

      At the end of the session, simply power off. Nothing is written to the hard drive.

      --
      The truth shall set you free!
    10. Re:A Web "browser" - implies "just looking" by Anonymous Coward · · Score: 0

      Try the Browser appliance from VMware; essentially firefox, running on linux, inside a virtual machine you can trash and restart clean each time you load it.

    11. Re:A Web "browser" - implies "just looking" by vtcodger · · Score: 1
      ***What is so hard about the concept of a program that can go out to the Internet, look at what is there and renders it for me. WITH NO WAY TO CHANGE ANYTHING ON MY COMPUTER.

      Is that so much to ask for, of ANY browser?***

      Apparently it is. Web site designers are absolutely certain that you need a gazillion goodies and stand ready to deliver them whether YOU (or I) want them or not. With a few exceptions -- the Google home page renders usably in just about any browser ever written and does not depend on Ajax, Java, Flash, or black magic -- these guys are engaged in a Red Queen's race not seen since the great tailfin and porthole battle engaged in by US car makers in the late 1950s.

      But this is just plain silly and the users hate it? Of course. But the web folks seem to think that feedback is something that makes amplifiers whine, not something that is relevant to their job. Customers -- what do they know?

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    12. Re:A Web "browser" - implies "just looking" by citizenr · · Score: 0

      it is called OPERA

      --
      Who logs in to gdm? Not I, said the duck.
    13. Re:A Web "browser" - implies "just looking" by nikster · · Score: 1

      The browser needs to run in a sandbox that it can't get out of. Then the only exploits would be ones that get you out of the sandbox and presumably could be closed easily. That's the only security concept that can work because the number of attack vectors is minimized.

      Otherwise - rendering libraries have bugs, can be made to overflow etc. So even a look-don't-touch kind of browser would be vulnerable.

      I find it pretty convenient to be able to download stuff, including installers. In fact, I couldn't really imagine the internet without that. Browsers can be made secure, but there is more to it than just saying "it can't change anything on my system".

    14. Re:A Web "browser" - implies "just looking" by Anonymous Coward · · Score: 0

      open explorer.exe, goto a website. what does iexplore.exe have to do with that?

    15. Re:A Web "browser" - implies "just looking" by Anonymous Coward · · Score: 0

      It's bloody difficult to do that with the Windows Internet Explorer (explorer.exe) because it is also:
      -- the File Manager
      -- the Start Menu and Start Bar
      -- the Desktop
      -- embedded in CA Anti-Virus, Veritas, and Quickbooks and many other business apps


      explorer.exe IS NOT internet explorer. there's a difference between explorer and internet explorer, you know. explorer.exe is the file manager, start bar/menu and desktop, and components can be embedded in other apps. iexplorer.exe (note the leading i) is internet explorer. Explorer is in the windows system directory, while Internet Explorer is in program files\internet explorer.

    16. Re:A Web "browser" - implies "just looking" by Anonymous Coward · · Score: 0

      What is so hard about the concept of a program that can go out to the Internet, look at what is there and renders it for me. WITH NO WAY TO CHANGE ANYTHING ON MY COMPUTER.

      Is that so much to ask for, of ANY browser?


      I recently set Firefox up to do almost this[1], but I don't use it. Why? Because when it can't change anything, how am I going to save those JPEGs? Firefox doesn't have access to my image folder.

      [1] Well, not quite, Firefox has its own userid and home directory, and cannot write outside that (and /tmp).

  12. Doesn't affect windows 2003 by Anonymous Coward · · Score: 0

    That's cool. This is my pirate version of choice for the desktop.
    Isn't even affected by WGA.

    Niiice.

  13. The best solution by BeeBeard · · Score: 1

    ...is also the most impractical. What you do is just never network the Windows box in the first place. No internet, no intranet--nothing. If you use Windows exclusively, then this isn't really an option. You're going to want to get online eventually. But if you're double booting and running Windows for rendering applications, non-multiplayer games, office suites or whatever else that doesn't require connectivity, then you'll be fine.

    1. Re:The best solution by AusIV · · Score: 1
      You are severely exaggerating. I'm no windows fan, in fact I highly encourage my friends and family to try Ubuntu, and use it on one of my computers. My laptop runs Windows because there are a few apps I like having. When I have the time I'll set up a dual boot, but for now I use Windows XP.

      The computer I had before my current laptop got incredibly bogged down with viruses that entered the system through a variety of means. Eventually I found it to be unusable, and switched it to Linux. My laptop, however, has been running XP for a year and a half and I have never had a problem with viruses. For a year I ran Norton Internet Security Suite, then got fed up with it and switched to Computer Associate's derivative of Zone Alarm. A large part of this time, it has been exposed directly to the internet with no form of hardware firewall in between. The software I use most of the time is Firefox, Gaim, OpenOffice.org, an ancient DOS app for managing my checkbook, iTunes for my iPod (though I've recently started using my iPod with Amarok on my Linux box instead), and I've played a few multi-player online games. Let me reiterate that I have never had a problem with viruses. I don't like having to pay $25-50 a year for an anti-virus and firewall, and I certainly wouldn't touch IE with a ten foot stick (I've recently started referring to IE as the Firefox download utility), but it is possible to maintain a windows system without having it affected by viruses.

    2. Re:The best solution by aristotle-dude · · Score: 1

      Admiral Adama? Is that you?

      --
      Jesus was a compassionate social conservative who called individuals to sin no more.
    3. Re:The best solution by Anonymous Coward · · Score: 0

      "Admiral Adama? Is that you?"

      I was about to ask him for safer sex advice, but I fear he will reply with abstinence or even castration.

    4. Re:The best solution by Zwaxy · · Score: 2, Insightful

      > You are severely exaggerating.

      He isn't. He said that the most certain way of avoiding vulnerabilities is not to be connected to the 'net. That's true, right?

      You said:

      > The computer I had before my current laptop got incredibly bogged down with
      > viruses that entered the system through a variety of means.
      > Eventually I found it to be unusable, and switched it to Linux.

      and then went on to say:

      > Let me reiterate that I have never had a problem with viruses.

      Sounds to me like you have had a problem with viruses; so much so that you found they made your computer unusable.

    5. Re:The best solution by Jaseoldboss · · Score: 2, Insightful
      No, this problem only affects computers with browsers that support ActiveX. That's why W2K3 isn't affected, because IE is configured to be virtually "text only".

      Have you seen the 'mitigating factors' from the MS advisory? They're hilarious:

      In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

      Ahh, easy. Don't click links on the web then.

      An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

      That's good, the first thing Aunt Nelly does with her new PC is set up a LUA account.

      The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.

      Put malicious sites in the Restricted Zone first, good advice - can we have a list of them please? Before anyone suggests turning off Active Scripting, that causes IE to display a warning message box every time you visit a site with Flash, making it unusable.

      A much better mitigating factor would be that over 10% of users can't run ActiveX because they are using Firefox or Linux.
    6. Re:The best solution by BeeBeard · · Score: 1
      I was about to ask him for safer sex advice, but I fear he will reply with abstinence or even castration.


      Nonsense--I'm a progressive, 1490's man. You're allowed to choose between the two.
    7. Re:The best solution by azhrei_fje · · Score: 1

      Another option is to run Windows exclusively inside a virtual machine session and prevent any persistence of changes to the virtual drive(s) in that session. If you are hacked, reboot the virtual machine and everything is back the way it was. This produces the problem of where to store data that should be persistent. The obvious place is on a "network" drive that connects to the host's filesystem. If the host is non-Windows, this has a good chance of working reasonably well, except that the virtual machine can still get to it. So after saving the data, it would need to be moved outside of the hierarchy seen by the VM. But how can you guarantee that it can be sanitized before moving it back? After all, you'll need that data at some point, or you wouldn't have saved it.

    8. Re:The best solution by WilliamSChips · · Score: 1

      He isn't an Admiral anymore now that Pegasus is gone. Lee went back down to Major too.

      --
      Please, for the good of Humanity, vote Obama.
    9. Re:The best solution by dbIII · · Score: 1
      Another option is to run Windows exclusively inside a virtual machine session

      It works - I've seen someone get spyware in Win4lin! Fixing it took around twenty seconds since I just had to rename the directory and copy another one into its place.

      There are also things like deepfreeze (sic?) that keep the system drive read only unless you really want it to apply an update or install something - plus the hardware dependent option of dumping disk images somewhere for easy re-installs.

    10. Re:The best solution by nicuramar · · Score: 1

      I guess that's why they still call him admiral in 'Torn' which is two episodes after Pegasus went down? :-p.

  14. In Soviet Russia by alphasubzero949 · · Score: 1, Funny

    Windows exploits you!

    1. Re:In Soviet Russia by Anonymous Coward · · Score: 0

      I thought that was true everywhere.

  15. Request by Anonymous Coward · · Score: 0

    Can anyone reply with the HTML code that this vulnerability can exploit for me?... ...

    Why are you looking at me that way?

  16. Re:GO BACK TO ENGLISH CLASS, HOMO by Anonymous Coward · · Score: 0

    I'd say that I sense a logic gap but that might be "pointing out how brilliant" I am and I'd hate to upset the sour apples.

  17. Re:sigh. by uhlume · · Score: 2, Funny

    You're right. This is the sort of English up with which we should not put.

    --
    SIERRA TANGO FOXTROT UNIFORM
  18. Hello my name is Microsoft... by alnjmshntr · · Score: 1

    and I write buggy software. I am by no means a MS basher, but the security advisory that they have put out reads like an endless stream of lame excuses.

    It may very well be that stupid users or badly configured systems allow these exploits to thrive but FFS Microsoft just admit that you are actually at least partially to blame.

    As long as they fail to realise that they are not gods and do actually write buggy software, what hope is there that they will ever succeed in producing something secure?

    --
    If I had created the world I wouldn't have messed about with butterflies and daffodils. I would have started with lasers
    1. Re:Hello my name is Microsoft... by Mia'cova · · Score: 1

      I think every single developer at Microsoft understands that no code is perfect and there will be vulnerabilities. The vast majority of these exploits are still showing up in old legacy code and not the new stuff. Plus, they know that there will, at some point, be a new wave of vulnerabilities like when XSS became popularized and much of the new "more secure than ever" code will be just as vulnerable to those kinds of attacks as anyone else's code. You say they fail to realize that they won't catch everything but don't acknowledge that by doing JUST THAT, they reduced default functionality of IE on the latest version of windows (win server 2003), preventing this bug from being exploitable in a default-settings IE. They're reducing attack vectors bit by bit with every new release. It's a major priority. That's why the latest wasn't vulnerable. Even if this bug still shipped in Vista, I would bet that even with ActiveX enabled, it probably wouldn't be exploitable thanks to improvements such as reduced privileges. Claiming that MS has learned nothing, admits nothing, or does nothing is simply wrong.

  19. Re:sigh. by jrobinson5 · · Score: 0

    What the summary doesn't state is that more important than "where you surf to" is "what you surf with". As the summary states, this vulnerability only covers IE.

  20. Linux - Ubuntu by h2g2bob · · Score: 1

    another interesting graph

    Linux searches become Ubuntu searches.

    1. Re:Linux - Ubuntu by TheShadowzero · · Score: 1
      --
      If history repeats itself, why can't we study the future?
    2. Re:Linux - Ubuntu by thzinc · · Score: 1
  21. Oh No! by dreamlax · · Score: 1

    Someone set up us the exploit!

    1. Re:Oh No! by Anonymous Coward · · Score: 0

      What you say!!

    2. Re:Oh No! by dreamlax · · Score: 1
      What you say!!

      I say "Someone set up us the exploit!" . . . what you deaf? . . . Take off every headphones.

    3. Re:Oh No! by Anonymous Coward · · Score: 0

      Your jokes are bad and you should feel bad!

  22. Re:GO BACK TO ENGLISH CLASS, HOMO by Anonymous Coward · · Score: 0

    Just let it go. No one cares. Except me. I hate having to read it. So I replied. Now I need to figure out somewhere else to go ... to.

  23. "Zero day" by Stormwave0 · · Score: 0, Redundant

    Whatever happened to the days of when exploits were just called exploits? Now, everyone has to add zero day just to make it sound scary. Does anyone really care?

    I, for one, am sick of the "zero day" exploits. Call them exploits, because that's what they are.

    And before anyone brings it up, yes I am aware that zero day means the exploit was released the day the vulnerability was announced/discovered. That still doesn't change my opinion.

    1. Re:"Zero day" by Anonymous Coward · · Score: 0

      Okay, so "zero day exploit" is passe. Then let's change the name for this, punch it up a little and perhaps bring it more into line with the planned Vista license...

      "Dear Microsoft Customer,

      Recently, we detected an Unauthorized license violation, where someone other than the licensed user was using the software. As you know, this violates the terms of use as outlined in the License Agreement..."

      Then they can brick the machine, requiring either purchasing a new copy of Windows or a new license, or, better yet, make an example of the culprit and bring suit against them.

      Beats having to fix it!

    2. Re:"Zero day" by flyingfsck · · Score: 1

      Why can't you just write 'I', without the ',for one,'? There aren't all that many schizophrenics that you need to make the distinction.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    3. Re:"Zero day" by David+Off · · Score: 1

      > And before anyone brings it up, yes I am aware that zero day means the exploit was released the day the vulnerability was announced/discovered. That still doesn't change my opinion.

      ahhh, I didn't know that but there is so much jargon around these days from people trying to sound sexy and intelligent I do let a lot go over my head. Thanks for the clarification. I've been hearing "zero day zero day" everywhere, I thought it must be some kind of clever attack like Birthday or something. There you go, learn something new every zero day.

    4. Re:"Zero day" by Caesar+Tjalbo · · Score: 1
      First God booted into his OEM Windows (tm) XP Home,
      The hard drive was an empty formatted wasteland, waiting to be filled.
      Then God said, "Let there be internet," and there was a connection.
      God saw the Internet Explorer icon on his desktop and clicked it.
      God surfed the web. Thus sites came, and exploits followed--the zeroth day
      --
      "I'm not much interested in interoperability. I want substitutability. I want to be able to throw your software out."
    5. Re:"Zero day" by Anonymous Coward · · Score: 0

      M$ likes things the way they are. Broken. That way people will be so fed up they will want to purcha$e the next generation.

  24. That's what they get by jrmiller84 · · Score: 2, Funny

    Internet Explorer 6/7
    Well that's what they get for not updating and running Internet Explorer 6/7! It's not even version 1.0!

    --
    I will forever be a student.
  25. Your vs You're by idonthack · · Score: 3, Funny
    Your screwed.
    What about my screwed?
    --
    Why is it that when you believe something it's an opinion, but when I believe something it's a manifesto?
  26. Mac geek girls by Anonymous Coward · · Score: 0
    But sexy nerd girls? No way, unless you are really wasted.
    You've never met a Mac geek girl.
    1. Re:Mac geek girls by Dunbal · · Score: 1

      You've never met a Mac geek girl.

      You can keep them. Perhaps I'm spoiled, since I live in Latin America. Oiga, las mujeres down here are, well, guapissimas :)

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Mac geek girls by Anonymous Coward · · Score: 0

      The first 2 are average at best. The 3rd almost made me puke. Even drunk I wouldn't hit it.

      If that's the best you could find, you've really proved there are no sexy mac geek girls!

  27. Now for some real news by davidwr · · Score: 1

    You want news? Now this would be news:

    REDMOND - NOV 23, 2006
    Microsoft is proud to announce that for the second day in a row, no 0-day exploits were discovered in its flagship Microsoft Operating System.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Now for some real news by shird · · Score: 1

      By definition, an exploit that is 'discovered' is '0-day'. You can't 'discover' a 0-day exploit. You discover an exploit, and the day that you publish it is the 0-th day of that exploit being known.

      --
      I.O.U One Sig.
  28. careful by WisC · · Score: 0

    Before the linux freaks start foaming at the mouth (and knob) about another windows vulnerability, let's get things in perspective:

    Most people will try and be pragmatic about a given situation and accept the lesser of two evils, in this case windows. Before you all jump on this, if I asked you which language would you rather speak, English (not the perfect language, but the majority of people understand and use it, like windows) or Latin (archaic, long winded, difficult to understand and only outcasts of humanity and people living in the past use it, like linux) ...Yep thought so, don't worry linux users, you can always lick up the mess from those foaming knobs

    1. Re:careful by Anonymous Coward · · Score: 0

      You're a dumbass. Mandarin is spoken by twice as many people as English. Just because you can't talk to them, doesn't mean they don't exist.

    2. Re:careful by WisC · · Score: 0

      You red commie pinko, it's people like you who speak mandarin and buy cheap chinese tvs from walwart that will ensure the rising and enslavement of the west by the commies

  29. Payload by oh_the_humanity · · Score: 1

    Is this just a vulnerability, or is there an exploit for it in the wild? If so, what is the payload? I use a mac, so I'm not concerned for me, just the network I manage.

    --
    "When they invent bitch slaps that can go through a monitor you better f'ing duck" --deft (253558)
    1. Re:Payload by dreamer-of-rules · · Score: 1

      First, the term "Zero Day" means that there is an exploit already.

      Second, If you had clicked on either link in the article, or bothered to read the other replies, before clicking the "Reply" link, typing in your questions, and clicking Submit, you would have discovered that an exploit does exist, and the result is "arbitrary code with the same rights as the user". Vulnerability and prevention details are in said articles.

      Third, I also use a Mac and manage a Windows network. And I am restraining myself when I say, "Argh! You..!"

      --
      Everyone is entitled to his own opinions, but not his own facts.
    2. Re:Payload by Anonymous Coward · · Score: 0

      You manage a network and you don't know what Zero Day means and can't be bothered to actually read the article. Your users are in good hands.

  30. Hack a reputable established webpage by Anonymous Coward · · Score: 0

    A trick now seems to find a reputable well-established site which gets a reasonable number of hits. Not a massive site belonging to some big company but something reasonable anyway. Hack it and then when people visit the webpage they get hacked. How do I know? Because it happened to me.

  31. Exploits by Mark_MF-WN · · Score: 1

    Well, the idea is that you combine the code with a worm that can infect webservers. That way, lots of webpages will have the code, and the odds of an unprotected Windows machine being infected increase rather substantially.

  32. Oh neato by racebit · · Score: 1

    Cool, a new zero day exploit for win9x/nt

    In other news, it is being reported that the sun rose this morning. Tape at eleven.

  33. Douche vs. bag by Anonymous Coward · · Score: 0

    Imagine that - a post that's not informative, funny, ironic or in any way meaningful. Is this all that YOU'RE contribution to /. consists of? Sad.

    1. Re:Douche vs. bag by Anonymous Coward · · Score: 0

      Oops - there goes another one (YOUR contribution)! What a looser(!)

    2. Re:Douche vs. bag by Anonymous Coward · · Score: 0
      Imagine that - a post that's not informative, funny, ironic or in any way meaningful. Is this all that YOU'RE contribution to /. consists of? Sad.

      That's funny, everyone _else_ thought it was funny :) Sore loser much?

  34. gay? by Anonymous Coward · · Score: 0

    Because straight guys prefer getting exploited and "pwnd"? Are you familiar with the robot saying "Does not compute"?

  35. Warning warning danager danger! by Orion+Blastar · · Score: 0, Flamebait

    The Internet is not safe if you use Windows and IE 6/7. Please Do NOT click any links until these issues are fixed. If you do, you might get pwn3d by 12 year-old script-kiddies or unemployed computer geeks turned hackers that still live with their mothers in the basement and are upset at the world.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
    1. Re:Warning warning danager danger! by Anonymous Coward · · Score: 0

      AAAAAAAAA!

    2. Re:Warning warning danager danger! by Orion+Blastar · · Score: 1

      Don't you mean: AAAAAAAAA! instead?

      --
      Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  36. Does not affect Vista by ThinkFr33ly · · Score: 1

    This flaw does not affect Vista users thanks to IE 7's Protected Mode feature.

    1. Re:Does not affect Vista by Anonymous Coward · · Score: 0

      I think you mean to say -
      In Soviet Russia, even the flaw can't run Vista.

    2. Re:Does not affect Vista by someone1234 · · Score: 1

      I'm soo much relieved it doesn't affect Vista, heh. This flaw doesn't affect my WinXP thanks to my Firefox protected mode.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    3. Re:Does not affect Vista by ThinkFr33ly · · Score: 1

      I think you may have missed the point of my post.

      Firefox is just as susceptible to exploits *like* this one. Bugs happen. Simple as that.

      IE 7's protected mode makes bugs like these more or less meaningless, and it's the only browser that takes this fairly novel approach.

      IE 7 on Vista is, without a doubt, the most secure way to browse the web.

    4. Re:Does not affect Vista by Anonymous Coward · · Score: 0

      IE 7 on Vista is, without a doubt, the most secure way to browse the web.

      If you can still say that in 4 years, I'll be very surprised.

  37. Every Microsoft Operating System? by Anonymous Coward · · Score: 0

    Holy crap! Time to look for patches for my DOS 2.1 and Xenix systems!

    Or, you know, look for accurate reporting. Either one, really.

  38. Sandboxie by daveb · · Score: 1
    A full virtual machine (as in vmware or virtual-pc) is a tad over the top but you're right.

    I don't use it much - but sandboxie impressed me a few months ago for running IE (or anything) in a semi-virtualised environment

  39. Re:sigh. by Anonymous Coward · · Score: 0

    Gah. Not every convention lumped under the category of "Correct Grammar" is actually correct.
    Things like this are style issues, not hard and fast rules. This would be wrong in formal speech, but in casual speech it's just a little redundant. It doesn't cause ambiguity, so why waste your breath?

  40. Wow MSFT is warning people early by Anonymous Coward · · Score: 0

    Wow MSFT is jointly mentioning this with Secunia as an actual issue that needs to be addressed immediately. That's a change.

  41. Get $browser, when $browser != IE by gunny01 · · Score: 1
    One attack vector is through Internet Explorer 6/7
    Simple cure: Get Firefox. Or Opera, for crying out loud...
  42. What about my Windows 95 box? by Roy+Ward · · Score: 1

    "... all Microsoft based operating systems except Windows 2003."

    So a box running Windows 95 or DOS is at risk then?

    I'm not sure which is more irritating - that the summary uses the above phrase that is not in the article, or that the article doesn't explicitly say which OS/browser versions are affected (and you'd have to go digging around to find whether you are using "XMLHTTP 4.0 ActiveX Control, part of Microsoft XML Core Services 4.0").

    I suppose the most irritating thing for a Windows user is that this is yet another security hole.

    1. Re:What about my Windows 95 box? by BlenderFX · · Score: 1

      Xenix too :)

    2. Re:What about my Windows 95 box? by David_W · · Score: 1
      So a box running Windows 95 or DOS is at risk then?

      No, you just aren't thinking like Microsoft. Those OSes are no longer supported, so in their eyes, they don't exist.

  43. Separate the cache from the browser? by Kadin2048 · · Score: 2, Interesting

    Actually, it might make sense to take the caching functions out of the web browser, maybe even out of client machines entirely, in favor of network appliances. That would allow you to have very secure, locked-down browsers, while still doing caching.

    I've always been surprised that Linksys or one of the other network-box companies hasn't put together an easy to use "web accelerator" caching proxy. I suppose it's because it would be too hard to explain to a lot of people (the kind of people who don't grok the difference between a web browser and "the Internet" to begin with) and require setup on the client machines that would incur too many support questions.

    But if you look at the setup of most people's home networks, you have a relatively slow backhaul, usually only a few megabits, with a very fast and barely utilized internal network (generally at least 10-11 Mb/s, often faster).

    It would make a certain amount of sense to do all the caching in a single location, at the router, and then have all the clients pull from that. Then you could access the internet from lightweight devices that didn't have any onboard storage. Plus you could probably set up some way to save the browser state between devices (like Google Browser Sync), but without transmitting any information out of the house.

    By separating out the functions that require write access to a file system from the browser, you could run the browser without any privileges, but still get caching. The cache device would just save files based on when and how frequently they were accessed, without looking at them, so it would also be secure. No process would be both executing instructions in the content, and have write access to a filesystem.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Separate the cache from the browser? by glens · · Score: 1

      Ever load a URI which contains a "?"? They're uncacheable.

    2. Re:Separate the cache from the browser? by Anonymous Coward · · Score: 0

      So what's your point? If they're uncacheable then you have less need for local storage.

    3. Re:Separate the cache from the browser? by jesser · · Score: 1

      It makes more sense to give a web browser write access only to a small part of the file system than to force an entirely separate device to have a hard drive, IMO.

      --
      The shareholder is always right.
    4. Re:Separate the cache from the browser? by Anonymous Coward · · Score: 0

      That's simply not true, all the question mark means is that you're sending the server a series of GET requests - the web developer can send HTTP headers specifying that caching agents including the browser should cache them. The only kinds of URIs that should probably never be cached are POST URIs for obvious reasons.

    5. Re:Separate the cache from the browser? by andyh1978 · · Score: 1
      Ever load a URI which contains a "?"? They're uncacheable.

      Not true. They are cacheable.

    6. Re:Separate the cache from the browser? by asuffield · · Score: 1
      I've always been surprised that Linksys or one of the other network-box companies hasn't put together an easy to use "web accelerator" caching proxy.


      If there's one thing that people should have learned from the last 10 years of end-user non-entertainment consumer computer products, it's this:

      No significant numbers of people will buy your product unless it will save them money or they think they cannot live without it.

      People will pay through the nose for entertainment stuff (games, etc), but for anything else, they will buy only what you can convince them is non-optional. The firewall and anti-virus companies have put a lot of effort into convincing people that they cannot live without these products. Microsoft work hard to make Windows and Office mandatory purchases.

      Any "accelerator" of any kind is, by definition, optional - and consumers do not pay for the amount of bandwidth they use, so they do not benefit from improved caching. Such products are not successful in the marketplace; most consumers will just ignore them. A few manage to break-even and survive, but most die, and none turn a significant profit. Companies like Linksys are doubtless aware of this and don't waste their time on producing such things.

      Note that this is specific to consumers - business users are entirely different. But business users rarely have a compelling need for caching web browsing unless they are very large - and so they won't be interested in turnkey solutions like this.
    7. Re:Separate the cache from the browser? by glens · · Score: 1

      This was the best response to respond to...

      If you're talking about the browser "history" "cache" (used for the back button; page print; etc.) then /everything/ should be so "cached". If, however, you're talking about just a cache, then dynamically-generated pages should never be cached since by their very nature they're ever new and require a fresh look whenever they're accessed.

      Yes, you can make squid, et al., go ahead and cache them anyway (it's awfully tempting sometimes when sites insist on going to a database-driven backend even for stuff that has not changed for some length of time). Idiotic sites (most usually running some version of whatever MS is currently calling their webserver software, it seems) which send multiple headers denying cacheability of page layout images and stuff almost require shenanigans with web cache configuration, but the best/easiest thing to do is ignore the sites and surf elsewhere.

      Yes, one can cache anything, but that's a rather microsoftian way to do things. There are standards for a reason and when they get ignored, well, what's the point?

      So, a URI with a "?" in it (which calls for the one base item along with environment variables; not making multiple GETs) should not be cached, even though it's technically possible to force it done.

    8. Re:Separate the cache from the browser? by zCyl · · Score: 1
      It makes more sense to give a web browser write access only to a small part of the file system than to force an entirely separate device to have a hard drive, IMO.

      That's a reasonably clever idea. It could be applied more generally too. A wide variety of user apps could be restricted to only have write access to specified directories. With judicious use of symbolic links, this could even be made painless for the user.

      This is essentially already done with a lot of server software, by running it as a dedicated user. It would just be a generalization of this concept to specify directory restrictions for apps running as a single user.
    9. Re:Separate the cache from the browser? by glens · · Score: 1

      Netcraft says the server we "speak" to is running on Lyenucks, nevertheless, go to http://www.linksys.com/products and when the page fully loads, select one of the product line links. Hit the back button, then the forward button. All's well. Then hit the back button and select the same link again so you can watch all the images get sent afresh from the server. Even if they didn't have a "Cache-Control: private" header (note the use of the MIME Content-Disposition header in an HTTP transaction!) they would not be cacheable due to being ever new.

      I just don't get it. These outfits must have unlimited bandwidth to burn (and think I do too).

    10. Re:Separate the cache from the browser? by ptlis · · Score: 1

      Note: I was the AC for that comment - I had thought I was logged in but evidently I was not.

      Please note I explicitly said caching agents which includes caching proxies and your browser amongst other things, but even with respect to only the browser as you seem to have (mis)interpreted the thrust of my point and you're incorrect in your assertion that they should cache everything - browsers too must (and do in my experience, with a few fun bugs) follow the instructions in the headers with regards to caching. I kindly point you to RFC2616 (HTTP 1.1 spec) section 14.9 (Cache-Control):

      The Cache-Control general-header field is used to specify directives that MUST be obeyed by all caching mechanisms along the request/response chain.

      That is besides the point however, my point was that although GET requests can be used to generate dynamic content specific to the user this is very often not the case - for example most sites which have some form of news entries will use get requests with some form of unique identifier to pull the article from the database and format it correctly. In this situation the developer of the application almost certainly wants the generated article cached in multiple stages to minimise load on the server (for example squid between the web and the application so that every time a person visits the page it does not need to be generated again, by the user's ISP and by the user's browser). Further, we all know that the contents of a URI in no way relate to what is actually happening server-side - tools such as mod_rewrite can be used to great effect and hide those pesky question marks, ampersands and verbose key and value pairs.

      My point is this, as a skilled software engineer focused on web development I can make static pages look dynamic and dynamic pages look static trivially and so can anybody else - the URI was never intended to give any information about the resource it is identifying beyond its location, it is misinterpretation and flawed analogies which give most people the impression that the URIs have intrinsic meaning; so making assumptions with regards to the cacheability of a resource based on its URI is at best foolish (and hence isn't done). Instead implementation of (for example) the Vary field should be considered by the developer of 'dynamic' pages so that caching agents are aware that it is dynamic, and know which value in a request changes it and so can cache the variations of the page based on this.

      --
      There's mischief and malarkies but no queers or yids or darkies within this bastard's carnival, this vicious cabaret.
    11. Re:Separate the cache from the browser? by glens · · Score: 1

      Thank you for the reply. We're actually in agreement for the most part. My knowledge of the intricacies is obviously much more cursory than yours, and I thank you for stating so clearly and well-reasoned that to which I was alluding.

      Intelligent (or at least not lazy) site operators have and do provide well-executed "experiences" in terms of caching proxy usage (which was more my thrust than the dual-mode cache employed by a browser). When I spend time at forum sites such as http://www.treebuzz.com/ it's a nice feature to have indication, say, of how many times an attachment has been fetched. It's also nice when the request does its thing with the database and eventually results in an "actual" item which is itself cacheable.

      On the other end of the spectrum is (was, at least, until AMD took over and made some changes) ATI's web site. Everything was sent straight from the database with all manner of directives to not store the information. When on dialup (as I'm stuck where I live) and trying to improve things with squid this side of the modem it was completely maddening to follow links around their site.

      I believe you'll find in the RFC you referenced a section on browser history mechanisms. I also touched on that briefly earlier. In it (a cache) everything must be saved during the session to provide an exact reproduction of that which was seen, if I understand it correctly.

      Well, this has been fun...
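The caching rules argued over in this sub-thread, as an added example (not code posted by any commenter): a sketch of the store/don't-store decision a shared cache such as a router proxy has to make under RFC 2616 sections 13.9, 14.8 and 14.9, plus a cache key that honours `Vary`. The function names, hosts and sample headers are constructed for illustration.

```python
from urllib.parse import urlsplit


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_decision(method, url, request_headers, response_headers):
    """Return (storable, reason) for a cache shared between several users."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))

    if method.upper() != "GET":
        return False, "only GET responses are stored in this sketch"
    if "no-store" in cc:
        return False, "no-store"
    # Storing a private response in a shared cache would hand one user's
    # page to the next user who asks for the same URL.
    if "private" in cc:
        return False, "private: must not be stored by a shared cache"
    # RFC 2616 14.8: responses to authenticated requests are off limits
    # unless the origin server explicitly opts in.
    if "authorization" in req and not (cc.keys() & {"public", "s-maxage", "must-revalidate"}):
        return False, "authenticated request without public/s-maxage/must-revalidate"
    if resp.get("vary", "").strip() == "*":
        return False, "Vary: * cannot be matched against a later request"

    explicit = "s-maxage" in cc or "max-age" in cc or "expires" in resp
    # RFC 2616 13.9: a URI with a query part is not uncacheable, but its
    # response may only be treated as fresh with an explicit expiration.
    if urlsplit(url).query and not explicit:
        return False, "query URI without explicit expiration (RFC 2616 13.9)"
    if "no-cache" in cc:
        return True, "stored, but revalidated with the origin before every reuse"
    if explicit:
        return True, "stored with explicit freshness lifetime"
    return True, "stored with heuristic freshness"


def cache_key(url, request_headers, response_headers):
    """Key a stored response on the URL plus the request headers named in Vary."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    names = sorted(h.strip().lower() for h in resp.get("vary", "").split(",") if h.strip())
    return (url, tuple((name, req.get(name, "")) for name in names))


# Constructed sample exchanges (hosts and header values are made up).
ARTICLE_URL = "http://news.example/article?id=42"
ARTICLE_RESPONSE = {"Cache-Control": "public, max-age=600", "Vary": "Accept-Encoding"}

if __name__ == "__main__":
    samples = [
        ("GET", ARTICLE_URL, {}, ARTICLE_RESPONSE),
        ("GET", ARTICLE_URL, {}, {}),
        ("GET", "http://shop.example/logo.png", {}, {"Cache-Control": "private"}),
        ("GET", "http://bank.example/statement",
         {"Authorization": "Basic placeholder"}, {"Cache-Control": "max-age=60"}),
    ]
    for method, url, req, resp in samples:
        print(url, "->", shared_cache_decision(method, url, req, resp))
```

The "?" alone never decides the outcome: the same query URL is stored when the server sends an explicit lifetime and refused when it does not, while a plain image URL marked `private` is refused regardless.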

  44. No 2003? Someone can't read. by flyingfsck · · Score: 3, Informative

    From Secunia, the vulnerable versions are:
    Microsoft Windows 2000 Advanced Server
    Microsoft Windows 2000 Datacenter Server
    Microsoft Windows 2000 Professional
    Microsoft Windows 2000 Server
    Microsoft Windows Server 2003 Datacenter Edition
    Microsoft Windows Server 2003 Enterprise Edition
    Microsoft Windows Server 2003 Standard Edition
    Microsoft Windows Server 2003 Web Edition
    Microsoft Windows XP Home Edition
    Microsoft Windows XP Professional

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
    1. Re:No 2003? Someone can't read. by ThinkFr33ly · · Score: 1

      Windows 2003 comes with IE in "security enhanced" mode, which basically means that virtually everything (javascript, activex, etc.) is turned off for all but the built in trusted sites, of which there is only one by default: windowsupdate. So, with the default config, Windows 2003 is *not* affected.

      In other words, the admin would have to go out of his or her way to make sure that Win2k3 Server was affected by this, not to mention the fact that they would have to browse the web on a freaking server, which usually doesn't make much sense to begin with.

  45. Myths... by EsbenMoseHansen · · Score: 1

    Nice try :) Let me see you run a windows machine for developing for a month, no crashes, no reboots. Repeat this for month after month. Then let me see you install a windows machine through booting a CD (or DVD if you prefer), seeing everything works as expected, and then initiate the install. The install will automatically accommodate the existing OSs on the computer, and making dual booting between any number of OSs possible. After the install, let me then see you find and install a secure browser, 2 different spreadsheets, a 3D object editor and maybe 30 small games for those 10 minutes with nothing to do. Then let me see you get an overview over all the applications installed, and press a button to upgrade all those to their newest version. Your budget is.... let's be generous and say 30 Euro.

    Windows is good for exactly one thing... playing certain games. And it's getting worse all the time (not due to linux, but due to the PSn or whatever those playing boxes are called). As I have lost much of my interest in playing that sort of games, I have never been happier with Linux, which is so much better for what I do... developing software.

    --
    Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
    1. Re:Myths... by Richard_at_work · · Score: 1

      I develop on Windows at work (XP Pro), and my system has an uptime into multiple months. So long as you aren't a bigoted asshole, it's not hard to accomplish.

    2. Re:Myths... by Anonymous Coward · · Score: 0

      "I develop on Windows at work (XP Pro), and my system has an uptime into multiple months. So long as you aren't a bigoted asshole, it's not hard to accomplish."

      Actually, if you patch your machine at all, it's completely impossible. If you have installed IE7, which, as a developer, I assume you have, it's completely impossible.

      It is possible to have a very long uptime on Windows, but not securely. Microsoft have greatly improved the need for reboots after patches and updates, but by no means eliminated it. Maybe Vista will be better. Maybe Vienna will.

      You could say the same for linux, as a kernel update needs a reboot, but on a single user workstation, or a machine that doesn't give out shell accounts, that simply isn't necessary.

      Simple fact is unixes don't need the same number of reboots, due to their architecture. However nothing, nothing, beats Novell Netware 3.

    3. Re:Myths... by EsbenMoseHansen · · Score: 1
      I develop on Windows at work (XP Pro), and my system has an uptime into multiple months. So long as you aren't a bigoted asshole, it's not hard to accomplish.

      Such nice language you have. Oh well. I have often met people who claim fantastical uptimes for their window boxes, but on inspection it is usually <1 week. Of course, you might be the exception, but then I did list a few more points for the grandparent to do to back up his claim on windows being more usable.

      Have fun! Tomorrow I will (again) be working on a fully OS platform, and the only downside is the bits done in Java :)

      --
      Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
    4. Re:Myths... by Anonymous Coward · · Score: 0

      I have often met people who claim fantastical uptimes for their window boxes, but on inspection it is usually [less than] 1 week.

      Obviously, the world revolves around you.

      The parent is most likely writing about corporate environments, not the computers of your dorm-mates.

  46. Re:GO BACK TO ENGLISH CLASS, HOMO by Anonymous Coward · · Score: 0

    You guys, you're all Borat, right? How do you say 'grammar asshat' in Kherzikistooi?

  47. Here's the data on odds... by Kamiza+Ikioi · · Score: 1

    Yeah, I found the data here, just click to read all about the odds of visiting an exploiting site.

    http://12.34.56.78/hacks/exploits/im/a/script/kiddie/boom.html

    --
    I8-D
  48. It's C again. by master_p · · Score: 1

    Buffer overflow again? We programmers should run a petition for Microsoft to stop using C for their products :-).

    On a more serious note, I am using Firefox and Thunderbird, so it is highly unlikely that I am affected by the vulnerability. Open source wins again!

    1. Re:It's C again. by ICA · · Score: 1

      You've seen the source code for IE? You know how it is programmed? That is completely different from how Firefox is written?

      Yes, I like Firefox very much also, and never use IE. However, your arguments are ignorant.

    2. Re:It's C again. by Anonymous Coward · · Score: 0

      we programmers should run a petition for Microsoft to stop making software :-).

    3. Re:It's C again. by Anonymous Coward · · Score: 0

      I'd like to see something like a 'C license' at Microsoft. Until you earn your license, you're stuck using toy languages like VB, C#, java, etc. Once you earn your license -- by proving that you create correct programming constructs more often than not -- you are free to use more powerful languages like C and Assembly.

      Hopefully, that would ensure that applications which need the flexibility of a language with pointy ends get written by people who can direct the pointy ends away from themselves. And, of course, the rest of the applications would be so horribly written and use so much memory that Microsoft could continue to fuel the hardware industry.

  49. Let me guess what's going to happen next. by edxwelch · · Score: 1

    There will be another browser vulnerability study published that compares minor Firefox bugs with severe "allows code execution" vulnerabilities in IE. This will allow IE users to come to the smug conclusion that neither browser is more secure and feel good about using Microsoft products again.

  50. layman's meaning of 0-day by davidwr · · Score: 1

    Technically, you are correct.

    I think when most people read "0-day exploit" though, they mean exploits where no patch or easy/reasonable workaround is available at the time the bug becomes public knowledge.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  51. transparent caching proxy by HighBit · · Score: 1

    I've got squid on linux on my router running a transparent caching proxy, so I've already got this.

  52. Does it affect XP 64? by Myria · · Score: 1

    XP 64 is actually a non-server build of 2003 (NT 5.2), not XP (NT 5.1). I can't tell whether XP 64 is affected, because Microsoft just says this:

    "Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. Customers would need to visit an attacker's Web site to be at risk. We will continue to investigate these public reports."

    I'm on XP 64 SP1, equivalent to 2003 SP1.

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
    1. Re:Does it affect XP 64? by cnettel · · Score: 1

      I was wondering the same thing, but I think your quote makes it quite clear. The enhanced configuration is basically an IE which won't allow scripts, won't allow ActiveX and by consequence won't be affected. It's fully possible to turn off that protection in Windows 2003, and the default in XP64, being a client operating system, is the normal client settings. Hence, we would be vulnerable. OTOH, when you are running the 64-bit build of IE, I would suppose that the existing exploits won't work. As the stack layout is also different (in addition to the instruction set), it might be very hard/impossible to directly transfer this exploit to those systems. Of course, the 32-bit IE on 64-bit XP still seems just as vulnerable, then.

    2. Re:Does it affect XP 64? by Myria · · Score: 1

      Oh, it's a buffer overflow? Yes, then I guess there's not much to worry about. No exploit author will bother targeting such a small percentage of people, especially when it's harder to do than Win32 with NX always enabled and table-based exception handlers.

      There was a nasty exploit in 2004 with XMLHTTP that wasn't a buffer overflow - you could actually ask it to download and run an .exe file and it would >_

      Melissa

      --
      "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
    3. Re:Does it affect XP 64? by Anonymous Coward · · Score: 0

      I'm on XP 64 SP1, equivalent to 2003 SP1.

      Melissa


      Not on mine, just checked:
      http://en.wikipedia.org/wiki/Melissa_worm

  53. Use psexec to protect your system from your browse by schwit1 · · Score: 1

    Use psexec to protect your system from your browser.
    http://download.sysinternals.com/Files/PsExec.zip

    C:\utl\psexec.exe -dl "C:\Program Files\firefox\firefox.exe"
    or
    C:\utl\psexec.exe -dl "C:\Program Files\Internet Explorer\iexplore.exe"

  54. Re:any web site is a risk! by Psykechan · · Score: 1

    The site doesn't have to be of ill repute in order to cause a risk. Remember the BOFRA/iFrame exploit? This was a case where ad server Falk AG was serving up ads to well known sites such as The Register and Comedy Central. You wouldn't hesitate to go to either of those sites most of the time.

    The thing to keep in mind is that any page could be a risk and you must be security conscious or face the consequences.

  55. Re:sigh. by Anonymous Coward · · Score: 0

    Sweet B&B reference. =]

  56. Another one? by kurt555gs · · Score: 1


    No, really?

    Tell me it isn't so.

    --
    * Carthago Delenda Est *
  57. And? by Anonymous Coward · · Score: 0

    File this under the "yawn" category. Does anyone still use IE? Why? I mean, really, why? As a browser it's sucked for years compared to free alternatives.

  58. Theoretically undecidable? by TimFreeman · · Score: 1
    Nothing can be perfectly "secure" (theoretically undecidable).

    What do you mean there? Can you cite a reference for this?

    If I think of the most obvious definition of "secure", then it's pretty clear to me that it might be possible to prove that a system built for the purpose of being secure is actually secure.

    Perhaps what you meant to say is that it's theoretically undecidable to prove that an arbitrary system is secure, but that's not a problem we care about. Our systems aren't arbitrary. They're supposed to be constructed for a purpose.

  59. Wait! by crhylove · · Score: 1

    There's still people using IE instead of Firefox?!? Serves them right then, dummies! Back of the class!

    --
    I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.
  60. Re:sigh. by Anonymous Coward · · Score: 0

    B&B? It was Churchill

  61. Re:Use psexec to protect your system from your bro by LinuxIsRetarded · · Score: 1

    Or, better yet, just don't run as an administrator. It's rather unfortunate that the installer for XP creates an administrative user (in addition to "Administrator"), but it's quite easy to correct this and run as a standard user.

  62. Silly claim based on limited experience by dbIII · · Score: 1
    IE 7 on Vista is, without a doubt, the most secure way to browse the web.

    Perhaps given a sample size of two - the other of which is IE 6 on XP. There are a lot of web browsers out there, from lynx up, on a lot of platforms which do not fall victim to this or many other problems - mostly due to a lack of active-x which even a librarian warned me was a major mistake prior to its introduction. It is easier to point out a shortcoming in the Microsoft product than to advocate absolutely everything else.

  63. What? Windows is insecure?!? Even with IE7?!?!? by dotancohen · · Score: 1

    And why is this news? Or is this a repost of what we've seen a hundred times before? Just once I'd like to see the headline "Windows declared safe to use for the next 24 hours".
    http://lyricslist.com/lyrics/artist_albums/425/red_hot_chili_peppers.php

    --
    It is dangerous to be right when the government is wrong.
  64. MSXML4 is NOT part of Windows by terrz · · Score: 1

    MSXML4 is NOT part of Windows, so the article is written by a troll

  65. IE? by trupoet · · Score: 0

    People use IE still? weird

  66. Re:XP Server Uptime by Anonymous Coward · · Score: 0

    It's exactly thought-less posts like this that made me take the challenge...

    I have an XP server being used as a torrent server: -
    \\### has been up for: 433 day(s), 18 hour(s), 28 minute(s), 37 second(s)

    It's being used extensively throughout the year and for the majority, the cpu usage was up to 70-80%. Currently at 40-50%.

    And, IE is banned on the machine :)