Slashdot Mirror


New Zero-Day Vulnerability In Windows

Jimmy T writes "Microsoft and Secunia are warning about the discovery of a new 'Zero-day' vulnerability affecting all Microsoft-based operating systems except Windows 2003. Both companies state that the vulnerability is currently being exploited by malicious websites. One attack vector is through Internet Explorer 6/7 — so be aware where you surf to."

15 of 231 comments

  1. Just curious by realmolo · · Score: 2, Insightful

    Seems there is always a new "zero day" exploit for Windows. Most times, the exploit can be activated simply by visiting a webpage that has been crafted to take advantage of it.

    Does anyone actually know anyone that has been affected by any of these exploits? Seems to me that the odds of actually visiting a site that "runs" the exploit are incredibly low.

    1. Re:Just curious by Opportunist · · Score: 2, Insightful

      The odds depend entirely on you.

      The attack vector is a link to the bogus page. Now, how do you get a link to a user and make him click? Usually this is done either by email (click here for big boobs or fat cash) or on a webpage (same).

      In the meantime, you can also have it on a banner, where the one wanting to infect you buys ad space on a ... let's say less prestigious page of our beloved web. Usually also pages that promise big boobs, fat cash or free software.

      Well, technically, you get free software...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Just curious by whitehatlurker · · Score: 2, Funny

      I've been clicking on your link for big boobs, and nothing is happening. What's going on here?

      --
      .. paranoid crackpot leftover from the days of Amiga.
  2. Darn by blantonl · · Score: 2, Funny

    I've been looking at porn all night.. it is Saturday you know!.... jeeze.. I better start scanning my machine now (or stop looking at porn) .... (or reload my machine).

    --
    Lindsay Blanton
    RadioReference.com
  3. "Trusted" Websites by TheStonepedo · · Score: 2, Insightful

    For all of the shortcomings of IE, Microsoft does attempt to cover its ass to some degree. There are settings in IE which decide which goodies (JavaScript, (un)signed ActiveX controls, etc.) can be run from which websites. When installing Server 2003, just about everything is out-of-bounds in the default IE. If Microsoft would advocate such tight controls by default on all Windows distributions, or even publish its own list of trusted 3rd-party sites, risks could be reduced. The malicious folks who take advantage of zero day exploits tend to be in the seedier parts of the tubes anyway.

    --
    I'll be your candy shop of infinite deliciousity if you'll be my discotheque of endless rump-shaking.
    1. Re:"Trusted" Websites by 0racle · · Score: 2, Insightful

      And if MS published such a whitelist, so many of Slashdot's readers would get up in arms about leveraging their monopoly and various other terms they don't really understand. That said, it really isn't Microsoft's place or duty to police the internet and say what is and is not safe.

      --
      "I use a Mac because I'm just better than you are."
  4. Re:Seriously, Is Firefox susceptible to this too? by Shados · · Score: 5, Informative

    Yes and no. This flaw is specific to XMLHTTP, which is kind of developed independently. You also can use XMLHTTP without using IE at all, that's why I say it's independent. It's probably a buffer overflow, and not much to do about it in this case. So yes IE7 has a flaw, but there really isn't anything they could do in the current context. -HOWEVER-, while IE7 is more secure than IE6 in a million ways, the WinXP version is nothing but a shadow of the real thing. The sandboxed IE7 is on Vista only, and I'm pretty damn sure this vulnerability is not an issue there. Anyway, so it's more semantic here, but you could say "yes, IE7 has a vulnerability". However, it's a little bit like if there was a vulnerability in KDELIB across the board...obviously that would touch Konqueror, no matter how secure Konqueror itself is... Can't excuse that one though. IE7 on XP is far, far from secure. More secure, but not secure.

  5. Re:sigh. by uhlume · · Score: 2, Funny

    You're right. This is the sort of English up with which we should not put.

    --
    SIERRA TANGO FOXTROT UNIFORM
  6. Re:Seriously, Is Firefox susceptible to this too? by uhlume · · Score: 2, Informative

    Only by virtue of Microsoft's attempt to provide backward compatibility for AJAX sites developed for older versions of IE.

    Prior to IE7, the XMLHTTP object, used to retrieve data from external sources without full-page reloads, was provided by an external ActiveX control. With IE7, Microsoft has implemented XMLHTTP natively in-browser, rendering the ActiveX control unnecessary -- however, it's still possible for older sites which haven't yet been rewritten to take advantage of native XMLHTTP support to load the ActiveX version.

    The good news is, if you don't mind breaking the many AJAX-reliant sites which still use the old-style XMLHTTP object, you can disable it completely through IE7's (and IE6SP2's) Add-on management.

    --
    SIERRA TANGO FOXTROT UNIFORM
  7. That's what they get by jrmiller84 · · Score: 2, Funny

    > Internet Explorer 6/7
    Well that's what they get for not updating and running Internet Explorer 6/7! It's not even version 1.0!

    --
    I will forever be a student.
  8. Your vs You're by idonthack · · Score: 3, Funny
    > Your screwed.
    What about my screwed?
    --
    Why is it that when you believe something it's an opinion, but when I believe something it's a manifesto?
  9. Separate the cache from the browser? by Kadin2048 · · Score: 2, Interesting

    Actually, it might make sense to take the caching functions out of the web browser, maybe even out of client machines entirely, in favor of network appliances. That would allow you to have very secure, locked-down browsers, while still doing caching.

    I've always been surprised that Linksys or one of the other network-box companies hasn't put together an easy to use "web accelerator" caching proxy. I suppose it's because it would be too hard to explain to a lot of people (the kind of people who don't grok the difference between a web browser and "the Internet" to begin with) and require setup on the client machines that would incur too many support questions.

    But if you look at the setup of most people's home networks, you have a relatively slow backhaul, usually only a few megabits, with a very fast and barely utilized internal network (generally at least 10-11 Mb/s, often faster).

    It would make a certain amount of sense to do all the caching in a single location, at the router, and then have all the clients pull from that. Then you could access the internet from lightweight devices that didn't have any onboard storage. Plus you could probably set up some way to save the browser state between devices (like Google Browser Sync), but without transmitting any information out of the house.

    By separating out the functions that require write access to a file system from the browser, you could run the browser without any privileges, but still get caching. The cache device would just save files based on when and how frequently they were accessed, without looking at them, so it would also be secure. No process would be both executing instructions in the content, and have write access to a filesystem.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  10. Re:The best solution by Zwaxy · · Score: 2, Insightful

    > You are severely exaggerating.

    He isn't. He said that the most certain way of avoiding vulnerabilities is not to be connected to the 'net. That's true, right?

    You said:

    > The computer I had before my current laptop got incredibly bogged down with
    > viruses that entered the system through a variety of means.
    > Eventually I found it to be unusable, and switched it to Linux.

    and then went on to say:

    > Let me reiterate that I have never had a problem with viruses.

    Sounds to me like you have had a problem with viruses; so much so that you found they made your computer unusable.

  11. No 2003? Someone can't read. by flyingfsck · · Score: 3, Informative

    From Secunia, the vulnerable versions are:
    Microsoft Windows 2000 Advanced Server
    Microsoft Windows 2000 Datacenter Server
    Microsoft Windows 2000 Professional
    Microsoft Windows 2000 Server
    Microsoft Windows Server 2003 Datacenter Edition
    Microsoft Windows Server 2003 Enterprise Edition
    Microsoft Windows Server 2003 Standard Edition
    Microsoft Windows Server 2003 Web Edition
    Microsoft Windows XP Home Edition
    Microsoft Windows XP Professional

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  12. Re:The best solution by Jaseoldboss · · Score: 2, Insightful
    No, this problem only affects computers with browsers that support ActiveX. That's why W2K3 isn't affected because IE is configured to be virtually "text only".

    Have you seen the 'mitigating factors' from the MS advisory? They're hilarious:

    > In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

    Ahh, easy. Don't click links on the web then.

    > An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    That's good, the first thing Aunt Nelly does with her new PC is set up a LUA account.

    > The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.

    Put malicious sites in the Restricted Zone first, good advice - can we have a list of them please? Before anyone suggests turning off Active Scripting, that causes IE to display a warning message box every time you visit a site with Flash, making it unusable.

    A much better mitigating factor would be that over 10% of users can't run ActiveX because they are using Firefox or Linux.