Hackers Jump On Newest IE7 Bug
CWmike writes "Attackers are already exploiting a bug in Internet Explorer 7 that Microsoft patched just last week, security researchers warned today. Although the attacks are currently in 'very, very small numbers,' they may be just the forerunner of a larger campaign, said Trend Micro's Jamz Yaneza. 'I see this as a proof-of-concept,' said Yaneza, who noted that the exploit's payload is extremely straightforward and explained that there has been no attempt to mask it by, say, planting a root kit on the victimized PC at the same time. 'I wouldn't be surprised to see this [exploit] show up in one of those Chinese exploit kits,' he added. The new attack code, which Trend Micro dubbed 'XML_Dloadr.a,' arrives in a spam message as a malicious file masquerading as a Microsoft Word document."
Glad I'm using Lotus Notes. Hmm...
...when Microsoft stops bundling IE with Windows (depending on what happens with that anti-trust case in the EU). Does anyone know if that would also affect NA?
Obligatory blog plug: http://www.caseybanner.ca/
And then the exploits will occur with the browser that most people are using. Face it: there are bugs in every piece of software out there, and it's just a matter of time before someone finds and exploits them.
The new attack code, which Trend Micro dubbed "XML_Dloadr.a," arrives in a spam message as a malicious file masquerading as a Microsoft Word document. If the fake document is opened, the exploit hijacks PCs that have not been patched...
Running Chrome or Firefox won't stop idiots from opening strange attachments.
I'm assuming that they aren't actually hitting patched systems; just going after the (numerous) systems as yet unpatched, possibly with the aid of information inferred from analysis of the patch. If the patch itself, or patched systems, were getting exploited, it would be bigger news.
I know. I'm just thinking in terms of the botnet spread "factor", I think that will go down as more people start using firefox/more secure browsers, and that market share will go up when Microsoft stops bundling IE. Of course they are just going to get the OEMs to do it for them, maybe some OEMs will package Firefox, who knows.
I wonder, what would un-bundling REALLY mean? Just that it's easier to remove or that Microsoft OS' come with no browser? Now that would be a fun one for new users...
Bored at work? Play Game!
Running Chrome or Firefox won't stop idiots from opening strange attachments.
Running Linux will.
a malicious file masquerading as a Microsoft Word document
I don't think this is the same definition that the rest of us use. In related news, a lizard was seen masquerading as a gecko.
I am TheRaven on Soylent News
"They invade our computers, and we fall back. They assimilate entire servers, and we fall back. Not again. The line must be drawn here! This far and no further! And I will make them pay for what they've done!" - Linus Torvalds
So naturally, it begins again. What is it that allows these hackers to reverse Microsoft's patches? Is there no format that would protect them? Perhaps a more open security policy? Imagine that mess?
You can "reverse" Microsoft patches. Use the tool to reverse the Windows configuration to a given date (in Accessories -> System Tools but I don't know the exact name of this app as I'm not using Windows on my home pc of course)
You're probably right, I failed to make that clear. From my understanding, Patch Tuesday allows hackers to see the old exploit and target unpatched systems. However, is there anyway for Microsoft to minimize the exposure of these patches?
Set the default viewer for msWord docs to the Word Viewer, make normal.dot read only, disable auto-opening of macros ..
... pretending to be helpful but surreptitiously twirling its moustache while doing nefarious deeds to the computer and generally making life miserable for the user.... actually thinking about it - that's not too different from the real clippy.
Linux makes you smarter.
Running Chrome or Firefox won't stop idiots from opening strange attachments.
Running Linux will.
No. It will only stop the current exploits from being effective.
How would switching to Firefox help? So you can get a different brand of virus?
Patch and keep patching. That is the only safe bet.
Yes I am using Firefox right now.
Exactly. This is precisely the reason that Apache has far more exploits published than IIS.
That will be true if all those people running windows using administrator accounts move over to running linux as root. Those running linux properly will still be pretty much unaffected.
So millions of web users are in danger because
a) IE is insecure and Microsoft evil
or
b) Because they did not apply a patch which has been recommended by Win update
Being on Slashdot, I get those two confused...
Is that multiple choice? If so, I choose a and b as my answer.
Will it blow my version of OO when I try to open the WORD document?
I am glad to hear that it wont affect the REGISTRY on Slack.
I am so waiting for the malware that runs "FORMAT C:" or whatever it is nowadays.
Have you seen how much trouble it is to write a Linux virus? There was an article up recently (I may be crazy, could have been a comment) about writing a Linux virus/worm/trojan. It had a number of caveats and required a great deal of luck. HOWEVER, I can imagine the typical Windows user migrating to Linux and as mentioned above, running as root. However, Ubuntu (and others of course) do not allow root access by default... might not be so bad.
Running Linux will.
Apparently not if you're using KDE or GNOME.
When it was run, this attachment would helpfully and quietly forward itself to everyone in your address book. A couple of days later, after cleaning up the smoking wreckage of the E-mail system, system administration would send out an E-mail suggesting that it's not a good idea to run programs from unknown sources.
This was on IBM VM/CMS, a notably not-Microsoft OS.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I'm not an expert by any means; but I'd suspect that that is a hard problem. The security patch must, to fulfill its purpose, change the system from its vulnerable state to a nonvulnerable one. Tools for observing changes of state are common, well developed, and have loads of legitimate uses. Especially with all the use of VMs now, you pretty much have to assume that the hypothetical reverse engineer can see absolutely everything that happens to the system, step by step, if he feels like it.
Microsoft could, of course, add large numbers of irrelevant changes to every patch, as a sort of chaff, and use the various other obfuscation tricks; but I strongly suspect that that would do nothing good for the timeliness or quality of their patches.
However, is there anyway for Microsoft to minimize the exposure of these patches?
To do this effectively I imagine they'd have to hide the fact that they've updated the system or, at least, minimize their KB articles to say "Patch KB[insert number here] fixed an exploit".
Imagine though the backlash from this... we already know from recent articles how much people despise Microsoft for adding sneaky patches that install addons for Firefox. Sneaking in security updates without documentation and/or some sort of notice would further solidify some people's ideas of Microsoft's sheer level of evil and their obvious plot to take control of all of our PCs away from us.
If you think about it that way, this whole situation is pretty much a win/win for MS haters.
Viruses were made back in the single-user days. Linux and Mac OS, and even newer versions of Windows, don't need a virus to do damage. Worms that hack into the system, run and install a separate process, and then war-dial different IP addresses do the trick just as well. The reason people still make viruses for Windows is the fact that most people run with Administrator access and they are simple to program (and they think they are hot stuff if they do); programming worms is still less glory but is more willing to affect a Linux-majority network infrastructure.
Just because Linux or Mac OS or your favorite Unix doesn't have viruses, they can still get hacked into, especially if you poorly administer or neglect them. The fact that they can get hacked into allows for such worms to operate. Heck, a well-neglected Unix box running a worm can also have an auto-update feature to adjust for newly found security.
Being smug about security is the worst thing you can do.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Not all that much really. Easy enough to run a spambot with user privs. Any of the data you want to steal is in ~. If you last long enough without detection, you can grab the user's password with an X keylogger and start doing extra naughty stuff with root.
"Strangers have the best candy" -Me
I can't help but wonder then, just how bad the MS situation is (security) if they're so afraid of an open view in terms of security from the outside world. Imagine upstreaming patches for your Windows XP box, Debian/RHEL style?
There are fixes:
1. Require .desktop files to be executable to launch them
2. Ignore the Exec= line in user overrides
It's just a matter of someone contributing a suitable patch. It is not an architectural problem.
Those who would give up liberty to obtain working drivers, deserve neither liberty nor working drivers.
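The two launcher rules proposed in that comment, written out as an added example so the policy can be seen working (this is not code from any poster, from GNOME or from KDE): a `.desktop` file supplied in the user's directory is refused unless it carries the execute bit, and even then its `Exec=` line is ignored in favour of the system copy's. The directory layout, the entry names and the fixture contents are assumptions constructed for the example.

```python
"""Launcher-side policy for .desktop files (added example).

Rule 1: a user-level .desktop entry is launched only if it is executable.
Rule 2: Exec= is taken from the system copy only; a user override's Exec=
        is ignored. A user-only entry therefore has nothing to run.
Paths and fixture contents below are assumptions for the example.
"""
import configparser
import os
import stat
import tempfile


def parse_desktop(path):
    """Return the [Desktop Entry] section as a dict, or None if malformed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: Exec, Name, Type ...
    try:
        cp.read(path, encoding="utf-8")
    except configparser.Error:
        return None
    if "Desktop Entry" not in cp:
        return None
    return dict(cp["Desktop Entry"])


def is_executable(path):
    return bool(os.stat(path).st_mode & stat.S_IXUSR)


def resolve_launch(system_dir, user_dir, entry_id):
    """Decide what to run for entry_id; returns (exec_line, reason).

    exec_line is None when the launch is refused.
    """
    sys_path = os.path.join(system_dir, entry_id)
    usr_path = os.path.join(user_dir, entry_id)
    sys_entry = parse_desktop(sys_path) if os.path.isfile(sys_path) else None
    usr_entry = parse_desktop(usr_path) if os.path.isfile(usr_path) else None
    if sys_entry is None and usr_entry is None:
        return None, "no such entry"
    # Rule 1: a mailed or downloaded entry must have been chmod +x'd on purpose.
    if usr_entry is not None and not is_executable(usr_path):
        return None, "user entry is not executable"
    # Rule 2: the command line comes from the system copy or not at all.
    if sys_entry is None:
        return None, "no system entry to take Exec= from"
    exec_line = sys_entry.get("Exec")
    if not exec_line:
        return None, "system entry has no Exec="
    if usr_entry is not None and usr_entry.get("Exec") not in (None, exec_line):
        return exec_line, "ignored Exec= override from user entry"
    return exec_line, "ok"


def demo():
    """Constructed fixture: a system entry plus a user override that swaps Exec=."""
    with tempfile.TemporaryDirectory() as root:
        sysd = os.path.join(root, "usr", "share", "applications")
        usrd = os.path.join(root, "home", "user", ".local", "share", "applications")
        os.makedirs(sysd)
        os.makedirs(usrd)
        with open(os.path.join(sysd, "editor.desktop"), "w") as f:
            f.write("[Desktop Entry]\nName=Editor\nExec=/usr/bin/editor %f\nType=Application\n")
        usr_path = os.path.join(usrd, "editor.desktop")
        with open(usr_path, "w") as f:  # created without the execute bit
            f.write("[Desktop Entry]\nName=Editor\nExec=/tmp/.payload\nType=Application\n")
        results = {}
        results["no_x"] = resolve_launch(sysd, usrd, "editor.desktop")
        os.chmod(usr_path, 0o755)  # user deliberately marks it executable
        results["with_x"] = resolve_launch(sysd, usrd, "editor.desktop")
        results["unknown"] = resolve_launch(sysd, usrd, "nope.desktop")
        return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

With the execute bit missing the launch is refused outright; once the user sets it, the entry launches but with the system `Exec=`, so the override's command never runs. Whether a user-only entry (no system copy) should be refused or run under an explicit prompt is a policy choice; the example refuses it.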
And then the exploits will occur with the browser that most people are using. Face it: there are bugs in every piece of software out there, and it's just a matter of time before someone finds and exploits them.
So a more diverse set of browsers in use leads to fewer people being exploited. Sounds like something worth encouraging. And while we're at it, how can we encourage vendors to make their browsers more secure and generally better. If only there were some way to motivate developers using common human motivations. I know, we could have them compete with each other on a level playing field in a free market and the best browser will gain the most market share, so they will all work extra hard to make theirs the best. It's brilliant!
What, the law already mandates this? Well, better yet. What, one company is breaking the law and preventing competition and thus removing the motivation for much improvement and lowering the bar for everyone? Surely the courts will act quickly and decisively to stop this criminal behavior.
So you are suggesting that a significant flaw in Linux has lasted so long, even though it is "just a matter of someone contributing a suitable patch"? Hardly a good argument.
Pointing out there are possible fixes doesn't absolve it from blame.
virii
If that's an attempt at Latin, it failed. In Latin, virus is in the fourth declension and its plural is virus (yep, just like the singular), and NOT viri or virii.
Of course, as an English word, the plural of virus is viruses.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Yes, and this is really the main valid argument against technological monocultures. Stupid people (sorry, inexperienced people) running [Another OS/Another Browser] will do the same stupid (sorry, inexperienced) things they do now. But as long as there isn't a browser gobbling up 90% of the installed user base, the number of available targets is substantially reduced. The black hats rely on the sheer weight of numbers to succeed, and let's face it, exploits are written for profit now, not to prove something or because it's cool. Shrink the target pool and you'll minimize the amount of damage done to the targets and everyone sharing the same tubes.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
The key word here is "published". This is because Apache has an open bug tracker. And IIS has -- I guess from the quality ;) -- no bug tracker at all.
But Apache fixes its bugs quickly, or even at all, compared to IIS.
Well, I guess to get some useful numbers, one would have to count the numbers of actually used exploits.
But then again, writing it anonymously most likely means that you are a troll...
Any sufficiently advanced intelligence is indistinguishable from stupidity.
It's not that difficult. I can turn your shiny Linux box into a bot zombie by sending you a Perl script in a tarfile with the execute bit set and asking you to extract and run it. I don't even need root access. More sophisticated? Fine, how about I do the same thing but use, say, Python and a simple wxWidgets UI to ask for your root password? You know, because I need it to "update your system". Chances are good you have all that installed on your system if you use the average distro.
Don't underestimate the power of simple social engineering or the tendency of users to do dumb things. And don't overestimate the alleged technological superiority of your OS. I don't need to code an ELF binary in x86 assembler to do damage, and no one writes destructive viruses anymore. Neither you nor your data are the target. The commodity being sought here is your machine and its network connection.
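The "Perl script in a tarfile with the execute bit set" scenario above is easy to spot before anything is extracted, because the archive itself records the mode bits, the shebang and the paths. As an added example (not code from anyone in this thread), the audit below builds a small constructed tarball and reports the members a user would be about to run or that would land outside the extraction directory. The file names and contents are made up for the example.

```python
"""Audit a tar archive before extracting it (added example).

Flags members with an execute bit, a shebang, a link, or a path that
escapes the extraction directory. The sample archive is constructed in
memory; it is not a real attachment.
"""
import io
import posixpath
import tarfile

SHEBANG = b"#!"


def _member(name, data, mode):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mode = mode
    return info, io.BytesIO(data)


def build_sample_archive():
    """Constructed tarball: a README, a +x Perl script, a path-traversal entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, mode in [
            ("photos/README.txt", b"see attached\n", 0o644),
            ("photos/view.pl", b"#!/usr/bin/perl\nprint qq(hi\\n);\n", 0o755),
            ("../.bashrc", b"alias ls='echo owned'\n", 0o644),
        ]:
            info, fobj = _member(name, data, mode)
            tar.addfile(info, fobj)
    return buf.getvalue()


def escapes_extraction_dir(name):
    norm = posixpath.normpath(name)
    return name.startswith("/") or norm == ".." or norm.startswith("../")


def audit_tar(tar_bytes):
    """Return {member_name: [findings]} for members worth a second look."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            notes = []
            if escapes_extraction_dir(m.name):
                notes.append("escapes extraction directory")
            if m.issym() or m.islnk():
                notes.append("link to " + m.linkname)
            if m.isfile():
                if m.mode & 0o111:
                    notes.append("executable bit set")
                if tar.extractfile(m).read(2) == SHEBANG:
                    notes.append("script with shebang")
            if notes:
                findings[m.name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit_tar(build_sample_archive()).items():
        print(name, ":", ", ".join(notes))
```

The README passes silently; the Perl script is reported twice (mode bits and shebang) and the `../.bashrc` entry is reported for leaving the target directory. A mail client or file manager that ran this check before offering "extract and open" would take most of the social engineering out of the scenario the comment describes.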
I can't help but wonder then, just how bad the MS situation is (security) if they're so afraid of an open view in terms of security from the outside world.
I think currently they have a fairly open view to the outside world, post-patch anyways. Releasing information regarding the vulnerability pre-fix wouldn't be a good thing. I was just commenting that they COULD hide information about the security patches to prevent would-be-hackers from learning about an exploit and targeting un-patched systems. I don't really think that's the best action to take though.
It is Microsoft's fault in the first place for writing the software and the underlying architecture in such a way that allows these types of exploits. However, if they release a fix and some people don't get them because automatic updates is turned off (for whatever reason) then that is an end-user problem. It is these systems that are under the most threat and the threat, at that point, can't be ended by Microsoft.
Then teach the user to only give the pw to
A)Stuff that looks like gksu (you don't even need to explain what that is, just what it looks like)
B)If something speaks of "Updates", direct it to the Update manager, and ignore ~all else
C)If the User is stupid anyway, no system will ever be secure enough except one that does not give this person the ability to act as root in the first place, which means using a Mac, which I will never do because it is too user-obsequious
$ make available
I'll take C - Regis,
final answer.
WTF? Over?
Of course, you can always execute unsigned, untrusted code by downloading Firefox extensions on the Mozilla site.
"Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
There's always the matter of a no-password "sudo" setup.
Do any linux distros come set up for this by default? How long until they do?
My grandmother used anecdotal evidence all the time, and she lived to be 120 years old.
And in all likelihood be far less significant, as the browser in question wouldn't be so damn tightly integrated into the OS.
upon the advice of my lawyer, i have no sig at this time
Why wouldn't the open source nature of some browsers (and some OSs) mean that it's just a matter of time before someone finds the flaws and fixes them?
Why is it always the doomsdayers and naysayers?
Aren't there far more do-gooders than do-badders?
cheers,
Yes, but linux will also stop them from opening not-so-strange attachments, unfortunately.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
That's because you have to step through the 9 levels of dependency hell in order to run anything on Linux.
This could be done with Windows. Teach the users not to click "Continue" on UAC prompts unless they know what they're doing.
The problem has been, is, and always will be the users. They want their shiny "asteroid cursors" and their "desktop playmates" and they're going to get them, along with whatever crap comes along with it.
No, it was kind of garbled. I did learn that it was a bad idea to run applications that came as Email attachments though...
I just don't believe that's true. Some code is inherently more secure. UNIX is generally more secure than Windows. People like to say (for example) that the reason Mac OS has few trojans, and no real viruses to date (that I am aware of) is because of its market share. You'd have to be exceptionally naive to believe that among the legions of Apple hating Microsofties that no one has been able to create a successful virus yet. I'm certain it has absolutely nothing to do with the inherent security of UNIX - Nope that's not possible. has to be market share. :)
I have no proof to back this up, but there is also zero proof to back up the market share theory.
I still cannot find the droids I am looking for...
This is exactly why I use Lynx. The ASCII porn is getting a bit old, though.
Let me fix that for you...
Er wait, scratch that last part. I get carried away talking in this deep voice.
I want this account deleted.
Pointing out there are possible fixes doesn't absolve it from blame.
No, it doesn't, and that is one of the major problems with FOSS: devs tend to avoid disturbing the ecosystem as much as possible, even when doing so is a good idea. If this was run in a traditional (read:closed-source) setting and IT heard that it would take the flip of a few bits to get rid of a major security vulnerability, how long would the bug live?
I know some idiot mod will mark this as a troll because it is critical of FOSS. Really people, let's at least pretend to be civilized, please.
...and I won't run it, nor will any of my users....
Update my system... OK, I just go in the package manager... no updates... oh well.
Social engineering works both ways. If you make sure you never, ever send updates via email then the users notice it's unexpected and ask first... Too many Windows systems are updated by users clicking on links in/attachments to emails, and far too many websites give download-and-run links for Windows systems so that the users expect it to work like that.
Linux does not make hijacking and exploits impossible, or even that difficult... but it does make it inherently less likely that the simple ones will succeed (don't run as admin, make it painful to run downloaded files, update via package manager not by running a program/script).
Puteulanus fenestra mortis
I'm surprised you missed the most glaring grammatical blunder in the comment: prevolent, which, of course, should be prevalent
Once all those Windows users start migrating to Linux because it's safer, do you think they'll suddenly be infused with large doses of simple common sense? apt-get install effin-common-sense-0.2.3 or something like that? =)
It's not that difficult. I can turn your shiny Linux box into a bot zombie by sending you a Perl script in a tarfile with the execute bit set and asking you to extract and run it.
Trojans are a serious concern, but still a small portion of the problem today. Most exploits, by number of infections, are via automated worms with no user interaction.
Don't underestimate the power of simple social engineering or the tendency of users to do dumb things. And don't overestimate the alleged technological superiority of your OS.
The interesting thing about non-Windows OS's is they adapt to threats. Right now trojans are not a problem for the average Linux user, but in a few high security environments they are a concern. Those environments use technologies like SELinux to mitigate the risks and make social engineering a lot harder indeed. If trojans are ever a threat to the average Linux user, these technologies will be ubiquitously employed helping to defeat said threat. That's the thing about not being a monopolist. You have serious motivation to fix your users problems and if you don't someone else will.
Neither you nor your data are the target.
This has never been completely true, but it is becoming less and less so. More malware is starting to collect passwords to online accounts, banking info, and credit card numbers.
Root access or not doesn't really matter if a virus wants to cause harm or spread itself; all the user's data happens to be user accessible, and his favorite email app and web stuff of course too. But even if that isn't enough, it wouldn't be too hard for a virus to fake a password prompt to catch the password, or just to wait for the user to use sudo and then use it himself, since sudo is often used with a timeout that gives the user full root access without a password for a couple of minutes or even forever.
On a normal single-user desktop the separation of root and user account is little more than a minor annoyance rather than a real barrier for a virus writer.
Now that doesn't mean that one can't build a secure Linux box, Sugar on the OLPC tries something like that with each application running in its own isolated environment which would make it pretty hard to break out of, but your average Ubuntu box doesn't do that and likely won't until viruses become a real problem for Linux.
But what about those of us who are callous (lazy) enough to run as root 24/7 ? We're just not naive enough to run foreign attachments from people we don't know (or don't trust).
Sure, make things nerf-safe for the common user, but don't go bashing those of us who actually run these machines.
-Billco, Fnarg.com
It would mean the user has to stop and wait for an automated download and install process to run their programs for the first time. In order to maintain compatibility with existing software IE must be installed.
Ask the Wine community why they are implementing an IE replacement in Wine. Many programs depend on having IE and its API around to render HTML documents. Steam and WoW are two such titles for those who don't think it's significant or widespread.
The alternative is to have broken applications.
Stupid people (sorry, inexperienced people) running [Another OS/Another Browser] will do the same stupid (sorry, inexperienced) things they do now.
I'd go further in my argument than you do. Without a monoculture users may take the same action in the same circumstances, but will gravitate to technology that presents them with better situations and better handles those actions (makes them do what the user intended not what a third party wants). For example, this exploit relies upon an executable masquerading as an MSWord file. The fact that Windows presents the file in such a way as it is not differentiated from a Word file or even from trusted executable files is a failing of the OS. In a competitive market, MS would fix this problem in Windows or lose market share to people who did fix it. Is there no way the OS can distinguish executables from non executables, like maybe adding a non-changeable flag to the icons? What about checking to see if the executable is signed and verifying that signature or running it in a sandbox by default? These are perfectly doable solutions if competition were driving OS makers to significantly invest in real improvements.
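The comment asks whether the OS could tell an executable apart from a document regardless of what the name says. The contents already answer that: every container the thread mentions starts with a well-known magic number, so a gateway or file manager can compare what the extension claims with what the bytes are. The check below is an added example, not code from any poster or from Windows; the magic numbers are the documented ones for each format, and the sample inputs are constructed here rather than taken from the malware in the article.

```python
"""Compare a file's claimed type (extension) with its actual type (magic bytes).

Added example. Sample inputs are constructed; magic numbers are the
published ones for each container.
"""
import os

# (label, magic prefix), tested in order.
MAGIC = [
    ("ole2", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # legacy .doc/.xls/.ppt container
    ("zip", b"PK\x03\x04"),                         # .docx and other OOXML, or plain zip
    ("pe", b"MZ"),                                  # Windows executable, DLL, screensaver
    ("elf", b"\x7fELF"),
    ("script", b"#!"),
    ("pdf", b"%PDF"),
    ("rtf", b"{\\rtf"),
]

# What each extension is supposed to contain.
EXPECTED = {
    ".doc": {"ole2", "rtf"},  # Word opens RTF renamed to .doc, so allow it
    ".docx": {"zip"},
    ".xls": {"ole2"},
    ".pdf": {"pdf"},
    ".exe": {"pe"}, ".scr": {"pe"}, ".dll": {"pe"},
}

EXECUTABLE_KINDS = {"pe", "elf", "script"}


def sniff(data):
    """Label the content by its leading bytes, or 'unknown'."""
    for label, magic in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def check(name, data):
    """Return (verdict, actual_kind).

    verdict: 'ok', 'mismatch', 'executable-disguised', 'double-extension'
             or 'unknown-ext'.
    """
    base = os.path.basename(name).strip()
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    # 'invoice.doc           .exe' style names: a document extension buried
    # before whitespace padding and a final executable extension.
    inner = os.path.splitext(stem.rstrip())[1].lower()
    actual = sniff(data)
    if inner in EXPECTED and inner != ext and actual in EXECUTABLE_KINDS:
        return "double-extension", actual
    expected = EXPECTED.get(ext)
    if expected is None:
        return "unknown-ext", actual
    if actual in expected:
        return "ok", actual
    if actual in EXECUTABLE_KINDS:
        return "executable-disguised", actual
    return "mismatch", actual


if __name__ == "__main__":
    # Constructed samples: a real OLE2 header, a PE stub, a zip header.
    ole2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    pe = b"MZ\x90\x00" + b"\x00" * 60
    for fname, blob in [("report.doc", ole2), ("report.doc", pe),
                        ("report.doc             .exe", pe),
                        ("report.doc", b"PK\x03\x04" + b"\x00" * 20)]:
        print(repr(fname), "->", check(fname, blob))
```

A `.doc` that starts with `MZ` is reported as a disguised executable, a `.doc` that is really a zip is a mismatch worth a look (it may just be a misnamed `.docx`), and the padded double extension is caught from the name alone. Note what this does not do: a genuine OLE2 document carrying an exploit for the viewer passes as "ok", because the check is about honesty of the label, not safety of the content.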
I can turn your shiny Linux box into a bot zombie by sending you a Perl script in a tarfile with the execute bit set and asking you to extract and run it.
(emphasis added)
Sure - and I can wipe your home directory with this little script and ask you to run it:
#!/bin/sh
# removes everything under the user's home directory
rm -rf "$HOME"/*
exit 0
Most folks that get hold of Linux and install it are probably going to be smart enough to open an e-mailed media file with a media player, and won't touch anything they don't know the extension to. Now there you might be able to do some damage (if you manage to modify the player or find an exploitable hole in it), but otherwise c'mon - this is getting stupid.
Quo usque tandem abutere, Nimbus, patientia nostra?
But what about those of us who are callous (lazy) enough to run as root 24/7 ? We're just not naive enough to run foreign attachments from people we don't know (or don't trust).
Sure, make things nerf-safe for the common user, but don't go bashing those of us who actually run these machines.
Tell me about it.
I got rid of my front door a few weeks ago as I was sick of trying to find my keys. I can live with all the thefts and waking up to find the odd vagrant crashed out on my sofa, but it's the people that bash on me about it that pisses me off.
Hey! I remember that! (shit, I'm old)
Running Linux will.
Never underestimate the compatibility of Wine.
I wonder, what would un-bundling REALLY mean? Just that its easier to remove or that Microsoft OS' come with no browser?
Well, literally it would mean Windows ships without IE to OEMs. That's not to say that this is the remedy the EU will choose. It is just one of their options and by itself, certainly not enough to remedy the broken market.
Now that would be a fun one for new users...
The EU's remedies will likely affect only MS, not OEMs. If you're technical enough that you're building a computer and installing Windows yourself, you're probably technical enough to download and install a browser too. If you're a normal person you buy a computer with software, OS, and hardware pre-configured by an OEM and you'll almost certainly already have a browser installed by the OEM... maybe just not IE.
The only exploit is the user herself. Just don't open attachments from people you don't know.
Viruses have already become more clever than that long ago. From headers have zero trust value and are constantly faked, and using titles from documents found on a user's disks has replaced non-trustworthy gibberish. So getting mail from a friend with a trustworthy subject tells you little to nothing.
This really isn't something you can fix socially; if you could, we would have already solved it. It's just a technical problem that needs fixing: a mail program should just run attachments in a chroot/jail/VM-like environment and the problem pretty much disappears.
It would mean the user has to stop and wait for an automated download and install process to run their programs for the first time. In order to maintain compatibility with existing software IE must be installed.
I think you're missing the point of how bundling is perceived by the law. If MS installed software to auto-download IE, that would still be illegal. OEMs aren't going to ship without a browser or HTML engine though, so the normal user would not likely see much difference excepting which browser and HTML engine is pre-installed. Any remedy from the EU is going to be intended to change the situation MS has created where IE is required, or it has failed. The point is to restore the market to a state where IE is competing on its merits, not on the fact that it is a de facto standard or pre-installed. That includes providing incentive for both Web developers and application developers to no longer depend upon IE being there but to write for standards instead and use whatever is there.
Ask the Wine community why they are implementing an IE replacement in Wine. Many programs depend on having IE and its API around to render HTML documents.
Actually, they depend upon an HTML engine answering their calls to the APIs. It is entirely possible for the EU to require MS to abstract those APIs and allow plug-in HTML engines to respond. The EU could require this in all future versions of MS along with some degree of standards compliance from IE itself.
Steam and WoW are two such titles for those who don't think its significant or wide spread.
One test of a proper remedy might be Steam and WoW. When updating their applications to use the next versions of Windows/IE, is there anything that causes users to use IE specifically, instead of Opera, Firefox, or Chrome? Is there anything about the way those developers code the next versions that would lead users to install IE specifically not because of better features but because it has been the de facto standard so long and because it is made by MS? If so, the remedy is failing.
The alternative is to have broken applications.
Hopefully, the EU will implement a remedy that specifically prevents that from being the case going forward.
Hackers exploit already patched code! Security vendors come up with detection routines to protect from exploits targeting already patched code. Sysadmins everywhere say to themselves, "I'm sure glad I applied that patch last week." Life goes on.
Most folks that get hold of Linux and install it are probably going to be smart enough to open an e-mailed media file with a media player, and won't touch anything they don't know the extension to.
Last I checked, Linux let programs running under my account read personal data stored under my account and then send it to random computers on the internet.
Sure, it might have more trouble insinuating itself into the kernel and being nigh-undetectable, but if you don't have software that looks for it, there's plenty of damage it can do. My biggest worry is about data I have access to when logged in as my normal user account.
>Running Chrome or Firefox won't stop idiots from opening strange attachments.
False.
An idiot user will not know how to chmod +x a strange file, so your logic falls flat.
And there's plenty of Linux users happy to run with whatever is available in the Ubuntu repository, that they don't mind being "locked out" of desktop changes.
Contrast this with the Windows desktop user who will bitterly complain about not being able to open the Windows Clock on the taskbar, just to check dates on a calendar [a step which requires admin privs.], and that user will be instructed to just run as Administrator.
Those of you out there who get designated "family tech support"... you know EXACTLY what I mean. Those people will call you because they installed malware, OR they will call you because (after last time...) you gave them a "rights limited" account, and now they can't install some shitty piece of shareware (even though you typed notes on how they could 'Switch User' over to Admin just to install apps).
Running OpenOffice will stop the macro from accessing IE, though. MS Office isn't even bundled with most XP anymore. It wasn't on mine, anyway.
It's annoying that I can open everyone's files, but I need to export to a buggy format for others to open mine. But this news item proves it's worth it.
Yes, finding all those dependencies is so difficult!
emerge app
apt-get install app
yum install app
Password-protect your sensitive data.
No, but it has been consistently shown that FF users keep their browsers up to date much sooner. Case in point: the huge number of IE6 users compared to FF 1.5 users out there. Even within major revisions, the less painful FF upgrade system keeps the vast majority of people on the latest minor update or patch. Many IE users disable auto-updates because they're seen as an annoyance (asking themselves "why do I have to reboot simply to upgrade my web browser?").
I'm not sure it's possible to paint all of FOSS, or all closed-source devs, with such a wide brush. You do have some projects that are extremely risk and innovation averse, a classic example being GNOME, while others on the contrary have no problem starting everything from scratch like KDE has done. Similarly, you have Apple, the constant innovator, willing to dump legacy code to move forward, and MS, where their commitment to binary compatibility is limiting their progress.
Each strategy has its advantages and disadvantages of course. For some projects it does make sense to do your utmost not to disturb the ecosystem.
Dear Sir,
I am writing in reference to the "Chinese Exploit Kits" you mentioned on the Slash Dot on 18 February. Please inform me if you have further information on availability of these kits.
I would also be interested in subscribing to your newsletter.
Sincerely,
TheModelEskimo
Wasn't this also the time of the naive internet? When all smtp traffic was on port 25 with forwarding enabled? Before AOL and the dark times ...
Sigh... I was going to post a quick rant about using the term "Hacker" when obviously "Cracker" or "Black Hat Hacker" would be better....but ohhhh what the hell... I give up.
You're a tinkerer, craftsman, hobbyist, inventor, recreational electrician, etc etc. There was a point at which men stopped using a certain word to describe an elated mood too. "Hacker" been redefined. "Bad" means "good", "hawt" is the new hotness replacing "cool", a hogshead is no longer a unit of measurement, and mail(le) is no longer chain link armor, but instead a common word for post.
C) If the User is stupid anyway, no system will ever be secure enough except one that does not give this person the ability to act as root in the first place, which means using a Mac, which I will never do because it is too user-obsequious
User-obsequious? You mean, the computer does what the user wants it do? My heavens, that's terrible! If the people start using Macs, they won't have a use for that condescending bearded guy that hangs out in the server room all day!
PS I'd never describe a Mac as "obsequious," they are far too haughty for that.
(-1, Raw and Uncut is the only way to read)
Sigh... I was going to post a quick rant about using the term "Hacker" when obviously "Cracker" or "Black Hat Hacker" would be better....but ohhhh what the hell... I give up.
I've been doing computer stuff ("hacking") since the mid-1970s and consider myself a "Hacker"...but not in the bad way.
maybe I should turn to the dark side and just get it over with.
And I was going to post a rant on the History Channel about when "Barbarian" used to be an offensive racial slur against the good people of northern Europe.
Wrong! Try to compile VirtualBox on Ubuntu.
I'm not new here, but seriously: since when is Slashdot a completely clueless news source that confuses crackers with hackers?
Hackers are the good guys who, you know, hack away on free software.
Crackers are the bad guys who think they're cool because they know enough to get around security holes and whatnot.
Fire Fox has its own Zero Day attack
I got nailed with the XP Police 'anti-virus' by navigating to a url via FireFox. No additional clicking, no user-error, no accepting/running/allowing anything out of the ordinary. Simply watched page load then was infected.
I went back to the page in question with IE 8 and it wasn't vulnerable to whatever attacked FF 3.06.
The browser religion war is over and we've all lost to shoddy programming. You can always attempt to hide in the latest obscure OS/browser, but at some point you will be caught by someone else's mistakes.
-Malakai
A Dragon Lives in my Garage
Tried that, I had a problem -
apt-get install effin-common-sense-0.2.3
Sorry, but the following packages have unmet dependencies:
effin-common-sense: Depends: brain-2-1.0 but it is not going to be installed
Depends: intelligence (>= moron) but it is not going to be installed
I think the problem is I installed unstable brain so that I could make use of fetish-69-99.0
BM3
Well yeah, back then you didn't have to fear the act of just opening your E-Mail either, since mail was text based and didn't execute random shit or send you off to random sites on the Internet for graphics or web bugs. This exploit actually required the user to save and run the attachment. It was also (usually) decent enough to not delete all your files in the process of forwarding itself to other users.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
No, that's not how it works. In a modern development environment, the developers would pop the dialog box that would show all their installed and registered components... the dev goes down the list, and go "Hmm...Adobe PDF renderer...nope... Gecko? Hmm...no... IE Control...bingo!". If they were (and they most likely were) using something a little less "drag and drop", they had to make a conscious decision to pick and load an instance of that particular COM control. It's pretty god damn likely that the Steam and WoW developers had access to alternate browsers (Is there really anyone in IT who doesn't at least have some form of alternative browser installed?), so if Firefox's installer doesn't register and expose the rendering engine in an easily discoverable and consumable method, that's their loss...
Now the first thing that came to my mind when I was typing the above at first was "Well, maybe the Steam/WoW team figured it would be one less dependency", but really, these engines are a couple of megs at most, if that, and modern installer toolkits (like InstallShield) will pick it up automatically either way... so really, it HAD to be a conscious decision, and the availability of the rendering engine was probably not the first reason, considering the date that software was first created.
The IE COM component is just dead easy to use. The gecko rendering engine API blows balls.
1. Require .desktop files to be executable to launch them
In addition, make the desktop environment not execute .desktop files under /home, and/or mount /home with noexec.
If a user wants a launcher icon on their desktop, enforce that the icon is actually a symlink to the real .desktop file under /usr/share/applications. (Can be done while hiding the mechanics from the UI trivially.)
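As an added example (not from any poster in the thread), here is a small POSIX shell audit of the policy proposed above: every launcher in a desktop directory must be a symlink that resolves into the trusted applications tree, and a regular .desktop file under the user's home must not carry the executable bit. The directory paths are parameters so the audit can be run against a constructed tree; the function name `audit_desktop_dir` is an assumption of this example.

```shell
#!/bin/sh
# Added example, not the thread's own code: audit a launcher directory
# against the proposed rules. Prints one line per finding and returns
# the number of findings (0 means the directory is clean).
# usage: audit_desktop_dir <desktop-dir> <trusted-applications-dir>
audit_desktop_dir() {
    desktop_dir=$1
    # resolve the trusted tree so link targets compare against its real path
    trusted_dir=$(readlink -f "$2")
    findings=0
    for f in "$desktop_dir"/*.desktop; do
        # an unmatched glob leaves the literal pattern; skip it
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ]; then
            # launcher is a symlink: its resolved target must live inside
            # the trusted tree (readlink -f follows every link component)
            target=$(readlink -f "$f")
            case "$target" in
                "$trusted_dir"/*) ;;
                *) echo "UNTRUSTED LINK: $f -> $target"
                   findings=$((findings + 1)) ;;
            esac
        else
            # a real file dropped into the desktop dir is the case the
            # proposal wants to refuse to launch
            echo "NOT A SYMLINK: $f"
            findings=$((findings + 1))
            if [ -x "$f" ]; then
                # executable bit set under $HOME: would be launchable even
                # under rule 1, so it deserves its own finding
                echo "EXECUTABLE: $f"
                findings=$((findings + 1))
            fi
        fi
    done
    return "$findings"
}
```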
Not that you'd ever want to do it like this anyway unless you were patching it yourself (you'd just get the binaries from the package manager) but:
If anyone still believes that dependency hell is a problem in modern Linux distributions, I advise them to look at the third line of what I did above and be disillusioned; nothing about what I did apart from the filenames depends in any way on VirtualBox, I could have used any other package instead. (This particular technique only works for .DEBs, but both RPMs and portage are equally capable of solving the problem in their own ways, and I suspect most other Linux package managers can too.)
(1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
The default configuration of windows stinks. It is a technical problem, but it stems from many decisions to favor backwards compatibility, not from the capabilities of the operating system (well, post NT anyway).
The end result is that it is more attractive to exploit a windows box, as it will probably be easier, and the box will expose more resources once it has been exploited.
Nerd rage is the funniest rage.
The underlying problem is that good security sucks for desktop use.
Fixed that for you.
I know tobacco is bad for you, so I smoke weed with crack.