Slashdot Mirror


Hackers Jump On Newest IE7 Bug

CWmike writes "Attackers are already exploiting a bug in Internet Explorer 7 that Microsoft patched just last week, security researchers warned today. Although the attacks are currently in 'very, very small numbers,' they may be just the forerunner of a larger campaign, said Trend Micro's Jamz Yaneza. 'I see this as a proof-of-concept,' said Yaneza, who noted that the exploit's payload is extremely straightforward and explained that there has been no attempt to mask it by, say, planting a rootkit on the victimized PC at the same time. 'I wouldn't be surprised to see this [exploit] show up in one of those Chinese exploit kits,' he added. The new attack code, which Trend Micro dubbed 'XML_Dloadr.a,' arrives in a spam message as a malicious file masquerading as a Microsoft Word document."

31 of 162 comments

  1. Whew! by the_humeister · · Score: 3, Funny

    Glad I'm using Lotus Notes. Hmm...

    1. Re:Whew! by the_humeister · · Score: 3, Funny

      Oops! Wrong exploit I was referring to. Stupid 'submit' button...

    2. Re:Whew! by Anders · · Score: 5, Funny

      Glad I'm using Lotus Notes.

      That's a first!

    3. Re:Whew! by just_another_sean · · Score: 2, Insightful

      So is the guy's name in the article...Jamz lol what a goofy name hehe

      Pfft. This from a guy named "Anonymous Coward".

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal

  2. Hopefully attacks like this won't be as prevalent by kcbanner · · Score: 2, Interesting

    ...when Microsoft stops bundling IE with Windows (depending on what happens with that anti-trust case in the EU). Does anyone know if that would also affect NA?

    --
    Obligatory blog plug: http://www.caseybanner.ca/

  3. Re:Hopefully attacks like this won't be as prevole by the_humeister · · Score: 4, Insightful

    And then the exploits will occur with the browser that most people are using. Face it: there are bugs in every piece of software out there, and it's just a matter of time before someone finds and exploits them.

  4. Re:Hopefully attacks like this won't be as prevole by Anonymous Coward · · Score: 5, Insightful

    The new attack code, which Trend Micro dubbed "XML_Dloadr.a," arrives in a spam message as a malicious file masquerading as a Microsoft Word document. If the fake document is opened, the exploit hijacks PCs that have not been patched...

    Running Chrome or Firefox won't stop idiots from opening strange attachments.

  5. Re:Hopefully attacks like this won't be as prevole by rolfc · · Score: 5, Funny

    Running Chrome or Firefox won't stop idiots from opening strange attachments.

    Running Linux will.

  6. Masquerading? by TheRaven64 · · Score: 5, Funny

    a malicious file masquerading as a Microsoft Word document

    I don't think this is the same definition that the rest of us use. In related news, a lizard was seen masquerading as a gecko.

    --
    I am TheRaven on Soylent News

  7. Linus quote about Microsoft by Anonymous Coward · · Score: 2, Funny

    "They invade our computers, and we fall back. They assimilate entire servers, and we fall back. Not again. The line must be drawn here! This far and no further! And I will make them pay for what they've done!" - Linus Torvalds

  8. Re:Hopefully attacks like this won't be as prevole by Lucid+3ntr0py · · Score: 2

    Running Chrome or Firefox won't stop idiots from opening strange attachments.

    Running Linux will.

    No. It will only stop the current exploits from being effective.

  9. Re:Hopefully attacks like this won't be as prevole by peterbye · · Score: 4, Insightful

    That will be true if all those people running windows using administrator accounts move over to running linux as root. Those running linux properly will still be pretty much unaffected.

  10. In other news-- FISH FOUND IN OCEAN by baomike · · Score: 2

    Will it blow my version of OO when I try to open the WORD document?
    I am glad to hear that it won't affect the REGISTRY on Slack.

    I am so waiting for the malware that runs "FORMAT C: " or whatever it is nowadays.

    1. Re:In other news-- FISH FOUND IN OCEAN by The+MAZZTer · · Score: 2, Informative

      Viruses/Virii don't tend to destroy the computer anymore, since that pretty much gives them away AND also makes it difficult for them to propagate or earn money off of you (ad views, purchases) when your computer won't turn on.

  11. Re:Hopefully attacks like this won't be as prevole by jetsci · · Score: 2, Insightful

    Have you seen how much trouble it is to write a Linux virus? There was an article up recently (I may be crazy, could have been a comment) about writing a Linux virus/worm/trojan. It had a number of caveats and required a great deal of luck. HOWEVER, I can imagine the typical Windows user migrating to Linux and, as mentioned above, running as root. However, Ubuntu (and others of course) do not allow root access by default... might not be so bad.

    --
    Bored at work? Play Game!

  12. Re:Hopefully attacks like this won't be as prevole by Dotren · · Score: 3, Interesting

    Running Linux will.

    Apparently not if you're using KDE or GNOME.

  13. Re:Hopefully attacks like this won't be as prevole by Greyfox · · Score: 4, Informative

    Back in the day when dinosaurs and mainframes walked the earth and the system programmer's room was likely to have more than one half-drunk cup of coffee with a cigarette butt floating in it, it was not uncommon to get an E-mail around Christmas time with an attachment in it. The attachment purported to display an ASCII Christmas tree on your terminal, complete with flashing ornaments and such.

    When it was run, this attachment would helpfully and quietly forward itself to everyone in your address book. A couple of days later, after cleaning up the smoking wreckage of the E-mail system, system administration would send out an E-mail suggesting that it's not a good idea to run programs from unknown sources.

    This was on IBM VM/CMS, a notably not-Microsoft OS.

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  14. Re:Exploit Wednesday by fuzzyfuzzyfungus · · Score: 2, Informative

    I'm not an expert by any means; but I'd suspect that that is a hard problem. The security patch must, to fulfill its purpose, change the system from its vulnerable state to a nonvulnerable one. Tools for observing changes of state are common, well developed, and have loads of legitimate uses. Especially with all the use of VMs now, you pretty much have to assume that the hypothetical reverse engineer can see absolutely everything that happens to the system, step by step, if he feels like it.

    Microsoft could, of course, add large numbers of irrelevant changes to every patch, as a sort of chaff, and use the various other obfuscation tricks; but I strongly suspect that that would do nothing good for the timeliness or quality of their patches.

  15. Re:Hopefully attacks like this won't be as prevole by lord_sarpedon · · Score: 3, Insightful

    Not all that much really. Easy enough to run a spambot with user privs. Any of the data you want to steal is in ~. If you last long enough without detection, you can grab the user's password with an X keylogger and start doing extra naughty stuff with root.

    --
    "Strangers have the best candy" -Me

  16. Re:Hopefully attacks like this won't be as prevole by 99BottlesOfBeerInMyF · · Score: 2, Interesting

    And then the exploits will occur with the browser that most people are using. Face it: there are bugs in every piece of software out there, and it's just a matter of time before someone finds and exploits them.

    So a more diverse set of browsers in use leads to fewer people being exploited. Sounds like something worth encouraging. And while we're at it, how can we encourage vendors to make their browsers more secure and generally better? If only there were some way to motivate developers using common human motivations. I know, we could have them compete with each other on a level playing field in a free market, and the best browser will gain the most market share, so they will all work extra hard to make theirs the best. It's brilliant!

    What? The law already mandates this? Well, better yet. What? One company is breaking the law and preventing competition, and thus removing the motivation for much improvement and lowering the bar for everyone? Surely the courts will act quickly and decisively to stop this criminal behavior.

  17. minor pedantry by AliasMarlowe · · Score: 2, Informative

    virii

    If that's an attempt at Latin, it failed. In Latin, virus is in the fourth declension and its plural is virus (yep, just like the singular), and NOT viri or virii.

    Of course, as an English word, the plural of virus is viruses.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire

    1. Re:minor pedantry by Tanktalus · · Score: 2, Funny

      Next thing you're going to tell me is that the plural of moose isn't meese. Stupid pedants.

    2. Re:minor pedantry by JasterBobaMereel · · Score: 5, Funny

      ...and the plural of mongoose is polygoose ....

      --
      Puteulanus fenestra mortis

    3. Re:minor pedantry by Petrushka · · Score: 2, Informative

      If that's an attempt at Latin, it failed. In Latin, virus is in the fourth declension and its plural is virus (yep, just like the singular), and NOT viri or virii.

      You, too, fail at Latin: it's second declension. Didn't your Latin teacher ever tell you to look at the genitive to determine which declension it is?

      Don't be misled by the fact that it's neuter: it's one of three 2nd-decl. -us nouns that are neuter (the others are pelagus and vulgus). Nouns of this type do not have plurals in Latin (see Allen & Greenough p. 22).

  18. Re:Hopefully attacks like this won't be as prevole by dedazo · · Score: 5, Interesting

    It's not that difficult. I can turn your shiny Linux box into a bot zombie by sending you a Perl script in a tarfile with the execute bit set and asking you to extract and run it. I don't even need root access. More sophisticated? Fine, how about I do the same thing but use, say, Python and a simple wxWidgets UI to ask for your root password? You know, because I need it to "update your system". Chances are good you have all that installed on your system if you use the average distro.

    Don't underestimate the power of simple social engineering or the tendency of users to do dumb things. And don't overestimate the alleged technological superiority of your OS. I don't need to code an ELF binary in x86 assembler to do damage, and no one writes destructive viruses anymore. Neither you nor your data are the target. The commodity being sought here is your machine and its network connection.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo

  19. Re:Hopefully attacks like this won't be as prevole by colourmyeyes · · Score: 2, Insightful

    There's always the matter of a no-password "sudo" setup.

    Do any linux distros come set up for this by default? How long until they do?

    --
    My grandmother used anecdotal evidence all the time, and she lived to be 120 years old.

  20. Re:Hopefully attacks like this won't be as prevole by Thinboy00 · · Score: 2, Insightful

    Pointing out there are possible fixes doesn't absolve it from blame.

    No, it doesn't, and that is one of the major problems with FOSS: devs tend to avoid disturbing the ecosystem as much as possible, even when doing so is a good idea. If this was run in a traditional (read:closed-source) setting and IT heard that it would take the flip of a few bits to get rid of a major security vulnerability, how long would the bug live?

    I know some idiot mod will mark this as a troll because it is critical of FOSS. Really people, let's at least pretend to be civilized, please.

    --
    $ make available

  21. Re:Hopefully attacks like this won't be as prevole by JasterBobaMereel · · Score: 2, Informative

    ...and I won't run it, nor will any of my users....

      Update my system .. ok I just go in the package manager ... no updates .. oh well

    Social engineering works both ways. If you make sure you never, ever send updates via email, then the users notice it's unexpected and ask first... Too many Windows systems are updated by users clicking on links in/attachments to emails... and far too many websites give download-and-run links for Windows systems, so the users expect it to work like that.

    Linux does not make hijacking and exploits impossible, or even that difficult... but it does make it inherently less likely that the simple ones will succeed (don't run as admin, make it painful to run downloaded files, update via package manager not by running a program/script)

    --
    Puteulanus fenestra mortis
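A defender-side check for two points raised in the comments above, the no-password "sudo" question (comment 19) and the advice not to run as admin (comment 21). This is an added example, not code from the thread or from any distribution. It parses sudoers-style rules and grades each password-less (NOPASSWD) entry by how much it hands to any program running as that user; the embedded sample is constructed, and its user names and command paths are made up.

```shell
#!/bin/sh
# Added example, not from the thread: audit sudoers-style rules for
# password-less (NOPASSWD) entries. The sample below is constructed;
# its user names and command paths are illustrative only.

SAMPLE_SUDOERS='# constructed sample, not a real /etc/sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
bob     ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
%wheel  ALL=(ALL) ALL
carol   ALL=(root) NOPASSWD:SETENV: /bin/sh'

# classify_rules: reads sudoers text on stdin and prints one line per
# NOPASSWD rule as "<severity> <user-or-group> <command spec>".
#   high   - the spec is ALL or a shell: any program run as that user,
#            a trojan from an e-mail attachment included, gets root
#            with no prompt at all
#   medium - the spec is a single command, so the exposure depends on
#            what that one command can be made to do
classify_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        /^Defaults/ { next }                             # option lines
        /NOPASSWD/ {
            who = $1
            # the command spec follows the last tag (NOPASSWD:, SETENV: ...)
            n = split($0, parts, ":")
            cmd = parts[n]
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", cmd)
            sev = "medium"
            if (cmd == "ALL" || cmd ~ /\/(sh|bash|dash|zsh)$/) sev = "high"
            print sev, who, cmd
        }
    '
}

# count_by_severity TEXT SEVERITY: number of NOPASSWD rules of that severity
count_by_severity() {
    printf '%s\n' "$1" | classify_rules \
        | awk -v s="$2" '$1 == s { c++ } END { print c + 0 }'
}

# audit_text TEXT: print findings; succeeds only when no high-severity rule exists
audit_text() {
    findings=$(printf '%s\n' "$1" | classify_rules)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
    else
        echo "no NOPASSWD rules found"
    fi
    [ "$(count_by_severity "$1" high)" -eq 0 ]
}

# audit_file PATH: the same check over a real file (root needed for /etc/sudoers)
audit_file() {
    audit_text "$(cat "$1")"
}

# Stand-alone run: audit the constructed sample.
audit_text "$SAMPLE_SUDOERS" || echo "WARNING: blanket password-less sudo present"
```

On a real host, run `audit_file` over /etc/sudoers and each file in /etc/sudoers.d; lines pulled in through `#include` or `@include` are skipped by the comment filter, so audit the included files individually. The quick manual check for the account you are logged in as is `sudo -n true`, which succeeds without a prompt only when a password-less rule covers it or cached credentials are still valid.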

  22. Re:Hopefully attacks like this won't be as prevole by dedazo · · Score: 2, Insightful

    Once all those Windows users start migrating to Linux because it's safer, do you think they'll suddenly be infused with large doses of simple common sense? apt-get install effin-common-sense-0.2.3 or something like that? =)

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo

  23. Re:Hopefully attacks like this won't be as prevole by 99BottlesOfBeerInMyF · · Score: 2, Insightful

    It's not that difficult. I can turn your shiny Linux box into a bot zombie by sending you a Perl script in a tarfile with the execute bit set and asking you to extract and run it.

    Trojans are a serious concern, but still a small portion of the problem today. Most exploits, by number of infections, are via automated worms with no user interaction.

    Don't underestimate the power of simple social engineering or the tendency of users to do dumb things. And don't overestimate the alleged technological superiority of your OS.

    The interesting thing about non-Windows OSes is they adapt to threats. Right now trojans are not a problem for the average Linux user, but in a few high security environments they are a concern. Those environments use technologies like SELinux to mitigate the risks and make social engineering a lot harder indeed. If trojans are ever a threat to the average Linux user, these technologies will be ubiquitously employed, helping to defeat said threat. That's the thing about not being a monopolist. You have serious motivation to fix your users' problems, and if you don't, someone else will.

    Neither you nor your data are the target.

    This has never been completely true, but it is becoming less and less so. More malware is starting to collect passwords to online accounts, banking info, and credit card numbers.

  24. Re:Hopefully attacks like this won't be as prevole by Kugrian · · Score: 3, Funny

    But what about those of us who are callous (lazy) enough to run as root 24/7? We're just not naive enough to run foreign attachments from people we don't know (or don't trust).

    Sure, make things nerf-safe for the common user, but don't go bashing those of us who actually run these machines.

    Tell me about it.

    I got rid of my front door a few weeks ago as I was sick of trying to find my keys. I can live with all the thefts and waking up to find the odd vagrant crashed out on my sofa, but it's the people who bash on me about it that piss me off.