Microsoft Warns of New Video ActiveX Vulnerability
ucanlookitup writes "Microsoft has warned of a 'privately reported' vulnerability affecting IE users on XP or Windows Server 2003. The vulnerability allows remote users to execute arbitrary code with the same privileges as the user. The vulnerability is triggered when users visit a web site with malicious code. 'Security experts say criminals have been attacking the vulnerability for nearly a week. Thousands of sites have been hacked to serve up malicious software that exploits the vulnerability.' The advisory can be found at TechNet. Until Microsoft develops a patch, a workaround is available."
Once again the problem here is too tight integration with other parts of the OS. Yeah, IE is the most used browser and as such a major target for exploits, but some separation from other parts of the OS wouldn't do any harm. Or at least make it optional to use such; you won't be automatically affected by Flash or PDF exploits if you chose not to install those. Just another reason to use alternate browsers like Opera or Firefox, seeing it only affects IE users.
That being said, you don't need admin privileges for some malware to do its job; botnets and such easily run within user privileges as well. Funnily, this issue is exactly the same in Linux and Mac OS too, which their users always seem to forget and go on about how malware couldn't get the admin rights. They don't need it.
The fun thing is, there always seem to be exploits coming out for IE and Firefox. Very rarely for Opera. That makes me think they've made some good fundamental decisions on design and programming and know how to secure code from exploits, especially because they have major marketshare (better than IE actually) in CIS countries like Russia and Ukraine and you would think the local hackers would be trying to break it apart and exploit every possible thing on it. Hats off to them, really.
In this day and age, isolating the browser from the OS and even virtualizing it in its own environment that's cleaned when the browser is closed starts to be a must, and I don't really see why they aren't doing it already. It would save people from so much trouble, and wouldn't affect performance at all.
affecting IE users on XP
Good thing none of them read Slashdot.
Luckily Microsoft reports there is a fix for this, Windows 7 is nearly here.
Take Nobody's Word For It.
ActiveX has a vulnerability. News at 11.
The Italians are at it again, those sneaky bastards. When will they learn that America will mercilessly defend her Freedom against Italian savagery? Down with the Active-Italian-X-axis! Down with Communo-Islamo-Italo-Fascism and its running dogs in the USA!
http://www.mozilla.com/en-US/firefox/
Securityfocus has more details, including the secret identity of the 'private reporter'
Considering how much of a security problem ActiveX is, I consider the workaround (i.e. disabling ActiveX) a very good final fix for the problem.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Being retarded won't preclude her becoming leader of the republican party ... just watch and see.
Did you actually even read the whole sentence or are you making a joke? :)
"Funnily, this issue is exactly the same in Linux and Mac OS too, which their users always seem to forget and go on about how malware couldn't get the admin rights. They don't need it."
Also, SELinux is not something standard that comes along with every kernel, and even if not via exploits, it would happen via user stupidity, which would be there when the masses start using Linux on the desktop.
My ex-wife was 'tarded. She's a pilot now.
Squirrel!
But BonziBuddy told me that ActiveX was working perfectly! How can a purple monkey that helps me to remember all my credit card numbers lie???
I have nothing further to say, I just wanna stand here in my black turtle-neck with my cup of coffee looking smug. /typed on my MBP, so simma-down now fan boys... ;-P
Seriously, this exploit sucks. I've gotta patch a butt-load of computers today now. Thanks a lot MS. Anyone know if the MSI file has a silent install option? Or can it be done via GPO?
I just walked in, this smacked me right in the face this am. Damnit.
Sent from your iPad.
Dump Windows, install any Linux distribution you like... Look Ma! No more Active-X!
Mac might not have as many problems, but they're a lot slower to muck around fixing their holes. Not that I'm trying to start a war, just that I think you all ought to be less harsh.
"Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
just warn us when they have found no exploits at all?
meanwhile, we would just assume the default status is that everything is exploitable
it would cut down on the announcements by an order of magnitude
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Media Player will try to download codecs for certain wmv files. I stick with VLC and never use wmv's. But someone I know used the wmv and downloaded the codec and got a rootkit instead. I'd not previously heard of this method of attack but it doesn't surprise me a jot.
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
Does bring one question to my mind, though. In our office we have been told not to upgrade to IE7, though a few people "accidentally" did anyway. On their machines, even if they use Firefox, the security/Internet settings that IE7 made carry over to Firefox and affect it. One example is a certain java applet we have to access here that wouldn't even work in FF after my coworker upgraded. I had to go in and change settings in IE for it to work in either browser. I didn't upgrade and I'll admit my knowledge is a bit fuzzy in this area, so I haven't really looked into this too much, but... If a vulnerability can use IE to get into the OS, couldn't it do so even if you haven't opened IE yourself?
10 FILL MUG WITH COFFEE
20 DRINK COFFEE
30 GOTO 10
...will soon be added to the Thesaurus as a synonym of "Vulnerability".
No matter how hot a girl is - some guy somewhere is sick of her shit.
It is true that ActiveX and NSAPI plug-ins are both native code and can have the same risks. But the big difference is attack surface. Code needs to be written very explicitly as an NSAPI plug-in. However, most Windows components are by default a COM object, and perhaps controllable by Internet Explorer if the developer so chooses (traditionally referred to as an ActiveX control).
So a typical Firefox installation may have a half dozen or so plugins available, and they may have vulnerabilities. But a typical IE installation has literally thousands of COM objects at its disposal (a bare Windows XP installation has over 2500 COM objects). And those objects may have vulnerabilities as well.
So play the numbers. IE's close integration with the OS means that it has a larger attack surface. While isolation and privilege separation is a good idea, the actual reason that Vista and 2008 are unaffected is *not* because of low-rights IE. IE on those platforms treats the ActiveX interaction required by the exploit as "unsafe" and it is blocked (rather than allowing the exploit to occur but "neutering" it by giving it low rights).
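To put a number on the "thousands of COM objects" point and show what the advisory's kill-bit workaround actually changes, here is an added audit script (not code from the thread or from Microsoft). The two category GUIDs, the ActiveX Compatibility key and the 0x400 kill bit are real Windows constants; the sample CLSIDs are constructed placeholders, not the ones named in the advisory, and on Windows the script reads the live registry instead.

```python
"""Audit which registered COM classes a web page in IE can reach by script,
and emit the kill-bit registry fragment that the advisory's workaround uses.

Added example, not from the thread or from Microsoft. The sample CLSIDs are
constructed placeholders; the category GUIDs and key paths are Windows constants.
"""
import sys

# Categories a control registers under CLSID\{..}\Implemented Categories
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
# HKLM\<COMPAT_KEY>\{CLSID}\"Compatibility Flags" with this bit set = kill bit
KILL_BIT = 0x400
COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"


def classify(clsid, info, killbits):
    """Return 'kill-bitted', 'script-reachable' or 'not marked safe'.

    info     -- {"name": str, "categories": iterable of category GUIDs}
    killbits -- {CLSID: Compatibility Flags value}
    Caveat: a control may instead declare safety at run time via IObjectSafety,
    which the registry alone cannot reveal, so 'not marked safe' is a lower bound.
    """
    flags = killbits.get(clsid.upper(), 0)
    cats = {c.upper() for c in info.get("categories", ())}
    if flags & KILL_BIT:
        return "kill-bitted"
    if CATID_SAFE_FOR_SCRIPTING in cats or CATID_SAFE_FOR_INIT in cats:
        return "script-reachable"
    return "not marked safe"


def audit(classes, killbits):
    """Group every registered class by status: {status: [(CLSID, name)]}."""
    result = {"kill-bitted": [], "script-reachable": [], "not marked safe": []}
    for clsid, info in classes.items():
        status = classify(clsid, info, killbits)
        result[status].append((clsid.upper(), info.get("name", "")))
    return result


def killbit_reg(clsids):
    """Build .reg text that sets the kill bit for the given CLSIDs (the manual
    form of the advisory's workaround; review the list before importing it)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append(r"[HKEY_LOCAL_MACHINE\%s\%s]" % (COMPAT_KEY, clsid.upper()))
        lines.append('"Compatibility Flags"=dword:%08x' % KILL_BIT)
        lines.append("")
    return "\n".join(lines)


def load_registry():
    """Windows only: read every CLSID, its categories and kill bits via winreg."""
    import winreg
    classes, killbits = {}, {}
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            clsid = winreg.EnumKey(root, i)
            cats = set()
            try:
                with winreg.OpenKey(root, clsid + r"\Implemented Categories") as ck:
                    cats = {winreg.EnumKey(ck, j) for j in range(winreg.QueryInfoKey(ck)[0])}
            except OSError:
                pass
            try:
                name = winreg.QueryValue(root, clsid)  # default value = friendly name
            except OSError:
                name = ""
            classes[clsid] = {"name": name, "categories": cats}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, COMPAT_KEY) as ck:
            for i in range(winreg.QueryInfoKey(ck)[0]):
                clsid = winreg.EnumKey(ck, i)
                with winreg.OpenKey(ck, clsid) as sub:
                    killbits[clsid.upper()] = winreg.QueryValueEx(sub, "Compatibility Flags")[0]
    except OSError:
        pass
    return classes, killbits


# Constructed sample data (placeholder CLSIDs) so the audit runs offline.
SAMPLE_CLASSES = {
    "{00000000-0000-0000-0000-0000000000a1}": {"name": "Demo scriptable control", "categories": {CATID_SAFE_FOR_SCRIPTING}},
    "{00000000-0000-0000-0000-0000000000a2}": {"name": "Demo blocked control", "categories": {CATID_SAFE_FOR_INIT}},
    "{00000000-0000-0000-0000-0000000000a3}": {"name": "Plain COM server", "categories": set()},
}
SAMPLE_KILLBITS = {"{00000000-0000-0000-0000-0000000000A2}": KILL_BIT}

if __name__ == "__main__":
    data = load_registry() if sys.platform == "win32" else (SAMPLE_CLASSES, SAMPLE_KILLBITS)
    report = audit(*data)
    for status, items in report.items():
        print("%-17s %d" % (status, len(items)))
    # Replace the placeholder with the CLSIDs the advisory names before importing.
    print(killbit_reg(["{00000000-0000-0000-0000-0000000000A2}"]))
```

On a real XP box the "script-reachable" bucket is the part of the attack surface the post is talking about; the kill-bit fragment is what the advisory's workaround writes for the affected CLSIDs.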
So I guess you don't use any Operating System then?
You don't know what you don't know.
I take it you were the retardent then?
Another reason to not use ActiveX and NOT use an OS that allows executables to do anything with the kernel via an untrusted WEB PAGE.
Um, what? This has nothing to do with the kernel.
This is another reason NOT to use Vista.
How so? Vista is secure from this; it's XP that's vulnerable.
Where are my mod points?
It seems they got lost about a month or so ago and never came back.
With posts like this, I can see why.
Also, SELinux is not something standard that comes along with every kernel,
Some people don't trust the NSA with their "security."
It makes me wonder why any financial institution would still design their websites to require Internet Explorer and/or Active X. Seems sort of like putting up guide rails at a bowling alley and then expecting everyone to bowl gutter balls.
Voting them all out of office, now that's change I can believe in.
Um, what? This has nothing to do with the kernel.
Clarification - Maybe not this one, however: Using ActiveX allows system access
Ever heard the phrase "ActiveX kernel mode"?
Some nice examples:
http://www.codeproject.com/KB/COM/ActiveXEXEWrappers.aspx
http://blogs.zdnet.com/security/?p=427
http://secunia.com/advisories/35683/
Need any more?
FMSFB (You figure out the acronym)
I say things which affects my Karma negatively. (and I don't care) For instance; All religion is false.
Wrong on two counts:
1. Every ActiveX object is a COM object, but not every COM object is an ActiveX object. This is not a pedantic distinction.
2. IE is no more integrated with the OS than Webkit is in KDE: the rendering libraries are considered part of the OS, and the plugin mechanism previously discussed operates there as well.
Please know more about the technology before making unfounded assertions.
You can create multiple user accounts. With Windows XP you can use Tweak UI to control what accounts show in the default XP login screen.
Then log in as your main (non-admin) user, and use browsers running as the different users for different things. For example, you have different browsers for bank stuff, shopping, normal browsing (google, slashdot etc), and less trusted browsing (which is set to be the "default browser" - what launches when you click on a link in an email etc).
Let the main user have access to the download directories of those browsers and that's pretty much it.
There's a bit of hassle since you'd have to copy files to be able to upload them to facebook/gmail etc, but that's also a feature in terms of security - only the files you want to upload get uploaded (you can delete them after that). Note: on XP if you run main user as userX, and browser as userY, if userX has a network share mounted, userY does not automatically get the same access to it. This might be considered inconvenient, but this is a good thing in terms of security.
It still won't be popular with people who want to click and install, but it's certainly safer.
You could use virtual machines, but do note that while running stuff in a virtual machine is safer in some ways, it could be more dangerous in other ways, because there have been security flaws with virtualization stuff and some of the virtualization bits would have full system privileges.
More details:
The problem you'll find is Firefox is braindead: you can't run multiple instances of Firefox in Windows with different user accounts. So you'd have to have one Firefox instance in a "subaccount", and multiple IE instances using different "subaccounts".
When I tried to get Chrome to run as a different user it just wouldn't work. So no Chrome for me.
So I guess you don't use any Operating System then?
No, He prefers to communicate using God's language, machine code.
RES PUBLICA NON DOMINETUR
Then those people should read the source, or ask/hire someone they DO trust to do it for them.
Not to mention that on most of the boxes I've had to work on the Vista "infection" was a much worse experience than XP with actual malware! What you really have to love with Vista is when it has a "senior moment". Anybody else experience the fun of that one? It is where the OS just stops responding for 5-15 seconds for no fricking reason whatsoever, just long enough to irritate the living hell out of you.
Besides a little common sense makes XP a fast & safe experience. Rule 1- Don't make the user think. Have everything set up automatic-AV/Antispy, autoupdates for the OS and for PDF reader (I give them Foxit) along with ABP to get rid of the ads that seem to be the biggest attack vector more and more, etc. Rule 2- If they are willing to learn (not always the case, which is why you have Rule 1) give them Noscript and set them up as a standard user. Rule 3-This is the most important- Tell them not to be a total dumbass and not to ignore what the AV says! This rule is for the morons that will actually turn off the AV to get at the pr0n, the email attachment with xxx passwords, etc.
With these simple rules I have many customers that run for years without any type of infection. Just a little common sense goes a long way, don't you know. This machine I am typing this on has the same install of Win2K I put on in 2000 to get rid of MSFT's other mistake OS, WinME(EEK!) and it has been running hooked to the net 24/7 all these years without a single bug. Why? Because it is always patched, I don't run IE, I don't surf to dodgy pr0n and warez sites, I don't allow email attachments, and I don't let dumbasses on this machine. If I have someone come over that needs to use the net I have a 733MHz SFF that with DSL Linux makes a damned good Nettop.
But blaming XP for infections is like blaming Ford because you got an STD screwing a hooker in the back seat. As a PC repairman I have found a good 90%+ of the PCs infected became that way because someone went somewhere they KNEW was dodgy, but were willing to take the risk. Can't really blame the OS if some moron downloads and runs a nasty keygen or "xxx_Lesbos_In_Heat.mpg.exe", now can we?
ACs don't waste your time replying, your posts are never seen by me.
It is just that I'm not aware of any Operating System / Browser combination which does not do anything with the kernel. Just a plain image download makes a heck of a lot of calls to the kernel. Well, maybe there is a browser for DOS...
But I'm sorry. I'm just being a jackass and having a bit of fun here :)
You don't know what you don't know.
When the media release admonishes that malicious attackers have been exploiting a flaw for nearly a week the real indication is that the core of the obfuscated code community has been exploiting it for far longer--probably since the day the vulnerable snippet of code was introduced. I will not tarry to read the full article and look at all of the related references but the summary indicates ActiveX on XP or server '03. Unless this is a relatively new addition to the AX library of functions you can rest assured that the vulnerability has been exploited since the day the software was shipped.
When you install an OS such as Debian, or LFS, or Ubuntu, or Slack, or RH, or Mandrake, or any of the BSD flavors, you become familiar with the concept of dependencies--either to compile from source or to install a package. Vulnerabilities are no different. Vulnerabilities have dependencies and, once all of the requisite dependencies are in place, then the vulnerability is available. Just as the installer of a source compilation or a package knows exactly when the dependencies are fulfilled and the program is available, so too do the core researchers know almost immediately when the dependencies for a vulnerability have been fulfilled. Oftentimes those who have been writing and maintaining apps for a particular kernel and core set of libraries may even see the possibility for an exploit within their program but think to themselves, "Yeah, that portion could be exploited, but this-and-that-and-these aren't available and an attacker would need to figure out a way to inject executable bytecode into the stack using this hole, if they could get to it, and to do that they would need to know the user's particular kernel and libc, possibly shell and memory configuration, and they can't get that info through this opening." Then, two or three months later, some enormous library conglomerate, possibly within the environmental (gnome/qt/kde/etc) infrastructure becomes available, and _bing_, all of the dependencies to make the vulnerability a viable vector for exploit have been fulfilled.
This has long been the dichotomy between making an OS usable for the general population and maintaining it in a secure fashion. This is why I have always chosen X window managers which have been relatively bare bones (ude/blackbox/e16) and tried to minimize GUI dependency and remain at the shell/CLI interface. Automation and full integration within the OS is good for the general users but it also quickly fills all of the spaces between the lines of security; fulfilling and satisfying all of the dependencies for vulnerabilities. This was my major admonishment even as early as Win95--though at the time I was (and still largely am) ridiculed by those who want to have the features of computer use and appear computer knowledgeable but also want the ease of an OS that demands very little effort of learning from them.
All of that is relatively superficial, obviously, when you take those considerations to full completion. The exact same principle applied ten or twenty years ago. The exploitable software of ten or twenty years ago became solidified and standardized and those functions have now been made to be performed at the hardware level in the bridge chips and bus controllers. Those hackers (and crackers) who were the laser eyed math and logic geeks playing kernel/core wars ten and twenty years ago still know where those exploitable pathways are and, if they can (and believe me, they definitely can) find a way to executable memory from an exploitable codec or your web browser, they can own your executable memory space. They don't own it to bring your system down or to make it unusable, they own it to feed vast databases of information. Information is profiled, stored, categorized, and indexed in much the same way as the "warrantless" wiretapping we heard about several years ago. The government does not put active agents on every line: they screen the line through voice recognition systems which listen for key words and phrases. The
"It's Better with Windows" /snark
The fix installs firefox :o
FWIW, the NSA has nothing to gain by putting in any backdoors in SELinux. In fact, they have everything to lose should their code actually allow an attacker in via some means.
Clarification - Maybe not this one, however: Using ActiveX allows system access
Ever heard the phrase "ActiveX kernel mode"?
1) Your links are worthless and have no basis to support your insane claim.
2) ActiveX can only access the Win32 Kernel, not the NT kernel. Win9x has been dead for 10 years, time for you to realize this.
3) Any other exploit that can 'escalate' via overflow and memory address usage is negated by Vista and Win7 via the protected mode of IE on the OS that cuts the ActiveX ties, and what ActiveX ties still exist for corporate shops that use ActiveX leave IE and the ActiveX process running in a protected low privilege mode.
*As much as saying this will make MS haters gasp:
The safest way to currently browse the internet on any OS and any browser is Vista or Win7 combined with IE7 or IE8, as it is the only solution that fully sandboxes the browser and subsequent plugin/activex controls, and runs in a reduced security mode that can't even access or damage user level files, let alone alter the OS, other processes, or system files.
ASLR also helps add a subsequent level of protection just in case there is a way around all of the above.
So if you are running Vista or Win7, you are subjecting yourself to more possible vulnerabilities by not using IE.
As for your links, ya, we would need a lot more, as they have no reference to what you are trying to prove, because your 'kernel' access myth is just that, myth.
Ya, because you're a twit. None of those can be exploited in a browser. .Net code from a browser is sandboxed by default. The second link requires an administrator to work. The third is an advisory about THE VERY ISSUE WE ARE DISCUSSING HERE.
STFU, troll.
You have to admit that administering a Windows box is so easy anybody can do it. Anybody.
Help stamp out iliturcy.
...use Firefox or Opera!
OMG! I'm a twit AND a Troll. Help! I'm surrounded by Trolls and twits calling me a troll and a twit. All of you ms fanboys defending your activex technology and every month or so, there's security issues being disclosed and attacks in the wild.
http://slashdot.org/comments.pl?sid=1294369&cid=28610069
It used to be called a flame war. Now I guess it's called a troll war. How much are you nitwits getting paid for this?
Get off my lawn!
I say things which affects my Karma negatively. (and I don't care) For instance; All religion is false.
There is already this security mode, it's called running stuff as a different user. The browsers would be running as different (limited/restricted) users.
The operating system enforces the separation. If you find a problem with the separation, then that's a huge bug in the OS. Ever since the 1960/70s users in proper multi-user O/Ses cannot access each others files, data and processes, unless the permissions are explicitly granted.
The browser executables are only writable by the admin/system. So they won't be changed unless there is a "local/remote root" exploit.
The cookies, bookmarks etc are separate and different - since they are browsers on different accounts.
Try it. Create multiple _limited_ users (and reduce their access further if you want).
Give your main account access to the files of those limited users (otherwise you wouldn't be able to access the downloads etc with your main account, or copy in uploads).
Then in your main account create multiple shortcuts with:
C:\WINDOWS\system32\runas.exe /savecred /profile /user:core\_WWW_USER_X "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Replace _WWW_USER_X with the different created users.
Give the shortcuts different icons.
Note that /savecred isn't a big security hole here since you are saving the credentials of limited users that have less access than your main account.
To test: from the browser "open file" or "save as" you'll find that you can't save stuff to your main user account folders or the other browser accounts. Another thing you might notice is that if the browser opens files (pdfs, wmvs, mp3s) the opening application will also be running as the browser user (which is a good thing in security terms).
The usability problem is distinguishing the browser instances from each other since they tend to look the same. But the Links bars and other toolbars will be different. Plus for me one IE instance makes the "click" sound when you click on links, another one doesn't, and then yet another browser instance is running firefox instead.
There are also little things like if you rename files/folders in a File Dialog, the notifications don't get to the browser so it still displays the out of date file list, you'd have to press F5 to explicitly update.
IE7/8 on Vista makes this sort of thing simpler and more accessible to users. That's why despite what the Linux fanatics say, Vista has actually better security than "Desktop Linux" from a technical perspective - no Linux popular distro is configured by default to sandbox browsers using SELinux or AppArmor[1].
Vista sucks in other ways though ;).
Keep in mind this is not bulletproof because there may be things like exploitable bugs in the graphics drivers, but the attackers know there are millions of easier users+systems to attack, so it's unlikely they'd bother using those for now.
[1] This is about as far as OpenSuse has got: http://en.opensuse.org/AppArmored_FireFox
Similar for ubuntu: https://bugs.launchpad.net/ubuntu/+source/firefox-3.5/+bug/382917
Which is nothing in practice.
Here is how to fix a security threat from MS:
Then click Run in the File Download dialog box, and follow the steps in this wizard.
Oh yes, keep teaching your users how to press "run" from the web browser, even on a concept/method which was created in 2009. Let them "run" everything, for easiness. This happens while Apple, vendor of OS X, warns users about .exe files under Safari for OS X!
I know how their simple mind works. Now that a couple of people who don't ignore them have warned about how stupid it is to suggest users run things? They will make the exact same thing in Silverlight, their thing which nobody except them (and a couple of bribed ones) uses. They will say "but this is more secure". Only it will require Silverlight to run.
Any more zero days in pocket for that MS?
So do you have anything substantial to say, other than posting links that are irrelevant, or linking to some other user's belief?
It's not a flame war; you're just trying to spread FUD. I guess Linux fanbois haven't kept up with MS, and are doomed to point out criticisms from the 90s. That's ok, believe what you want. I have a feeling that you're a twit... as is the dumbass /. user twitter. You're just about as informed as he was..
NetAvenger said "The safest way to currently browse the internet on any OS and any browser is Vista or Win7 combined with IE7 or IE8"
I believe you're forgetting something, and I'm sure you forgot this by design, MacOS and Safari. That combination doesn't even require anti-virus (or anti-anything for that matter) to safely browse the net, or use email, view pdfs, etc. And before you go off listing all your comforting reasons WHY Mac/Safari is safer, I'll ask "Who gives a shit WHY? It just is and has been since 2001."
If I didn't have absolutely NOTHING to do, I wouldn't be here.
Not a twit. Don't use twitter. I have over 22 years of experience with MS and I am a recovering MS developer. I know what a piece of crap almost everything MS makes really is. I'm not posting anything else on the subject. Believe what you will. FUD is mastered by MS. Feel free to continue filling MS warehouses with cash if you want, however, I have this bridge...
<parting_shots> Your mother was a hamster and your father smelt of elderberries. Now go away or I shall taunt you further.</parting_shots>
I say things which affects my Karma negatively. (and I don't care) For instance; All religion is false.
That is safer than using Firefox from a Linux LiveCD how? When using a LiveCD even if the OS is breached a reboot puts you right back where you were without any infection that might have occurred.
When using a LiveCD even if the OS is breached a reboot puts you right back where you were without any infection that might have occurred
Well you make a good point if you want to play 'gotcha'. However, you forget that the default model that Windows works with, offers these features inherently without having to run the OS from a write protected image.
With NTFS's copy on write features and journalling, the OS and volume can be rolled back, which means you don't have to run from a non-write OS construct and still get the same level of protection.
THE IMPORTANT thing you are missing is that your CD solution can be technically compromised so that any applications you have running could be handing off data to a bot or spyware or a website, as the browser is running at the USER level, and has access to all the USER data to give out.
So sure, on reboot it cleans itself up, but while running, everything you do in theory could be sending and compromising all user data and applications.
If you think process isolation on Linux is 'better', remember that XWindows runs at ROOT, so there are several good ways to use a browser or any application with USER security to gain access to XWindows and be able to intercept and send back your keystrokes and other data that goes through the XWindows protocol all the time your machine is up. Heck, flipping out the data captured can be hidden in basic HTTP, and not flagged by your firewall.
So you can get back to a clean install easily - but then remember that even if you discount the snapshot abilities, with Windows you can still do a VHD or other technology and reimage on every boot seamlessly.
So a clean install every boot, just like your solution.
The best protection is to move network level applications to reduced security modes, and doing this with IE in Vista and Win7 is a major step forward that shouldn't be discounted.