Slashdot Mirror


Attacks Against Unpatched Microsoft Bug Multiply

CWmike writes "Attacks exploiting the latest Microsoft vulnerability are quickly ramping up in quantity and intensity, several security companies warned today as they rang alarms about the developing threat. Symantec, Sunbelt Software, and SANS' Internet Storm Center bumped up their warnings yesterday after Microsoft announced that attackers were exploiting a bug in an ActiveX control used by IE to display Excel spreadsheets. There is no patch for the vulnerability; Microsoft didn't release one in today's Patch Tuesday. A temporary fix that sets the 'kill bits' of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection. Symantec raised its ThreatCon ranking to the second of four steps. "We're seeing it exploited, but currently on a limited scale," said Symantec's Ben Greenbaum. Sunbelt also bumped up its ranking, to high." Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.
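The kill-bit workaround mentioned in the summary is a per-control registry setting: a `Compatibility Flags` DWORD with bit 0x400 set under IE's `ActiveX Compatibility` key. The following is an added example, not from the article or from Microsoft, that audits a `reg export` text dump for that bit; the function names and the CLSIDs are placeholders, since the page does not give the control's identifiers.

```python
import re

# "Compatibility Flags" bit that tells Internet Explorer not to instantiate a control.
KILL_BIT = 0x00000400
COMPAT_KEY = r"\Internet Explorer\ActiveX Compatibility"

# Constructed sample in `reg export` text form. The CLSIDs are placeholders,
# not the identifiers of the affected control (the page does not list them).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000AA}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000BB}]
"Compatibility Flags"=dword:00000000
"""


def parse_compat_flags(export_text):
    """Map each CLSID subkey (upper-cased, braces kept) to its Compatibility Flags value."""
    flags, clsid = {}, None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # New key header: keep it only if it is a {CLSID} under ActiveX Compatibility.
            parent, _, leaf = line[1:-1].rpartition("\\")
            in_scope = parent.lower().endswith(COMPAT_KEY.lower())
            clsid = leaf.upper() if in_scope and leaf.startswith("{") else None
            if clsid:
                flags.setdefault(clsid, 0)  # key exists but may carry no flags value
            continue
        # Registry value names are case-insensitive.
        m = re.fullmatch(r'"compatibility flags"=dword:([0-9a-f]{8})', line, re.IGNORECASE)
        if m and clsid:
            flags[clsid] = int(m.group(1), 16)
    return flags


def audit(export_text, required_clsids):
    """Report, per required CLSID, whether the kill bit is actually in effect."""
    flags = parse_compat_flags(export_text)
    report = {}
    for wanted in required_clsids:
        wanted = wanted.upper()
        if wanted not in flags:
            report[wanted] = "missing"
        elif flags[wanted] & KILL_BIT:
            report[wanted] = "killed"
        else:
            report[wanted] = "not-killed"
    return report


if __name__ == "__main__":
    placeholders = [
        "{00000000-0000-0000-0000-0000000000AA}",
        "{00000000-0000-0000-0000-0000000000BB}",
        "{00000000-0000-0000-0000-0000000000CC}",
    ]
    for clsid, state in audit(SAMPLE_EXPORT, placeholders).items():
        print(clsid, state)
```
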

122 comments

  1. server side scanning by gad_zuki! · · Score: 5, Insightful

    Why don't web hosts scan for hosted vulnerabilities? I imagine a nightly clamav scan by web hosts would make all the difference in cases like these where there is no patch yet but there is a web-based exploit. Heck, some users don't even patch, as was shown by Conficker, which was patched in October and spread like wildfire in January.

    1. Re:server side scanning by koreaman · · Score: 4, Informative

      You have a good point, but are you sure web sites are actually legally entitled to inspect what people are paying them to put on their servers?

      If so, probably just a case of lazy and/or clueless administrators.

    2. Re:server side scanning by Anonymous Coward · · Score: 0

      Why don't web sites stop intentionally hosted vulnerabilities? I imagine web hosts not run by scumbags would make all the difference in cases like these where there is no patch yet but there is a web-based exploit.

    3. Re:server side scanning by WheelDweller · · Score: 1, Interesting

      Hey, sure. We flush-n-fill workstations, planet wide in corporate offices. Ya know, maybe we could make friends with aliens and have THEM also scan our computers.

      OR WE COULD JUST USE SOMETHING LESS FRAGILE.

      Look at the risk; we're always hearing of people losing thousands of dollars, spending most of a decade trying to get it back. TWO MILLION active viruses and another 100,000 every month for the last decade.

      Where else do you go buy a product, and then *immediately* buy someone else's product to ensure it makes it through the day? Did you ever buy that thing again?

      Yeah, all computers have exploits. Only one manufacturer is installing an express lane.

      And no, when Linux machines get larger, they probably won't have viruses, because the people who program it won't abide their existence to sell support contracts.

      And it won't take more installed systems- there have been more Linux machines than Macs for like, five years now. (Reported here, iirc)

      It can't get much simpler; it can't get much stronger. Why on Earth would anyone presume it faulty, just because it's not identical?

      Wake up, people! How many stories like this do we have to read?!?!?!!

      --
      --- For a good time mail uce@ftc.gov
    4. Re:server side scanning by Anonymous Coward · · Score: 0

      ClamAV has the worst detection rates of any of the available antivirus programs, whether free or pay. It certainly won't detect a 0-day vulnerability.

    5. Re:server side scanning by PitaBred · · Score: 3, Insightful

      Why wouldn't you be able to? Unless you signed some agreement otherwise, or are trying for common carrier status, there's no reason you can't. There's no law against not allowing unwanted advertising to appear on your property. If a Christian site didn't want porn ads, they are not required to carry them because they carry other ads.

    6. Re:server side scanning by Anonymous Coward · · Score: 0

      Well, shouldn't we expect M$ to produce reliable and safe software to start with?
      Looks like M$ is making a very good case for the whole world to move to OpenOffice....

    7. Re:server side scanning by Cstryon · · Score: 3, Informative

      I agree that if there is a company that always has faulty products, that people would stop buying products from them. But nobody has stopped using windows (In this case the problem is IE, activex yada yada) because it generally works in most cases, for what people want it for.

      I used to do tech support in a call center. The company I worked for made networking hardware, so the internet service that packaged our products the most, hired us to also do tech support for the customers with our products. Literally, my boss, his boss, as far up the chain at this company I could see, were a bunch of geeks ( we used to have prizes for good performances, that included the WoW expansion). What did they all use? What was working for our customers when it came to our products? What did our quality control guys, and the guys who lay out the plans for these products test them on? Windows.
      Some of our Networking hardware would work on linux, sometimes we would write drivers for linux, but when I would go and speak to the guys that had to write the software, they hated the linux part. (Of course the major bullet point here is that not everyone believes Linux to be as practical as you do.)

      So it's a double edged sword, if linux becomes popular, that would be cool! But once it becomes popular, any vulnerability, will be exploited.

      --
      Indoctrinate : to instruct especially in fundamentals or rudiments Educate : to develop mentally, morally, or aestheti
    8. Re:server side scanning by Stan+Vassilev · · Score: 4, Insightful

      You have a good point, but are you sure web sites are actually legally entitled to inspect what people are paying them to put on their servers?

      If you read the small print in the ToS you'll see they entitle themselves to doing anything they could imagine. Even if it was not in the ToS, adding it in there is trivial.

      The reason they don't do it is one of pure economy. Integrating and running antivirus programs daily on a server is not free. It slows down the server (so they can pack less sites per server), it means license/support contracts (even if the basic software is free), means the staff spending time on integrating and supporting this feature.

      At the same time, browser exploits are simply small static files that don't affect or abuse the server in question in any significant way. If they scan, it would be just to protect the site visitors, which are not a party that matters to web host providers. So, unless site owners decide they would rather take their business with a host who scans, the hosts have no interest to implement this.

    9. Re:server side scanning by causality · · Score: 1

      Why don't web hosts scan for hosted vulnerabilities? I imagine a nightly clamav scan by web hosts would make all the difference in cases like these where there is no patch yet but there is a web-based exploit. Heck, some users don't even patch, as was shown by Conficker, which was patched in October and spread like wildfire in January.

      Perhaps they realize that doing so would be damage control, not security? That's if you're using a malware scanner like clamav.

      If they were to scan with something, there are more useful ways. They could scan their hosted systems with something like nessus. That would stand a chance of finding vulnerabilities and identifying what is exploitable so that they may be fixed. That actually would improve security, which is mostly prevention. Then there would be fewer opportunities for malware to infect the machines in the first place.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    10. Re:server side scanning by hairyfeet · · Score: 1, Flamebait

      I probably shouldn't feed the troll, and I'll probably get flamed, but what the hell I'm bored. You wanna know why Linux can be more secure than Fort Knox and nobody wants it? Do you really want to know? It is actually very simple-It is because Linux is a GIANT PITA and its UI SUCKS! That's why!

      It doesn't matter how damned good your Linux security is if only geeks can use the damned thing. After all, I can lock a Windows box in a safe and bury it and it'll be safe too, it will be about as usable to home users as Linux is. I'm not trying to flame here, I personally hope someone will come along and do for Linux what Steve Jobs did with BSD, I just ain't seen it yet. Example-I had someone here the other day actually seriously arguing that Sudo equaled "Runas" because Sudo "lets you do things the GUI designers never thought of". Now honestly how many home users have sat there and thought "You know, I just need more power than these GUI designers gave me" Answer-NEVER!

      It is really not that hard Linux guys, just repeat after me- Home users will NEVER EVER use CLI! Got that? It bears repeating so I will- Home users will NEVER EVER use CLI! In the fifteen years I've been working on Windows boxes I can count the # of times I have had to go CLI on one hand with fingers left over. When was the last time you opened Bash? Probably this week if not this very day. Problem in Windows? GUI solution. Mac? GUI solution. Linux? "Open up bash and type" which you should follow with "you know what, get someone to put Windows on your machine because this OS sucks" because that is exactly what the home users are thinking!

      The reason MSFT now owns the Netbook market, with a decade old OS to your brand new Linux, isn't some plot and the sooner you accept it the better. It is because the GUI in 10 year old XP works better than the 2009 GUI in Linux. Why? Because the groups paying the big bucks for development, like Oracle and Red Hat only care about SERVERS, and servers are faster and easier to manage from CLI. Server guys like CLI, Geeks like CLI, Home users hate it with a passion, okay? Is that really so hard? I don't care if you think Bash is the second coming, until the Linux community accepts the fact that CLI MUST DIE, don't be surprised when people would rather deal with malware than your OS. I'm sorry, that is just the way things are.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    11. Re:server side scanning by EvilIdler · · Score: 3, Insightful

      How are web hosts going to handle dangerous files they find, if they start searching the users' stuff? That upload of the latest Conficker might not be malicious (user rents serverspace to host virus/trojan/worm research), the upload might be referenced in a database by the CMS (whoops, it's gone - does the user know how to fix the now-apparent bug in the CMS' filehandling?).

      How does a virus scanner even know if the file is visible to the outside world? You have .htaccess files, scripts which may or may not display the files in an index (and it doesn't have to be anywhere near the same directory) and non-Apache/IIS systems which serve up content based on Python, Java or whatever.

      Lots of issues with automated scanning/removal before you even start to consider the processing power to scan. Although that could be handled by having a reasonably beefy cluster of pure file servers which the web servers get their user directories from.

    12. Re:server side scanning by Anonymous Coward · · Score: 0

      I probably shouldn't feed the troll, ..says the bigger troll with a side of flamebait.

    13. Re:server side scanning by marsu_k · · Score: 1

      The reason MSFT now owns the Netbook market, with a decade old OS to your brand new Linux, isn't some plot and the sooner you accept it the better. It is because the GUI in 10 year old XP works better than the 2009 GUI in Linux.

      To each his own I guess, this netbook came with XP preinstalled and I quickly replaced it with Eeebuntu; XP isn't really suited for small displays in my opinion. And the performance is much better, wifi was somehow really unstable under XP. And no, up to this point (and I reckon I have done much more with this puter than the average user ever will) I've never done anything that couldn't have been done via the GUI; however CLI is much more convenient if you know how to use it. Actually a usable shell is one of the major things missing from XP.

    14. Re:server side scanning by MrCrassic · · Score: 1

      That's not what he meant. He was referring to web administrators implementing server-side scanning to prevent patches from being *spread* to the users.

    15. Re:server side scanning by Killjoy_NL · · Score: 2, Informative

      I use the CLI in XP quite often, sometimes it's just a lot easier and faster and more versatile than the gui option.

      And now there's Powershell for XP, that's the new and improved CLI if I'm not mistaken, haven't used it yet though.

      --
      This is the sig that says NI (again)
    16. Re:server side scanning by Anonymous Coward · · Score: 0

      How are web hosts going to handle dangerous files they find, if they start searching the users' stuff?

      Easy!

      First, scans run and results go to a database. Any changes (Or additions at least) are flagged as 'new', and an email is generated and sent to the website owner.
      The next day's results go to a database, and the ones already warned on are ignored.

      Second, the website in question is flagged in the hosting provider's support ticket software.
      If there are enough complaints about a website infecting others that are sent in, cross referencing them with the scan results would lead to better handling of the situation, which could be hosting provider, or even per customer specific.

      An example would be,
      - A website gets 1-2 complaints a year, and no scan results. No need to invest much time and money on those.
      - A website gets many many complaints that appear worded similarly but scan results show otherwise. Good time to side with the hosting customer.
      - A site scan results show many 'bad' files, but no complaints. No need to waste time and money on these either (but good to know they are there)
      - A site both gets lots of complaints, and there are scan results. Customer responds to emails and cleans things up in a timely manner, just simply does not have the knowledge to keep his/her website clean. We can cut these people a break. They are trying, and just out of their element.
      - A site both gets lots of complaints, and there are lots of scan results over the past few months, none of which got any reply from the site owner. Escalate the problem up the abuse department chain just like normal, potentially with disabling the website in question until the owner cares enough to read their email or return the hosting company's calls.

      You can adjust the thresholds and responses to add or remove as much draconian responses as you desire.
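The scan-and-complaint workflow described in the comment above, sketched as an added example that is not part of the original thread. The `ScanLedger` class, the action names and both thresholds are assumptions; the comment leaves the thresholds to the hosting provider.

```python
from dataclasses import dataclass, field

# Assumed thresholds; the comment leaves tuning to the hosting provider.
MANY_COMPLAINTS = 5   # complaints in the review window that count as "lots"
MANY_FINDINGS = 1     # flagged files that count as "scan results"


@dataclass
class Site:
    owner_email: str
    warned: set = field(default_factory=set)    # findings already mailed to the owner
    current: set = field(default_factory=set)   # findings present in the latest scan
    complaints: int = 0
    owner_replied: bool = False


class ScanLedger:
    """Hypothetical store for nightly scan results and abuse complaints."""

    def __init__(self):
        self.sites = {}
        self.outbox = []   # (owner_email, new_findings); stand-in for real mail

    def add_site(self, name, owner_email):
        self.sites[name] = Site(owner_email)

    def record_scan(self, name, findings):
        """Store tonight's (path, signature) findings; mail only the unseen ones."""
        site = self.sites[name]
        site.current = set(findings)
        new = sorted(site.current - site.warned)
        if new:
            site.warned.update(new)
            self.outbox.append((site.owner_email, new))
        return new

    def record_complaint(self, name):
        self.sites[name].complaints += 1

    def triage(self, name):
        """Cross-reference complaints with scan results, following the five cases."""
        site = self.sites[name]
        lots_of_complaints = site.complaints >= MANY_COMPLAINTS
        has_findings = len(site.current) >= MANY_FINDINGS
        if lots_of_complaints and has_findings:
            # Responsive owners get time to clean up; silent ones go to abuse.
            return "give-owner-time" if site.owner_replied else "escalate-to-abuse"
        if lots_of_complaints:
            return "side-with-customer"   # complaints not backed by scan results
        if has_findings:
            return "log-only"             # bad files, but nobody is complaining
        return "no-action"


if __name__ == "__main__":
    ledger = ScanLedger()
    ledger.add_site("a.example", "owner@a.example")
    # Constructed findings: (path, scanner signature name).
    ledger.record_scan("a.example", [("/www/x.html", "Constructed.Sig.1")])
    print(ledger.triage("a.example"))
```
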

    17. Re:server side scanning by hairyfeet · · Score: 1

      Yep, how dare I point out the Linux emperor has no clothes! Tell you what, I'm gonna use my incredible psychic powers and predict the future, and you come back here in a year and you will see it has become 100% true! ready? Windows 7 breaks all kinds of records and becomes the next XP, meanwhile Linux struggles to get to 3% while Mac gains a good 5, hell maybe even 10%!

      Now why would that be? Because when users said "Vista sucks!" Microsoft listened. Steve Jobs keeps a whole crew of highly skilled designers in his own little dream factory whose whole job is to make the best damned GUIs that they possibly can. And your answer? "it's much easier to do mass deletions of files using wild cards and remove directory trees from the command prompt." yes, because that is something the home users is really gonna use, lots of wildcards at the CLI.....NOT!

      But of course you simply refuse to accept that the market has spoken and just like with Vista the users have proclaimed "Linux sucks" but instead of actually listening to your customers and trying to fix those problems you insist on ramming CLI down their throats whether they like it or not! The simple fact is nobody wanted the Linux Netbooks if they could get XP on them. Just a couple of weeks back Woot! had both the Linux and XP EEE on sale. The XP one sold out in an hour-Even after lowering the price of the Linux one by $50 they never did get it to sell out. Why? Did MSFT buy up all the XP ones? Nope, the people have spoken and you simply refuse to hear them.

      Why is it so damned hard for you to accept that the vast majority don't want a damned thing to do with CLI? Why do you insist on jamming a technology they consider inferior to a GUI down their throats? Linux has a top notch security model, it also interconnects to the cloud like nothing else. If you would simply accept the fact that CLI MUST DIE in five years Linux could easily overtake Mac and be well on their way to making MSFT crap their pants with fear. Would you really give up the entire market so you can hang onto your precious bash? Really? Because whether the Linux fanboys like it or not, that is EXACTLY what has happened and will continue to happen. So you can hang onto your Bash and talk about Powershell(which I have yet to see in the wild on any computer not owned by someone with a tech degree) while people choose an inferior security model simply because it has a better GUI. Your choice.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    18. Re:server side scanning by andreyvul · · Score: 1

      PowerShell uses cmd.exe as its frontend. Which means NO unicode support whatsoever (like Finale :( ) ... unlike bash on gnome-terminal, which is simply awesome

      --
      proud caffeine whore
    19. Re:server side scanning by sjames · · Score: 1

      If so, probably just a case of lazy and/or clueless administrators.

      More likely, since web hosting has been a race to the bottom for several years now, they just aren't interested in anything that would even slightly increase the cost of providing service. At $10/month or less, it takes less than 10 minutes a month of required intervention to render an account unprofitable.

  2. Firefox 3.5? by HTH+NE1 · · Score: 4, Funny

    Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.

    Well, I guess I'm safe. At my workplace, my Redhat 9 installation is incapable of running any version newer than Firefox 2.0.0.20.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    1. Re:Firefox 3.5? by Runaway1956 · · Score: 1

      "Firefox users can't be too complacent;"

      Complacency is the mother of mothers.......

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    2. Re:Firefox 3.5? by butalearner · · Score: 2, Insightful

      Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.

      Well, I guess I'm safe. At my workplace, my Redhat 9 installation is incapable of running any version newer than Firefox 2.0.0.20.

      That, and the fact that there are no exploits for the Firefox vulnerability in the wild. The two pieces of news are hardly comparable. Seriously, this is like reporting a string of car thefts exploiting a defect in Ford's keyless entry systems and ending the story by reminding Chevy drivers that their vehicles can be broken into with a sledgehammer.

    3. Re:Firefox 3.5? by Anonymous Coward · · Score: 5, Insightful

      That, and the fact that there are no exploits for the Firefox vulnerability in the wild. The two pieces of news are hardly comparable. Seriously, this is like reporting a string of car thefts exploiting a defect in Ford's keyless entry systems and ending the story by reminding Chevy drivers that their vehicles can be broken into with a sledgehammer.

      False analogy. Better analogy:

          It's like reporting a string of car thefts exploiting a defect in Ford's keyless entry systems and ending the story by reminding Chevy drivers that their keyless entry system is also flawed but luckily since fewer people drive Chevys (and Ford drivers are usually foolish enough to park their car in front of a big warehouse with a sign that says "Not a chop shop") no one's bothered to learn how to break in to a Chevy yet.

    4. Re:Firefox 3.5? by recoiledsnake · · Score: 4, Insightful

      Wrong. The details are public and exploits could be happening in the wild. How do you know they're not?

      From http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html

      Instructions showing hackers how to exploit an unpatched, critical security hole in Mozilla's new Firefox 3.5 Web browser have been posted online.

      --
      This space for rent.
    5. Re:Firefox 3.5? by Kozz · · Score: 1

      Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.

      Well, I guess I'm safe. At my workplace, my Redhat 9 installation is incapable of running any version newer than Firefox 2.0.0.20.

      Redhat 9?? You're lucky...

      [/mpython]

      --
      I only post comments when someone on the internet is wrong.
    6. Re:Firefox 3.5? by Cstryon · · Score: 2, Funny

      It's the same as the cool kid in high school. Popularity also means more people will hate him, or exploit his keyless entry, or the bug in his active x controllers.

      --
      Indoctrinate : to instruct especially in fundamentals or rudiments Educate : to develop mentally, morally, or aestheti
    7. Re:Firefox 3.5? by Vu1turEMaN · · Score: 1

      You're in luck!

      Seeing as how it's related to the font html tag, I bet it's backwards compatible a few versions!

    8. Re:Firefox 3.5? by Mozk · · Score: 1

      Popularity also means more people will hate him, or exploit his keyless entry, or the bug in his active x controllers.

      But what is he uses passive x controllers?

      --
      No existe.
    9. Re:Firefox 3.5? by Mozk · · Score: 1

      If, not is.

      --
      No existe.
    10. Re:Firefox 3.5? by CarpetShark · · Score: 1

      It's like reporting a string of car thefts exploiting a defect in Ford's keyless entry systems and ending the story by reminding Chevy drivers that their keyless entry system is also flawed but luckily since fewer people drive Chevys (and Ford drivers are usually foolish enough to park their car in front of a big warehouse with a sign that says "Not a chop shop") no one's bothered to learn how to break in to a Chevy yet.

      Yeah, except for that whole thing being an unsubstantiated claim that was first promoted by the news anchors, of all people, on the Microsoft-owned MSNBC channel.

    11. Re:Firefox 3.5? by ArsenneLupin · · Score: 1

      But what is he uses passive x controllers?

      Easy: Then hax0rs will insert their active probes into his passive security hole, especially after he dropped his canned aire can in the computer cleaning facilities.

    12. Re:Firefox 3.5? by CompMD · · Score: 1

      Sweet. I'm rocking out with Firefox 2.0.0.14 on my FC8 box right now. At least flash doesn't crash it, which really annoys the "gotta have the latest" version fanbois. I can leave Pandora running in one window, and have another open with a whole bunch of tabs, watch YouTube, and never worry about it crashing.

    13. Re:Firefox 3.5? by Super_Z · · Score: 1

      So you are actually claiming that more people use Office Web Components than Firefox? Do you have any references to back up your claim?

  3. Firefox 3.5 is turning into a disaster by Anonymous Coward · · Score: 0, Offtopic

    remote exploitable security problems, very slow startup on windows, creating havoc with antiviruses, maxing out CPU problems

    it's a bad week for 3.5
    3.11 is safe for now (I'll take the mem leaks over exploits and a slow startup)

    what happened ? did the Mozdev team rush it to satisfy the fanboys and bigger-version-number-must-be-better crowd ?

    let's hope these problems get fixed ASAP because I can't recommend it to clients when they come back to me complaining with these problems (doesn't make us look good) what's left ?

    A

    1. Re:Firefox 3.5 is turning into a disaster by Anonymous Coward · · Score: 0

      Does 3.11 run on 3.11?

      Shouldn't the next Firefox have been Firefox 95?

  4. Ohh noes.... by Kral_Blbec · · Score: 1, Troll

    A vulnerability to opening an Excel sheet in IE? How many people do that on a regular basis? How many EVER do it? I don't think I can remember having ever tried to nor needing to. How is this newsworthy?

    1. Re:Ohh noes.... by erroneus · · Score: 5, Interesting

      Apparently, a lot given that the attacks are becoming more intense and frequent.

      My guess is that when Office installs, various ActiveX controls are linked into the OS and by extension, the web browser MSIE. But there are lots of places where this should never have happened.

      1. ActiveX has been proven time and time again to be a very bad idea. It is not sandboxed. There is no way to keep it away from the rest of the OS.
      2. The web browser's integration with the OS. Not only has it been ruled illegal by various nations' antitrust courts, but any exploit of the browser also exploits the OS by extension.

    2. Re:Ohh noes.... by Culture20 · · Score: 1

      A vulnerability to opening an Excel sheet in IE? How many people do that on a regular basis? How many EVER do it? I don't think I can remember having ever tried to nor needing to. How is this newsworthy?

      All it takes is a link to http://example.com/NUDE_PICS_CELEBNAME.xls

    3. Re:Ohh noes.... by sc0ob5 · · Score: 4, Informative

      You'd be surprised how many people do it. In fact so many people do it where I work that I put a reghack in the logon script to make it so that all XLS files are opened with excel and not IE.

      "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Excel.Sheet.8\BrowserFlags",00000008,"REG_DWORD"

      I didn't put it in place for this vulnerability though, just because a lot of people use macros and don't know how to save as.

    4. Re:Ohh noes.... by TheNarrator · · Score: 1, Informative

      Without an unsandboxed version of the win32 api, which is what ActiveX is, they would be unable to deny the ability to use the internet to those without a recent version of windows and office.

    5. Re:Ohh noes.... by Kral_Blbec · · Score: 1

      Wouldn't that be the patch that doesn't exist then?

    6. Re:Ohh noes.... by Anonymous Coward · · Score: 0

      That's great (and makes it more functional) although your users shouldn't be running as admin like they have to be in order for that to work in a logon script (bad security idea giving everyone admin).
       
      Anyway, that isn't the same thing as the Office Web Components which is the ActiveX control with the vulnerability. That browserflag setting will absolutely NOT protect folks from the vulnerability if they have the Office Web Components installed.

    7. Re:Ohh noes.... by sc0ob5 · · Score: 3, Informative

      My users don't have admin rights, elevated privileges via the logon script.

      You are totally correct in saying that Office Web components won't be affected, I was just replying to the previous poster. Still anyone worth their weight as an admin wouldn't install Office Web components on anything.

    8. Re:Ohh noes.... by thePowerOfGrayskull · · Score: 1

      Hey, there were no nude pics there! I wanna see my dancing bunnies!

    9. Re:Ohh noes.... by OverZealous.com · · Score: 5, Funny

      Without an unsandboxed version of the win32 api, which is what ActiveX is, they would be unable to deny the ability to use the internet to those without a recent version of windows and office.

      My head didn't stay unexploded while I wasn't unreading this unstatement.

    10. Re:Ohh noes.... by xanadu-xtroot.com · · Score: 1

      anyone worth their weight as an admin wouldn't install Office Web components on anything.

      Unless the PHBs think that it's Super Cool to embed Excel Sheets and .PPTs in SharePoint's webpages...

      --
      I'm not a prophet or a stone-age man,
      I'm just a mortal with potential of a super man.
    11. Re:Ohh noes.... by Anonymous Coward · · Score: 0

      A vulnerability to opening an Excel sheet in IE? How many people do that on a regular basis? How many EVER do it? I don't think I can remember having ever tried to nor needing to. How is this newsworthy?

      I saw a user do it the other day. He had to close it out so we could open the file in Excel as was anticipated. It came as a shock to myself (I don't recall the behavior from back in my Excel 97/IE2-6 days). Now my ".xls" files on the web open in OpenOffice Spreadsheet. It is just stupid MSFT doing stuff and integrating shit without a care in the world.

    12. Re:Ohh noes.... by Vu1turEMaN · · Score: 1

      Eh, they don't even need elevated privileges :)

    13. Re:Ohh noes.... by IntlHarvester · · Score: 1

      A vulnerability to opening an Excel sheet in IE? How many people do that on a regular basis? How many EVER do it? I don't think I can remember having ever tried to nor needing to. How is this newsworthy?

      I think you misunderstand how this works. Hackers can craft a special page which calls the control, which means anyone with Office installed on their system is vulnerable.

      Also as an AC pointed out, it's not really in "Excel", it's in "Office Web Components" which are mini-applications specifically designed to be included in (intranet) web pages.

      --
      Business. Numbers. Money. People. Computer World.
    14. Re:Ohh noes.... by sc0ob5 · · Score: 1

      I thought they had to at least be power user.. may be mistaken, haven't looked at it in years.

    15. Re:Ohh noes.... by upuv · · Score: 2, Funny

      I'm a little more militant in my opinion of ActiveX.

      Dumbest idea EVER. Microsoft has tossed more money down this sinkhole of a technology trying to fill the hole. People, Companies and governments have tossed even more down the same hole fixing issues that directly arise from some ActiveX bug.

      How much further along would Microsoft have been if they had just passed over this DUMB marketing idea anyway. ( It had to come from marketing, it must have, really who else could be this dumb. )

      What, it's been a decade of disaster when it comes to ActiveX issues.

      Guys it's a bad idea. It's lame, take it out back and shoot it. Just say out loud, "We are sorry, this will never be in another one of our products after this point."

      However it has made a lot of my product buying decisions over the years a lot easier. I ask the sales nerd. "Does this product make use of ActiveX in any way? I mean even as an optional addon?". If I get the reply, "Yes", or "We are building ActiveX into the next version.". I simply end the meeting and escort them to the door and give them a complimentary donut. ( I'm getting a bit like that when the caffeinated hyper English sales guy screams, web2.0 AJAX twitter in my face when he's only talking about the product packaging. )

      Back to ActiveX. Again I say, DUMBEST IDEA EVER!

      Sorry I take that back. Sub-Prime Mortgages, that's the dumbest idea ever. We'll give you money at a loss, not really check your credit, and expect you to be able to repay at an insane rate in 3-5 years time. Now that's a DUMB idea.

    16. Re:Ohh noes.... by upuv · · Score: 2, Interesting

      When someone sends me the "Oh please check out my super duper cool Share point embedded Office power point blah blah blah" very important link. I respond.

      Sorry Doesn't load on my iPhone.

      ( I don't really own an iPhone. But iPhone makes them go "Oh crap, iPhones are cooler than this. I'd better re-do it so iPhones can view it." )

      After that it tends to be de-Microsoft'd enough for me to feel comfortable opening the link.

    17. Re:Ohh noes.... by Anonymous Coward · · Score: 0

      A vulnerability to opening an Excel sheet in IE? How many people do that on a regular basis? How many EVER do it? I don't think I can remember having ever tried to nor needing to. How is this newsworthy?

      You've missed the point. Just because people don't do this normally/at all doesn't mean they can't be tricked into doing it easily in this case. Any link you click on can present itself (as far as most people who don't inspect the destination are concerned) as anything it wants. You could click on the dancing monkey or whatever and have it trigger the opening of a spreadsheet with this exploit in it. All you need is to have Excel installed.

    18. Re:Ohh noes.... by just_another_sean · · Score: 1

      That's unpossible!

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    19. Re:Ohh noes.... by L4t3r4lu5 · · Score: 2, Insightful
      It doesn't even parse correctly:

      Without an unsandboxed version of the win32 api, which is what ActiveX is, they would be unable to deny the ability to use the internet to those without a recent version of windows and office.

      With a sandboxed version of the win32 api, which is what ActiveX is, they would be able to allow the ability to deny the internet to those with a recent version of windows and office.

      To paraphrase: "IE plugins from Office won't work without Win32 API running with increased privileges"

      Took me a while to work it out, though.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    20. Re:Ohh noes.... by cenc · · Score: 1

      Not if you sell the loan to some other sucker.

    21. Re:Ohh noes.... by sc0ob5 · · Score: 1
      I actually tend to use something like this rather than change ACLs:

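      ' Shell object used to launch runas and to send keystrokes
      Set oShell = WScript.CreateObject("WScript.Shell")
      Set objFSO = CreateObject("Scripting.FileSystemObject")

      ' Copy the script from the network share to a local path
      objFSO.CopyFile "u:\scripts\test.vbs", "C:\temp\test.vbs"

      ' Start the local copy under the domain administrator account
      oShell.Run "runas /noprofile /user:domain\administrator ""%windir%\system32\cmd.exe /C wscript c:\temp\test.vbs"""

      ' Wait for the runas password prompt, then type the password ("~" sends Enter)
      WScript.Sleep 100
      oShell.SendKeys "password~"

      WScript.Quit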

  5. Microsoft is crap by Anonymous Coward · · Score: 0, Funny

    Mod me up, cause I talked bad about Microsoft. It's the Slashdot way and you must stick with the Slashdot norms otherwise you'll look like a complete asshole.

    1. Re:Microsoft is crap by PitaBred · · Score: 2, Funny

      You type really well for throwing chairs at the keyboard, Steve

  6. It's about time... by whowantscream · · Score: 2, Funny

    Someone finally found a hole in a Microsoft application using a Microsoft framework opening a Microsoft application!

    --
    Nobody? OK no cream.
    1. Re:It's about time... by ciderVisor · · Score: 2, Funny

      Yo dawg, I heard you liked ActiveX, so I put some Excel in your Excel so you could get exploited while you were getting exploited.

      --
      Squirrel!
  7. kill bits by HTH+NE1 · · Score: 5, Informative

    A temporary fix that sets the 'kill bits' of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection.

    Well, Computer World (and CWmike in particular), perhaps more users would take advantage of the protection if you would provide them a link telling them how when you first mention it rather than wait until the end of the article where they may not associate it as being the aforementioned solution.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    1. Re:kill bits by Anonymous Coward · · Score: 0

      The workaround was released as a security update

    2. Re:kill bits by Anonymous Coward · · Score: 0

      Actually the workaround is released as a security update, and pushed via Windows Update

    3. Re:kill bits by Anonymous Coward · · Score: 0

      Much better fix: use "Administrator Approved Controls" to whitelist the ActiveX controls that can run in IE. When yet another bug is found in some random ActiveX control (of which there are thousands in a typical Windows install) you can shrug your shoulders.
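
The "kill bit" discussed in this sub-thread is the 0x400 bit of the `Compatibility Flags` DWORD under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`, with a second copy under `Wow6432Node` for 32-bit IE on 64-bit Windows. As an added example (not from the thread, the article, or Microsoft), this Python code audits a `reg export` dump and reports the registry views in which a control is still loadable. The CLSIDs and the sample export are constructed placeholders, since the page does not give the real ones.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit: IE must never instantiate the control

# Registry views to check: native, and the 32-bit view on 64-bit Windows.
COMPAT_ROOTS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
)

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{1,8})$', re.IGNORECASE)

# Constructed sample export with placeholder CLSIDs (decode real exports from UTF-16 first).
CLSID_A = "{00000000-0000-0000-0000-00000000000A}"  # killed in both views
CLSID_B = "{00000000-0000-0000-0000-00000000000B}"  # killed natively only
CLSID_C = "{00000000-0000-0000-0000-00000000000C}"  # key exists, flag cleared
CLSID_D = "{00000000-0000-0000-0000-00000000000D}"  # no key at all
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000a}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000B}]
"Compatibility Flags"=dword:00000420

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000C}]
"Compatibility Flags"=dword:00000000
"""


def parse_compat_flags(reg_text):
    """Return {(root, CLSID): flags} for each ActiveX Compatibility subkey in the export."""
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = None
            key = key_match.group(1)
            for root in COMPAT_ROOTS:
                prefix = root.lower() + "\\"
                if key.lower().startswith(prefix):
                    clsid = key[len(prefix):].upper()  # registry keys are case-insensitive
                    if "\\" not in clsid:
                        current = (root, clsid)
                        flags.setdefault(current, 0)  # key present, value possibly absent
            continue
        value_match = DWORD_RE.match(line)
        if value_match and current:
            flags[current] = int(value_match.group(1), 16)
    return flags


def audit(reg_text, clsids, wow64=True):
    """Map each CLSID to the registry views where its kill bit is NOT set."""
    flags = parse_compat_flags(reg_text)
    roots = COMPAT_ROOTS if wow64 else COMPAT_ROOTS[:1]
    report = {}
    for clsid in clsids:
        clsid = clsid.upper()
        # Test the bit rather than equality: other compatibility bits may also be set.
        report[clsid] = [r for r in roots if not flags.get((r, clsid), 0) & KILL_BIT]
    return report


if __name__ == "__main__":
    for clsid, exposed in audit(SAMPLE_REG, [CLSID_A, CLSID_B, CLSID_C, CLSID_D]).items():
        print(clsid, "kill bit set everywhere" if not exposed else "NOT killed in: " + "; ".join(exposed))
```
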

  8. My solution for ActiveX (no, not installing Linux) by istartedi · · Score: 5, Informative

    I use the IE security settings. Yes. It works. The only real problem with it, is that they are a bit convoluted for ActiveX. I had to slow down and think before I got what I wanted, which is essentially to have any web site that wants to run ActiveX prompt me, and then I can choose to accept (but virtually never do).

    Notice to web developers: If your site requires ActiveX, and it's not an absolutely essential service from a company that I can yell at, I will go someplace else. IIRC, I have one online financial service that fits that category.

    Otherwise, I DON'T NEED ACTIVEX. NOBODY REALLY DOES. ANYTHING WORTH DOING CAN BE DONE WITHOUT IT.

    And yes, that's shouting. It needs to be shouted loud enough for these people to hear it. It needs to be shouted again, and again. ActiveX belongs with IE6. Actually, it should have been killed off many revs before that. It should have been shot down by somebody who countered the suggestion at the very first meeting where it was discussed. Maybe somebody had the flu that day.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  9. Only 9 posts? by Culture20 · · Score: 5, Funny

    Apparently everyone using IE or FF 3.5 is waiting for updates before posting.

  10. Active X again? by Midnight+Thunder · · Score: 3, Funny

    With the number of ActiveX related security issues you would have thought they would simply drop it or at least sandbox it?

    --
    Jumpstart the tartan drive.
    1. Re:Active X again? by mkavanagh2 · · Score: 4, Insightful

      I believe Microsoft thinks ActiveX is sandboxing.

    2. Re:Active X again? by Penguinshit · · Score: 4, Insightful

      Sandbox?

      What ActiveX needs is a pine box

    3. Re:Active X again? by TheRealMindChild · · Score: 0

      You are modded insightful, but if there was such a thing as "-1 ignorant" I would have certainly modded you rather than replying.

      An ActiveX library is just a DLL. However, it is a DLL that can be indiscriminately loaded by scripts... even scripts on a web page no less (this IS being addressed in Windows > XP). What needs to happen is a whitelist of what scripts can use what libraries if you even want to go that far.

      The solution, in my eyes, is to remove abilities to create ActiveX controls in remote scripts completely. This would solve just about every problem with them.

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    4. Re:Active X again? by PPH · · Score: 1

      My cat sandboxed it.

      --
      Have gnu, will travel.
    5. Re:Active X again? by PitaBred · · Score: 1

      ActiveX is just a DLL, but the only reason it exists is TO CREATE CONTROLS IN REMOTE SCRIPTS. It just uses standard Windows widgets and such to do the actual work. You're the ignorant one... the GP was perfectly right. ActiveX is simply a security hole, period.

    6. Re:Active X again? by TheRealMindChild · · Score: 1

      Whores only exist to lure married men from their wives, right? Kill 'em all, right? Just like ActiveX controls, whores have a purpose... not necessarily in line with their intended nature. What should we do with them?

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    7. Re:Active X again? by IntlHarvester · · Score: 1

      ActiveX is just a DLL, but the only reason it exists is TO CREATE CONTROLS IN REMOTE SCRIPTS. It just uses standard Windows widgets and such to do the actual work. You're the ignorant one... the GP was perfectly right. ActiveX is simply a security hole, period.

      ActiveX certainly has some problems, but in these two cases (Excel and Media Player), we are talking about plugins that are specifically designed to be used in web browsers and other "remote scripts". If they were somehow using the Netscape/Firefox plugin API, it's likely the same security holes would exist.

      But I will give you credit for at least knowing what ActiveX is, which puts you ahead of 99% of the open source cavemen on this site who just grunt OGG SAY ACTIVEX BAD SECURITY and get score 5 for their pathetic peabrained insights.

      --
      Business. Numbers. Money. People. Computer World.
    8. Re:Active X again? by Anonymous Coward · · Score: 0

      My cat sandboxed it.

      Yeah, and he's a pussy.

    9. Re:Active X again? by causality · · Score: 3, Informative

      Whores only exist to lure married men from their wives, right? Kill 'em all, right? Just like ActiveX controls, whores have a purpose... not necessarily in line with their intended nature. What should we do with them?

      I think I see the part you're missing that would explain to you why some (including me) think ActiveX is fundamentally flawed.

      In terms of security, I think we can agree that the Internet including the Web is rightly regarded as a hostile network. We can also probably agree that good security is done in overlapping layers in order to minimize single points of failure. That's important for many reasons, not the least of which is that a glaring, single point of failure increases both the severity of exploits and the ease with which they may be carried out.

      The problem with ActiveX is the lack of sandboxing. A control has the full privileges of the user running the browser. With XP machines that user tends to be an Administrator, compounding the problem. Trusting this environment to reliably and securely handle remote code on a hostile network is just begging for trouble. The idea is fundamentally flawed and tinkering with it may mitigate the problem but will not fix it. It needs to be abandoned and replaced.

      Java is more suitable for this kind of task. That is, the needed sandboxing capabilities are an integral part of its design, which is not the case with the Windows DLL-type ActiveX controls. If you really want a Microsoft solution, Silverlight can run applications (both remotely and downloaded for local off-line use) and has its own sandbox. Even Flash apps are a better idea than ActiveX, which is saying something considering Flash's security history.

      A solution with a good sandbox combined with running as an unprivileged user is a hell of an improvement. This means that an attacker who wants to own the machine has multiple hurdles. The more this is the case, the more difficult it is for an automated script to pull off a successful exploit. The fact that the malware is fully automated and can rapidly spread is part of why there are so many botnets and other problems. Think of it as something like a captcha: the more a successful exploit requires a determined human being, the fewer massive botnets there are. Fewer botnets mean less spam and fewer DDoS attacks and the like. Nowhere does the low-hanging fruit of ActiveX (and similarly flawed ideas) fit into that picture.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    10. Re:Active X again? by PitaBred · · Score: 2, Informative

      I know what they were designed to do. And they do exactly what they were designed to do, it's just horribly insecure. Excel and Media player need to be sandboxed to safely run content directly from the Internet because of stupid design decisions in the software itself, where Excel and WMP will actually run code. ActiveX doesn't do any of that, it simply connects Excel to the Internet, which is where the security flaw is.

  11. They have by Sycraft-fu · · Score: 5, Informative

    If you go read the notice, you find out that Vista and Server 2008 aren't affected. Reason is that IE has a sandbox mode on those OSes (Windows 7 too) for things like that. However, it relies on changes to the OS so it hasn't been backported to XP and I don't know that it could be easily.

    So yes, they have sandboxed ActiveX, but it applies to newer versions of Windows only.

    1. Re:They have by BasharTeg · · Score: 1

      Funny thing is, the Firefox 3.5 exploit doesn't work on Vista either according to our testing. Only works on Windows 2000 and XP. Good thing everyone's bashing Vista like it has no features of value and as if it's still broken like pre-SP1 when SP2 is out.

      So your average Microsoft-hating fanboi who is running Firefox 3.5 because IE8 isn't cool enough, and who is running Vista because XP is "way better", is the one who is vulnerable to this Firefox exploit.

    2. Re:They have by Anonymous Coward · · Score: 0

      Us ms-hating fanbois are running linux, and as such, aren't worried about it.

    3. Re:They have by Anonymous Coward · · Score: 0

      Vista and Linux are also vulnerable, the hole is just a lot easier to exploit in XP32 which is the way that malware writers will go until there are no XP machines left.

    4. Re:They have by Dunbal · · Score: 3, Interesting

      Good thing everyone's bashing Vista like it has no features of value

            No, we bashed it because it didn't have features of $200+ value.

      --
      Seven puppies were harmed during the making of this post.
    5. Re:They have by Killjoy_NL · · Score: 1

      Good that I only paid 17 euros for my vista license, wheeeeeee

      --
      This is the sig that says NI (again)
    6. Re:They have by Anonymous Coward · · Score: 0

      ... your average Microsoft-hating fanboi ...

      is running Linux!

  12. Hear Hear, and let me add.... by wowbagger · · Score: 3, Interesting

    Hear hear on your ActiveX rant, and let me add "What you have said about ActiveX also applies to Javascript."

    I see too many sites that will have almost every link be of the form <a href="#" onclick="follow_link(some_damn_link.html)"> - in other words the only way to follow the link is to use Javascript. This is just sloppy and stupid-lazy - such pages are usually machine generated, and there is NO REASON why the tool couldn't have filled in an appropriate href.

    Yes, there are good uses for Javascript - but do we really want to be allowing J. Random Website to run code in a Turing-complete[*] language on every potential page load? I don't - and that is why I have NoScript installed, and no web site gets to run Javascript by default on MY browser - and since the Secunia exploit against Firefox is Javascript based, that reduces (but does not eliminate) my exposure.

    ([*] - Javascript is as Turing complete as C/C++/Java or whatnot - the only thing that makes it NOT truly Turing-complete is the absence of infinite storage, just like C/C++/Java or whatnot).

    1. Re:Hear Hear, and let me add.... by b4dc0d3r · · Score: 1

      I have been wrestling with that myself. Some of the reason sites do that is essentially URL rewriting, where they have a name for the page but then depending on your current context they might take you to a different directory or something. Most aren't, but some of the examples I see are actually very clever time-saving devices, viewed from the programmer's perspective. Could you put the same logic in the back-end? Sure. In fact it would be far more secure and protect your IP. And wouldn't be copyable. But it does separate the logic, which is more maintainable.

      Of course, some just do a redirect to the full relative URL, and that is inexcusable. I do surf with NoScript, and if I can't see your products I'll just move to a competitor's site. I used to mail websites and tell them what I was doing, but it did no good. So now there's a million websites out there I don't buy from and no one knows why.

    2. Re:Hear Hear, and let me add.... by Anonymous Coward · · Score: 0

      I agree. Sites that are written like this are also a PITA to navigate. I can't open such links in a separate tab or window and idiots that write sites like this are never smart enough to return to the same point so I absolutely need to be able to open them in a separate tab or window.

    3. Re:Hear Hear, and let me add.... by lennier · · Score: 1

      "the only thing that makes it NOT truly Turing-complete is the absence of infinite storage"

      I've never really understood this part of 'Turing-complete'. If an algorithm requires infinite storage, isn't it also going to take infinite time to access that storage? Therefore it will never complete, therefore it's undecidable, surely. Or did you mean 'finite but unbounded, just slightly bigger than the (computable) problem at hand requires'?

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    4. Re:Hear Hear, and let me add.... by wowbagger · · Score: 1

      "finite but unbounded" - in terms of the Turing machine this is a meaningless statement. Yes, you can say the surface of an orange is finite but unbounded, but for storage, you cannot just keep reusing what you have, like retreading the surface of an orange.

      Thus, you have to have storage that is NOT finite - storage that cannot run out. In other words, infinite.

      Just because an ideal Turing machine has access to "infinite" storage does not mean that all algorithms will use it. I could design a Turing machine that could play Tic-Tac-Toe in a finite and well defined amount of storage, for example.

      Consider the following example: In theory, a Sinclair ZX-81 could do computation my 4G RAM 340G disk Core 2 Duo laptop could do (albeit nowhere near as quickly), given only some form of storage interfaced to it to allow it to access enough information. Now, that information is going to be larger than 340G+4G (by how much it would be hard to say), but given something like, oh, say an infinitely long tape and reader (where did that idea come from?) it could do it. Likewise, the emulated machine could run Firefox, which could run Javascript, which, again given a simulated infinite storage, could emulate the ZX-81 emulating the Core 2 Duo running Firefox running Javascript emulating....

  13. Full disclosure or what? by fedxone-v86 · · Score: 2, Insightful

    Why is Secunia (http://secunia.com/advisories/35798/2/) only featuring a link to the exploit of the ff3.5 0day but no link to the Mozilla bugtracker?

    Don't want to sound trollish but I don't really know how this whole security business works. So can anyone please explain why there is no bug report for the open source browser?

    --
    (USER WAS PUT ON PROBATION FOR THIS POST)
    1. Re:Full disclosure or what? by maxume · · Score: 1

      There is some chance that a bug simply hasn't been filed. Mozilla does keep security related bugs private (or so I understand it, I'm not in that club) until they consider them resolved (which often means releasing an update). Full disclosure generally refers to whoever found the bug telling the public about it, so no need for the "or what?", the bug has been disclosed.

      --
      Nerd rage is the funniest rage.
  14. More than multiplying, I'm afraid by Curate · · Score: 3, Funny

    These attacks are exploiting a flaw in an ActiveX control for displaying Excel worksheets. Right now they are just multiplying. You just know that they will eventually start adding. What happens if they start subtracting? Let's not even mention dividing at this point. God help us all...

    1. Re:More than multiplying, I'm afraid by WuphonsReach · · Score: 1

      For a true math joke, you would have done that as "multiply divide add subtract" (or "My dear aunt Sally") in order to get the precedence correct.

      --
      Wolde you bothe eate your cake, and have your cake?
  15. Firefox 3.5 0day fixed in nightlies by Anonymous Coward · · Score: 0

    I'm running the current nightly build of Shiretoko (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090714 Shiretoko/3.5.1pre) and this exploit is already fixed as far as I can tell. It does crash the stock Firefox 3.5.

    I'd expect to see a patch for this out pretty quickly.

  16. Windows itself by Anonymous Coward · · Score: 0

    Is the un-patched bug. Just patch with new windows 10.5.2. Awesomely stable, very user friendly, not to mention secure as a rock.

  17. I have a working patch. by Repossessed · · Score: 0, Redundant

    I have a working patch for IE issues.

    www.firefox.com

    --
    Liberte, Egalite, Fraternite (TM)
    1. Re:I have a working patch. by Repossessed · · Score: 1

      Oh come on, that was funny.

      Since when did bashing MS become flamebait, usually the mods reserve that for me bashing Apple.

      --
      Liberte, Egalite, Fraternite (TM)
    2. Re:I have a working patch. by TrancePhreak · · Score: 1

      RTFsummary.

      --

      -]Phreak Out[-
  18. Re:My solution for ActiveX (no, not installing Lin by Anonymous Coward · · Score: 0

    For all intents and purposes "intensive purposes" is a silly phrase.

  19. Disable JIT for Firefox 3.5 workaround by Anonymous Coward · · Score: 2, Interesting
  20. Exploit (FX3.5) by t0y · · Score: 3, Informative

    Here's the exploit code for firefox.
    Apparently, it should crash and open up calc.exe. On my machine (win7 RC1) it crashes bringing up the error report thingy.
    No calc.exe for me. :(

    Does this mean I'm "safe"?

    1. Re:Exploit (FX3.5) by flyingfsck · · Score: 1

      Nope, doesn't work: Firefox 3.5 Vulnerability Firefox 3.5 Heap Spray Vulnerabilty Author: SBerry aka Simon Berry-Byrne Thanks to HD Moore for the insight and Metasploit for the payload

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:Exploit (FX3.5) by cbhacking · · Score: 1

      It probably means you have security features that Windows XP (what far too many people still mean when they say "Windows"... it's a fucking 8-year-old OS, stop using it as representative of the whole) lacks. Just like the way that this IE exploit doesn't work correctly on Vista/Server 2008/Win7 either... but nobody bothers to mention that because it works on an OS so outdated it doesn't even have a built-in instant search.

      --
      There's no place I could be, since I've found Serenity...
  21. Re:your mom by Anonymous Coward · · Score: 0

    My parents are divorced, you insensitive clod!

  22. I'm using Chrome! by vrmlguy · · Score: 1

    Ha-ha, suckers!

    --
    Nothing for 6-digit uids?
  23. Posted using telnet to port 80 by Anonymous Coward · · Score: 0

    because I'm scared my interwebrowser will get exploited. ... I would have had first post too, if it wasn't for all this pesky web2.0 ajax crap.

  24. Re:your mom by Anonymous Coward · · Score: 0

    Sounds like the exploit was successful, you dullard!

  25. What's IE again? by Anonymous Coward · · Score: 0

    I mean, really... How does this affect me?

    "You keep using that word (security). I do not think it means what you think it means."

  26. and the MS Plugins? by Anonymous Coward · · Score: 0

    I recently disabled a couple of MS office plugins that had mysteriously registered themselves with firefox. I'd already disabled the MS .NET addon and removed the UA string using about:config. While Microsoft are not the only offender, these plugins were not required and increase the security exposure footprint of Mozilla's browser. It's not acceptable that such things should be installed without explicit user consent. Being aware of the heap spray vuln in firefox, I disabled the JIT until Mozilla can release a patch. I'm not usually aware of vulnerabilities in 3rd party plugins that I had no idea were installed.

    1. Re:and the MS Plugins? by totally+bogus+dude · · Score: 1

      Firefox's default behaviour is to tell you when new plugins have been installed, so it should be very hard not to be aware of them.

      Not excusing the behaviour, just pointing out a convenient feature that helps mitigate unfriendly auto-installs.

  27. Re:My solution for ActiveX (no, not installing Lin by Inda · · Score: 1

    Shout louder!

    I see at the top of this page:

    "Your security settings do not allow Web sites to use ActiveX controls installed on your computer. This page may not display correctly. Click here for options..."

    Well smack my forehead.

    (no, this is not my PC, behave yourself)

    --
    This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  28. built in VM within browser by kai6novice · · Score: 1

    There are all kinds of problems in browsers. I think the only safe way to browse the web is to create a virtual machine, then run the browser within the virtual machine, so if anything bad happens, just replace the virtual machine, then you're good again. Why can't someone think of a way to build a tiny virtual machine within the browser? The virtual machine should only apply functionality that a browser ever needed. Then if anything bad happens, just roll back to the original backup of the virtual machine. It's like a browser that contains a virtual machine that runs the browser which contains it.

  29. Virus, malware, what is that? by cenc · · Score: 0, Offtopic

    I don't understand what the problem is with this. Someone please explain. ( Typing on his linux workstation, to connect to his linux server, in an all linux office).

  30. ActiveX by fm6 · · Score: 1

    Not a marketing gimmick. If you did any component-based programming, you'd see a lot of utility in ActiveX objects. They allow people to write libraries that you easily plug into your application and interact with at design time using a GUI like pre-.NET Visual Basic or Delphi.

    What really made this kind of object valuable is that it allowed you to use an object-oriented framework like MFC or VCL without knowing jack about object-oriented programming. Unfortunately, this capability was simply ignored when they moved from COM to .NET.

    Now, it's perfectly true that the implementation of the ActiveX concept is a horror. Bad API design, bad documentation, buggy code. But those are not marketing fuckups.

  31. Re:My solution for ActiveX (no, not installing Lin by Anonymous Coward · · Score: 0

    I don't know if this also applies to newer IEs but disabling ActiveX also disabled Flash. Oasis. Heaven. Sweet summer afternoon. I've recently switched to Iron and I had forgotten how annoying Flash was, that it can be suddenly unexpectedly noisy, and that it can bog up your machine real good, and I hope they will add a way to deactivate it soon. Mind you, uninstalling the plugin wouldn't work, because then you can't use it in the few sites that need it (YouTube and cohorts); just don't load the plugin until I click on it. Of course, strictly speaking YouTube doesn't really need it either, since you can get .flv playback in pretty much any media player nowadays, and playback is usually smoother and looks better than it does when you use Flash. So perhaps what we really need is a kind of Flash emulating plugin that pretends to be the Flash video towards the page and the server, but in reality doesn't have UI and solely exists to intercept the video stream and show it in your default media player.
    Oh, one nitpick: ActiveX is not inherently more or less secure than other plugin systems, so you should have said plugins instead of ActiveX.