Slashdot Mirror
Attacks Against Unpatched Microsoft Bug Multiply
CWmike writes "Attacks exploiting the latest Microsoft vulnerability are quickly ramping up in quantity and intensity, several security companies warned today as they rang alarms about the developing threat. Symantec, Sunbelt Software, and SANS' Internet Storm Center bumped up their warnings yesterday after Microsoft announced that attackers were exploiting a bug in an ActiveX control used by IE to display Excel spreadsheets. There is no patch for the vulnerability; Microsoft didn't release one in today's Patch Tuesday. A temporary fix that sets the 'kill bits' of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection. Symantec raised its ThreatCon ranking to the second of four steps. "We're seeing it exploited, but currently on a limited scale," said Symantec's Ben Greenbaum. Sunbelt also bumped up its ranking, to high." Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.
Why dont web hosts scan for hosted vulnerabilities? I imagine a nightly clamav scan by web hosts would make all the difference in cases like these where there is no patch yet but there is an web-based exploit. Heck, some users dont even patch, as was shown by Conficker, which was patched in October and spread like wildfire in January.
Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.
Well, I guess I'm safe. At my workplace, my Redhat 9 installation is incapable of running any version newer than Firefox 2.0.0.20.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Someone finally found a hole in a Microsoft application using a Microsoft framework opening a Microsoft application!
Nobody? OK no cream.
Apparently, a lot given that the attacks are becoming more intense and frequent.
My guess is that when Office installs, various ActiveX controls are linked into the OS and by extension, the web browser MSIE. But there are lots of places where this should never have happened.
1. ActiveX has been proven time and time again to be a very bad idea. It is not sandboxed. There is no way to keep it away from the rest of the OS.
2. The web browser's integration with the OS. Not only has it been ruled illegal by various nations antitrust courts, but any exploit of the browser also exploits the OS by extension.
A temporary fix that sets the 'kill bits' of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection.
Well, Computer World (and CWmike in particular), perhaps more users would take advantage of the protection if you would provide them a link telling them how when you first mention it rather than wait until the end of the article where they may not associate it as being the aforementioned solution.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
I use the IE security settings. Yes. It works. The only real problem with it, is that they are a bit convoluted for ActiveX. I had to slow down and think before I got what I wanted, which is essentially to have any web site that wants to run ActiveX prompt me, and then I can choose to accept (but virtually never do).
Notice to web developers: If your site requires ActiveX, and it's not an absolutely essential service from a company that I can yell at, I will go someplace else. IIRC, I have one online financial service that fits that category.
Otherwise, I DON'T NEED ACTIVEX. NOBODY REALLY DOES. ANYTHING WORTH DOING CAN BE DONE WITHOUT IT.
And yes, that's shouting. It needs to be shouted loud enough for these people to hear it. It needs to be shouted again, and again. ActiveX belongs with IE6. Actually, it should have been killed off many revs before that. It should have been shot down by somebody who countered the suggestion at the very first meeting where it was discussed. Maybe somebody had the flu that day.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Apparently everyone using IE or FF 3.5 is waiting for updates before posting.
With the number of ActiveX related security issues you would have thought they would simply drop it or at least sandbox it?
Jumpstart the tartan drive.
If you go read the notice, you find out that Vista and Server 2008 aren't affected. Reason is that IE has a sandbox mode on those OSes (Windows 7 too) for things like that. However, it relies on changes to the OS so it hasn't been backported to XP and I don't know that it could be easily.
So yes, they have sandboxed ActiveX, but it applies to newer versions of Windows only.
Hear hear on your ActiveX rant, and let me add "What you have said about ActiveX also applies to Javascript."
I see too many sites that will have almost every link be of the form <a href="#" onclick="follow_link(some_damn_link.html)"> - in other words the only way to follow the link is to use Javascript. This is just sloppy and stupid-lazy - such pages are usually machine generated, and there is NO REASON why the tool couldn't have filled in an appropriate href.
Yes, there are good uses for Javascript - but do we really want to be allowing J. Random Website to run code in a Turing-complete[*] language on every potential page load? I don't - and that is why I have NoScript installed, and no web site gets to run Javascript by default on MY browser - and since the Securina exploit against Firefox is Javascript based, that reduces (but does not eliminate) my exposure.
([*] - Javascript is as Turing complete as C/C++/Java or whatnot - the only thing that makes it NOT truly Turing-complete is the absence of infinite storage, just like C/C++/Java or whatnot).
www.eFax.com are spammers
Why is Secunia (http://secunia.com/advisories/35798/2/) only featuring a link to the exploit of the ff3.5 0day but no link the Mozilla bugtracker?
Don't want to sound trollish but I don't really know how this whole security business works. So can anyone please explain why there is no bug report for the open source browser?
(USER WAS PUT ON PROBATION FOR THIS POST)
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Excel.Sheet.8\BrowserFlags",00000008,"REG_DWORD"
I didn't put it in place for this vulnerability though, just because a lot of people use macros and don't know how to save as.
These attacks are exploiting a flaw in an ActiveX control for displaying Excel worksheets. Right now they are just multiplying. You just know that they will eventually start adding. What happens if they start subtracting? Let's not even mention dividing at this point. God help us all...
You are totally correct in saying that Office Web components won't be affected, I was just replying to the previous poster. Still anyone worth their weight as an admin wouldn't install Office Web components on anything.
You type really well for throwing chairs at the keyboard, Steve
My blog. Good stuff (when I remember to update it). Read it.
set javascript.options.jit.content to false.
http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
Here's the exploit code for firefox. :(
Apparently, it should crash and open up calc.exe. On my machine (win7 RC1) it crashes bringing up the error report thingy.
No calc.exe for me.
Does this mean I'm "safe"?
Without an unsandboxed version of the win32 api, which is what ActiveX is, they would be unable to deny the ability to use the internet to those without a recent version of windows and office.
My head didn't stay unexploded while I wasn't unreading this unstatement.
I'm a little more militant in my opinion of ActiveX.
Dumbest idea EVER. Microsoft has tossed more money down this sinkhole of a technology trying to fill the hole. People, Companies and governments have tossed even more down the same hole fixing issues that directly arise from some ActiveX bug.
How much further along would Microsoft have been along if they had just passed over this DUMB marketing idea anyway. ( It had to come from marketing, it must have, really who else could be this dumb. )
What it's been a decade of disaster when it comes to ActiveX issues.
Guys it's a bad idea. It's lame, take it out back and shoot it. Just say out loud, "We are sorry, this will never be in another one of our products after this point."
However it has made a lot of my product buying decisions over the years a lot easier. I ask the sales nerd. "Does this product make use of ActiveX in any way? I mean even as an optional addon?". If I get the reply, "Yes", or "We are building ActiveX into the next version.". I simple end the meeting and escort them to the door and give them a complimentary donut. ( I'm getting a bit like that when the caffeinated hyper English sales guy screams, web2.0 AJAX twitter in my face when he's only talking about the product packaging. )
Back to ActiveX. Again I say, DUMBEST IDEA EVER!
Sorry I take that back. Sub-Prime Mortgages, that's the dumbest idea ever. We'll give you money at a loss, not really check your credit, and expect you to be able to repay at an insane rate in 3-5 years time. Now that's a DUMB idea.
When some one sends me the "Oh please check out my super duper cool Share point embedded Office power point blah blah blah" very important link. I respond.
Sorry Doesn't load on my iPhone.
( I don't really own an iPhone. But iPhone makes them go "Oh crap, iPhones are cooler than this. I'd better re-do it so iPhone's can view it. )
After that it tends to be de-Microsoft'd enough for me to feel comfortable opening the link.
Without an unsandboxed version of the win32 api, which is what ActiveX is, they would be unable to deny the ability to use the internet to those without a recent version of windows and office.
With a sandboxed version of the win32 api, which is what ActiveX is, they would be able to allow the ability to deny the internet to those with a recent version of windows and office.
To paraphrase: "IE plugins from Office won't work without Win32 API running with increased privilages"
Took me a while to work it out, though.
Finally had enough. Come see us over at https://soylentnews.org/