IE Flaw Gives Hackers Access To User Files

snydeq writes "Microsoft warned that a flaw in IE gives attackers access to files stored on a PC under certain conditions. 'Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location,' Microsoft said in a security advisory. The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."

*sigh* ... blame Netscape.

[hey!]

Had Microsoft not needed something to drive a stake through Netscape's heart, it wouldn't have needed to concoct it's own Frankenstein's monster of confused and misbegotten priorities.

Re:*sigh* ... blame Netscape.

[maxume]

IT WAS TIM BERNERS-LEE!

Micro$oft

[hellraizer]

it really whips the user's ass :)

Re:Micro$oft

[denis-The-menace]

I did laugh at this but if you think about it, WinAmp's built-in web browser is IE.

Pretty much anything that need a quick and dirty web browser or uses .NET will end up calling on mshtml.dll which is IE. Some apps use IE for there GUI but hide it well like QuickBooks 2007 and up.

I love to preach to not use IE but in the end you must upgrade to IE 8 or else you risk inadvertently using IE and getting yourself exposed just by running apps.

Steam

Yet another reason for games to stop using IE as their built in patcher/notification/whatever. If you really need to display an HTML file, let the system display it with whatever the configured default is.

Re:Steam

[legio_noctis]

Unfortunately, the thread asking for Webkit in Steam at http://forums.steampowered.com/forums/showthread.php?t=861863 demonstrates how clueless the average gamer is about standards etc.

Some choice quotations:

"ie is fine"

"I'd rather not have steam bloated with redundant tech right now."

"Also W3C != Web Standards, and IE aren't the only ones not complying with the "standards", Firefox didn't comply with all W3C published recommendations either.(Don't know if that's still the case) [...] Microsoft is a business, and they don't want to take the blame because of a third parties inabillity to properly design websites. That is their design goal, and as the W3C isn't enforcable, as it's not considered a standard"

"It works, it is secure and it isn't that slow"

"IE is fine, and so was Windows 98."

"there is nothing wrong with the day-to-day performance of Trident."

Re:Steam

[sopssa]

Well to be fair, they are somewhat correct. While I don't like the clunky browsing withing steam or the in-game overlay, switching over to other engine would be a lot of work and testing to Valve and could create even more problems to users. And that's all while the browser component is a side thing.

For example IE and it's embedded component is supported on all versions of Windows. If Steam were to integrate their own browsing engine, they would have to make sure it works for 100% of users and they would have to maintain it. IE works in all situations as long as it already works for the user (which is pretty much every case) and the component gets updated along when user updates IE.

While I myself care a lot about standards, I don't see why an average gamer would do so. It already works well enough and is stable, so there's little to gain over the amount of added work it would put on Valve. I'm not even sure if any browser engine including Webkit can draw on DirectX surface anyway - they would have to the draw window contents to bitmap -> transfer to texture -> draw on DX surface anyway.

Re:Steam

[FlyingBishop]

Nobody ships with all of the W3C published recommendations. That's just stupid. You can't hit a moving target like that.

Re:Steam

[VGPowerlord]

Yes, but Firefox has things from HTML 4.01 that it still doesn't implement correctly. The col tag and its attributes come to mind.

Re:Steam

[Sleepy]

>Nobody ships with all of the W3C published recommendations. That's just stupid. You can't hit a moving target like that.

No no no no... red herring... you've been misled.

A browser does NOT need to support all W3C recommendations.
This is true for all browsers, even for IE.

What all browsers are EXPECTED to do is - "if" they support a recommendation - that they do what the recommendation SPECIFIES.
In other words, you choose to a CSS attribute CORRECT.. or do it NOT AT ALL. IE would randomly do something *undefined* instead of nothing.

Web developers literally spent YEARS reverse-engineering the exact behavior of Microsoft's undocumented standard. Had Microsoft not done anything at all with certain elements, the behavior would be quickly understood.

I'll give you an example: IE 6 and 7 would recognize many attributes for CSS padding and margins. IE would certainly do something with these attributes... but what they did was the OPPOSITE of the specs in some cases. Not only that, but the inheritance rules were not consistent. You literally had to write 2X the CSS code if you wanted your web-standards code to work on IE6.

This worked well for Microsoft - they essentially killed all progress on the web for a DECADE. Companies who locked themselves into IE6-based intranets did not care because there was no FireFox and no basis for Microsoft to put out new browser technology. MS wanted people to give up on HTML and just write everything in .NET. This is a holdover from the Microsoft "Blackbird" project, which seriously wanted to replace web HTML with compiled binary Microsoft-patented markup. Bill Gate's emails in the trial said he didn't want their bugs fixed if they were only causing problems in non-Microsoft browsers.

When a browser does not support an effect, you can easily workaround it. For example, if I couldn't assign a yellow background to an link, I could easily change course and wrap the A in a DIV and assign the style there instead. But what if the link color ceased to be yellow whenever that DIV was positioned with absolute instead of relative? What if the link disappeared whenever the DIV was inside a BODY tag which had a CSS background attribute?

It's the *random* nature of MSIE bugs (and the arrogance of not fixing them) that made web developers the most vocal critics of Microsoft.

    if FireFox versions have issues with following the standard wrong, that gets fixed but it also is published what versions had that bug. So it's easy to design around without self-doubting your markup and CSS. You still can't go to the Microsoft website and get a solid definition of their CSS Box Model bugs.

So, what percentage of W3 that gets implemented is not ever an issue; it's the quality and the truthfulness of the implementation.

Re:Steam

[petermgreen]

Afaict the major browsers do not offer compatible embedding interfaces so if you want to actually embedd a html view (rather than just adding a window to the users sea of browser windows) you pretty much have to pick one engine.

Re:Steam

[RichM]

The sad thing is that gamers (i.e. technology enthusiasts) are usually the ones who are hacked by the Chinese.

Re:Steam

[nschubach]

While I myself care a lot about standards...

I'm not even sure if any browser engine including Webkit can draw on DirectX surface anyway.

I can't be the only one to laugh at that...

Re:Steam

[IICV]

As an example of how this gets used, take a gander at the CSS of a page sometime. You might see something like -moz-border-radius or -moz-background-size - these are CSS attributes that Mozilla supports, and that may be similar to but not exactly the similarly named W3C standards. That's how you're supposed to do it - if you're going to claim that you support a standard, then support the goddamn standard. Don't half-ass it in an incompatible way.

This is bad.

[Buelldozer]

When you go to my website I know what the cookie name is and I know the default file system location for that cookie. This one seems pretty bad.

Re:This is bad.

[Buelldozer]

I was serious. :-D

I'm not a programmer nor a webmaster so this stuff is a bit opaque for me.

However, now that I know your computer is vulnerable (by using this method to access my own cookie) what would prevent me from going on a fishing trip for other cookies? Say...ones from your bank, or Amazon, or other high value websites?

Package that up into a script and you could probably scan for 1,000 different cookies in the time it took you to read my post.

Re:This is bad.

[Z34107]

Package that up into a script and you could probably scan for 1,000 different cookies in the time it took you to read my post.

Definitely! Reading everyone else's cookie is much more interesting than using an exploit to read your own cookies! :P

Re:This is bad.

[Pastis]

1000 cookies! Fast way to a diet !

Re:This is bad.

[FlyingBishop]

1. Look at what tax-preparation websites the user has visited.
2. You can easily determine where all of the two or three American tax agencies store tax info. Look there. You'll net probably 50% of your targets.

As long as you're rooting around, might as well scan for any files named /password.*/, and send them back to control, along with a list of all sites with cookies.

Re:This is bad.

[jimicus]

Well, if any of those cookies are being used by supposedly secure sites to remember somebody's login so they can conveniently purchase in future, you may well know enough to log into their account on those shopping sites and get their real name, address and purchasing history. From this point, it's not a particularly large step to large-scale identity theft.

Re:This is bad.

[JoshuaZ]

Someone please mod parent up. This is an excellent example of an exploit that at first glance looks harmless but could be used for very nefarious ends.

Re:This is bad.

[girlintraining]

When you go to my website I know what the cookie name is and I know the default file system location for that cookie. This one seems pretty bad.

You seem to forget that Windows XP, Vista, and Windows 7 all have file indexing enabled by default. By accessing those hidden .db files, you can get the complete list of filenames in each directory, including the names of the subdirectories in some cases.

Re:This is bad.

[EvanED]

As long as you're rooting around, might as well scan for any files named /password.*/, and send them back to control, along with a list of all sites with cookies.

The article is crap when it comes to actual information, but it's quite possible (I'd say more likely than not) that both of these are not possible.

Re:This is bad.

[Idiomatick]

Or.... you could assume they are on windows and access all kinds of standard location files. Exchange every exe for common apps with viruses... seems simple enough.

Re:This is bad.

[petermgreen]

More importantly though you could read other sites cookies (which you normally don't have access to), the systems account database (which you can then pass to l0phcrack and then pipe the results to your SMB and remote desktop clients)

Re:This is bad.

[Buelldozer]

You should be modded higher for this post.

Re:This is bad.

[mysidia]

The SAM database is in the registry, and the file is locked by the LSA during system operation, therefore not readable unless the system has been booted to a command prompt.

You would need an exploit that allows you to read the registry or gain access to files despite an exclusive lock, for that.

I wonder...

[Ismene]

I wonder how many people have a "passwords.txt" file in their Documents. ;-)

Re:I wonder...

[byrdfl3w]

Whew! Thanks! I deleted all my password.txt files before some nasty hacker got to me.
Now I gotta tell my friends about this! Hold on while I log..

Oh crap.

Re:I wonder...

[pisces22]

More likely 'passwords.doc' (.wps?) considering the type of people that would do that sort of thing. But maybe 'passwords.txt' for someone 'smart' to a point of just having enough rope w/ which to hang their self.

Re:I wonder...

[Bob+The+Cowboy]

This is why I keep my password file encrypted. Any I don't use that standard '.txt' extension either. Mine is 'passwords.rot13'... no one would ever guess that!

Re:I wonder...

Don't worry, I was able to recover your password.txt files from the recycle bin.

Re:I wonder...

[izomiac]

That's why I'm a little more careful and named my password file "nul". Too bad I can never remember where I keep that file...

Re:I wonder...

[apoc.famine]

I do. But it just lists websites and what password# (1-30) it has. The actual passwords are on an index card buried somewhere on my desk. But that card doesn't include the one for this computer, nor what logins go which each.
 
It's the best balance of "easy" and "secure" that I could come up with. If you gain physical access to my index card of passwords, it won't help you unless you can decrypt the contents of my drive, to match password with website. If you can gain access to what # password goes with each website by cracking my system, it still doesn't tell you the password.
 
Not perfect, by a long shot. But fairly easy, and fairly secure. By the way, my username @ slashdot is password #7. Looking at my personal passwords.txt doesn't help you much at all. :-p

Re:I wonder...

[mysidia]

Or Passwords.doc. A lot of folks don't know about notepad (or Notepad++/TextEdit/ScIte/Emacs) and just use MS word for everything.

Flawed

[mcgrew]

an attacker may be able to access files with an already known filename and location

One more reason not to keep your files in "My Documents". That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.

"Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008," it said.

Does XP have a protected mode? That's the version of Windows most people use IINM. Is this a ploy to get people to upgrade from XP?

Microsoft hasn't seen any attacks that exploit the flaw and has yet to decide whether to repair the flaw through its monthly security patch release cycle or an urgent, out-of-cycle update.

Has yet to decide whether to repair it? Hmmm... Ok, they're trying to decide when to. How about doing what every other browser company does and give us the patch NOW?

Re:Flawed

[radish]

Is this a ploy to get people to upgrade from XP?

I'd say it's (yet another) reason to stop using a 9 year old OS. How many of the major linux distros still support versions that old? How many people would recommend continuing to run a version that old?

Re:Flawed

[notseamus]

I can see this being a big problem for business users too.

We issue all files to external parties as pdfs/dwfs so they're basically read only, but there's a tracker reference for internal use which is on this, and I've seen this a lot before too, so I imagine that it could expose something that is supposed to be locked away for contractual reasons to being accessed, modified and distributed.

We also use XP, some essential software can't handle 64 bit xp, nevermind Win 7, so we're stuck here for a while at least (or until Microsoft stops supporting XP, and everyone is forced to switch. The sooner the better).

Re:Flawed

[Seth+Kriticos]

I have to agree. I'm open for 4-5 years of long term support for server OS's and very stable versions, but 9 years is just ridiculous.. well, would be normally, but there was not much option after XP for a long while and then came Vista.. go figure.

Re:Flawed

[Dracos]

Well, what blackhat could pass up easy access to anything in C:\WINNT\system32, or the paging file, or any other critical file, from the web?

Re:Flawed

> Has yet to decide whether to repair it?

No, has yet to decide whether to repair it now or wait until Patch Tuesday.

There are plenty of legitimate reasons to criticise Microsoft (like leaving things unpatched until Patch Tuesday) but misinterpreting their statements doesn't help anybody.

Re:Flawed

[Velorium]

No kidding. What's there to decide? If you have it ready and it's something as big as this, just release it. I really don't understand.

Re:Flawed

[rdavidson3]

One more reason not to keep your files in "My Documents".

Problem with that logic on windows 7 is that "My documents" are stored in the "c:\users\xxxxxx\Documents" folder. Now the hacker needs to figure out what the xxxxx is.

Maybe this is different under windows 7 (or any other version) when the computer is not on a domain.

Re:Flawed

[Leynos]

C:\users\%USERNAME%\Documents anyone?

Re:Flawed

[maxume]

It isn't completely unreasonable to start that clock at the release of the most recent service pack.

Re:Flawed

[rdavidson3]

Good point. Mod the parent up for it.

Re:Flawed

[Tikkun]

1. Open Windows Explorer.

2. Enter "%homepath%\Documents" into the address bar and press enter.

3. Profit!

Re:Flawed

[Z34107]

You might not even have to guess the tax-returns folder. I wonder if you could iterate through all possible files/paths inside My Documents and brute-force a listing.

Re:Flawed

[maxume]

On XP, cookies are stored in "C:\Documents and Settings\xxxxx\Cookies", so if the path to a cookie can be read, xxxxx is pretty trivial to determine.

Re:Flawed

[mcgrew]

How many of the major linux distros still support versions that old?

We don't have to as it's free, but there would be a lot more if Linux cost $500 ($100 for a "home version" upgrade) like Windows does. Lots of people don't even pay $500 for their computer.

Re:Flawed

[grcumb]

an attacker may be able to access files with an already known filename and location

One more reason not to keep your files in "My Documents". That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.

I'd be more concerned about the accessibility of files like Normal.dot - the default MS Word template. Stick an autoexec macro in there, and you'll learn quite a bit about the system.

Re:Flawed

[thePowerOfGrayskull]

No, it's the same back to Win2000. But still - you've got a better-than-fair chance of success if you run a series of values like "john", "pete" for XXX and "password.txt" for the file name.

Re:Flawed

[natehoy]

Actually, in Windows XP, it's C:\Documents and Settings\(username)\My Documents. That's true whether you are on a domain or not. So that is certainly a mitigating factor even back in XP, because a remote attacker is unlikely to know (username).

However, that's not the case on some machines. The default install from most manufacturers is one preinstalled user, who is Admin, with a default username set by the manufacturer. Dell uses "Default" for this, last I knew. So a lot of people are still vulnerable to this. And the most vulnerable to it are going to be the ones who know the least about how to prevent it.

They get their Dell, never see a login, are never aware that their username on the machine is "Default", are never aware that Internet Explorer is not the only web browser or why they should take the trouble to switch, and they use the preinstalled Quicken or MS Money to do their checkbooks. C:\Documents and Settings\Default\My Documents\Quicken\Quicken.qw (or whatever the default filename and extension is for saved Quicken files) would probably get a readable result from around 1% of machines out there, at a guess.

Re:Flawed

[mlts]

XP does not have a protected mode. The next best thing would be to run a virtual machine utility and browse in that. Then when done browsing, close the VM and have all changes rolled back to the previous snapshot. If you want bookmarks preserved, put that directory on another virtual drive that keeps its state (and doesn't get rolled back like the system.)

Barring running in a VM, you can create a non-admin user in XP, switch to that for your Web browsing, and only use that user for browsing. Your sensitive documents and such would remain on your main user.

Re:Flawed

[Carnildo]

I wonder if you could iterate through all possible files/paths inside My Documents and brute-force a listing.

It's possible but not practical. A decade ago I did this as part of a proof-of-concept virus; iterating through all possible 8.3 filenames would have taken just under a century.

Re:Flawed

[Antiocheian]

Actually it's a reason to stop using a 14-year old browser-OS embedding approach, insecure by design, and switch to Firefox, whatever the operating system. That's the best way to keep you secure on the web.

As for the OS, use the fastest and combine it with a good antivirus and a HIPS firewall.

Which is the fastest OS ?

Re:Flawed

[mcgrew]

Agreed, although maybe not at a $500 price point. If Linux were $100 and Windows was $50, I'd choose Linux. Hell, if Linux was $100 and Windows was free I'd still choose Linux. But if Windows were free and Linux cost $500, I'd bite the bullet and use Windows. Five hundred bucks is a lot of money to me.

Re:Flawed

[jimicus]

Has yet to decide whether to repair it? Hmmm... Ok, they're trying to decide when to. How about doing what every other browser company does and give us the patch NOW?

Some of us are old enough to remember before Microsoft implemented Patch Tuesday. The official reason was simple - companies were sick to death of having new patches to test, deploy and roll out several times a week.

Myself, I take the view that if a company large enough to test, deploy and rollout patches on a managed basis can't institute their own timetable rather than rely on that provided by a third party they have huge problems. But what do I know?

Re:Flawed

[ichthus]

How many of the major linux distros still support versions that old?

How many of the major Linux distros' later releases suffer from a performance downgrade?

Re:Flawed

[initialE]

But keeping your shit where your shit ought to be is a key best practice - you can't reasonably expect to change that now. Imagine if programmers were to throw their files all over the system directories and requiring all kinds of administrator privileges to run. Now imagine users needing the same rights just to get to their files.

Re:Flawed

[initialE]

on all versions of windows, %userprofile% will get you to your home directory - even if you didn't install your windows on C:, have multiple versions installed on the same partition, or tried to obscure stuff in any way.

Re:Flawed

[MobileTatsu-NJG]

It's possible but not practical. A decade ago I did this as part of a proof-of-concept virus; iterating through all possible 8.3 filenames would have taken just under a century.

I know the longer filename support in Windows would take longer to brute force, but wouldn't that also make a dictionary attack more feasible since fewer constraints are placed on the user's naming of files?

Re:Flawed

[plague3106]

What makes you think they don't? You've heard of WSUS, right?

Re:Flawed

[Quantumstate]

I am sure that if Linux and Windows were the same price I would use Linux. I can say this with certainty because I have bought a copy of Windows but I use Linux instead >95% of the time (non-gaming basically). I would probably be willing to pay about £100 for Linux.

Re:Flawed

[frank_adrian314159]

First of all, it took the company who made the OS eight years to come up with a suitable replacement (or, at least six, if you want to count the relatively usable W2K8 server as a replacement for a desktop system), so I only look at the OS as two years out-of-date at most.

In addition, Win7 requires more processing power than XP to gain reasonable advantage over XP, requires the user to learn new UI and administrative skills, and often requires replacement of software and hardware for which no Win7 versions and/or drivers exist. So, essentially you're saying that planned obsolescence is a wonderful strategy that customers should buy into?

Re:Flawed

[drinkypoo]

The difference is that a lot of software which works on Windows XP is broken on Windows 7, including several games that I tried, whereas for the various Loki games that don't work there's Loki_Compat, and for most everything else you have source and can recompile. There's still ample reason to use Windows XP, because for many tasks it is superior to modern Windows. Of course, there are limited cases where this is true for Linux as well, such as when you desire to run OpenMOSIX which AFAIK last worked on 2.4 series kernels.

Re:Flawed

[radish]

I'm going to go out on a limb and say, if you're looking at desktop-oriented releases, most of them.

But I don't consider that a bad thing, assuming that the slowdown is due to useful features and is compensated by an increase in hardware performance. I don't believe that the latest Ubuntu desktop release will work particularly well on a 15 year old PC, and it will certainly feel slower than an OS from that time. Of course it does a lot more, and there's your tradeoff.

Re:Flawed

[Antiocheian]

What do you mean ?

Re:Flawed

[radish]

XP is still being supported, and MS haven't said they won't fix it. I was just responding to the assertion that this bug was somehow an evil ploy to force people to upgrade. It isn't, but if you insist on running old software which is about to become EOL, well you should understand the risks.

Re:Flawed

[maxume]

GP stated that XP is 9 years old. XP SP3 is less than 2 years old.

My point being that there is significant ongoing maintenance, so the software isn't quite entirely 9 years old.

Re:Flawed

[nigelo]

You quoted your parent, so I assume you read what you quoted.

If you had read the next sentence, on the same line, you would have seen:

>Has yet to decide whether to repair it? Hmmm... Ok, they're trying to decide when to.

It would appear that your post is redundant, since you are simply repeating what was already said.

There are plenty of legitimate reasons to criticise parents but not reading their statements doesn't help anybody.

Re:Flawed

[maxume]

Sure. I was pointing out that there is a difference between 9 years with no updates and 9 years (or 7 going strictly by what I said) with significant updates.

Re:Flawed

[maxume]

$300:

http://www.newegg.com/Product/Product.aspx?Item=N82E16832116718

(That's for a full copy of the most expensive workstation edition, not an upgrade)

I suppose some fool payed $500 for it somewhere.

Re:Flawed

[EvanED]

This is very possibly not workable. None of standard C's fopen, C++'s fstream, or Win32's CreateFile function will interpolate the %USERNAME% component; you have to specify the hard path. (This was tested on XP.)

Re:Flawed

[Sleepy]

You're confusing OS with "releases".

I have a system running Debian here, the installation is 12 years old. I installed it once from CD I bought 12 years ago (CheapBytes ).

I continue to get modern support.
I expect you to argue "but you DID have to upgrade the OS", but the point is artifical and moot.
"Upgrades" on Linux are just like "updates", except bundled together.
Doesn't really matter if you get your security updates from an "update" or an "upgrade", so long as you get it.
You have free "new versions" of software for LIFE on Linux.

Nobody holds onto old versions of Linux because they pirated an install key that doesn't work anymore on new versions, or crap like that which is part of the norm.

You don't have to like Linux, but your argument here is a bit "loaded" and in a context that has no meaning in Linux.

Re:Flawed

[petermgreen]

but iirc the sam database has a fixed location relative to the windows dir and on the majority of machines the windows dir is in one of a few places. If you can get the sam file you can probablly read out a list of accounts on the system and make a good guess at the user profile locations (while your at it you can also pass the password hashes to lophcrack).

Re:Flawed

[cbhacking]

Protected Mode requires a substantial change to the process security model. Basically, until Vista/Server 2008, NT followed what was essentially the *NIX security model, where access permissions of a program were determined by the user/group the program was run by. There are differences in implementation between NT and the various POSIX systems, but that's the general idea. The problem is that when the vast majority of your users run with nearly full access to the system, one misbehaved (vulnerable) program can bring everything crashing down.

In NT6 (Vista/Server 2008), Microsoft introduced a new concept of process integrity levels, which are a per-process (rather than per-user) level of security. By default, programs run with medium integrity, which means their access permissions are basically what they were before. High integrity processes, such as system processes or anything run with actual Administrator permissions, can access anything but can't be accessed by lower-integrity programs (which helps prevent elevation of privilege from a non-Admin program.

The relevant datum here is that Internet Explorer runs (by default) with Low integrity, which means it has extremely limited access to the rest of the system. A low-integrity process can't start medium-integrity processes, can't write to the vast majority of the filesystem (there's a special low-integrity folder for things like Temporary Internet Files) or registry, and basically is unable to cause any harm. The trick is, it has these limitations regardless of the permissions of the user who runs the program.

XP can't do that. If you, as a user, can write to a location, any program you start can too (unless you tell Windows to start it as another user). Therefore, since Protected Mode is just Microsoft's term for "this process runs with low integrity" and XP can't *do* low integrity, no, you don't get Protected Mode on XP, and never will (it would require a substantial change to the kernel security subsystem).

Re:Flawed

[John+Hasler]

> Which is the fastest OS?

Why should I care how "fast" my OS is as long as it is fast enough? There are many more inportant considerations.

Re:Flawed

[mysidia]

Does XP have a protected mode? That's the version of Windows most people use IINM. Is this a ploy to get people to upgrade from XP?

XP Users don't have access to protected mode, it relies on features present in Vista's security model.

Mandatory Integrity Control (MIC), a model in which data can be configured to prevent lower-integrity applications from accessing it. The primary integrity levels are Low, Medium, High, and System. Processes are assigned an integrity level in their access token. Securable objects such as files and registry keys have a new mandatory access control entry (ACE) in the System Access Control List (ACL).

* I'm not sure why Microsoft calls their use of MAC with integrity labels "MIC" instead... I guess it's because MAC is a NIH TLA.

User Interface Privilege Isolation (UIPI) blocks lower-integrity from accessing higher-integrity processes. For example, a lower-integrity process cannot send window messages or hook or attach to higher priority processes This helps protect against "shatter attacks." A shatter attack is when one process tries to elevate privileges by injecting code into another process using windows messages.

Re:Flawed

[jambarama]

It isn't like XP hasn't been updated since 2001, sometimes significantly so. The jump from XP to SP1 and SP2 to SP3 - seems more akin to a jump from woody to sarge or etch to lenny. SP3 was 2008, so I wouldn't say XP is really a 9-year-old OS.

Re:Flawed

[TrancePhreak]

Examples.......

Re:Flawed

[jimicus]

What makes you think they don't? You've heard of WSUS, right?

Indeed I have, which is why I can't for the life of me figure out why Microsoft only releasing patches once a month is such a benefit.

The only reason I can think of is that the great majority of businesses by a long way in the UK (and I believe the US) aren't huge businesses. They're the small businesses which employ 5, 10, maybe 20 people. (Yes I know this may be hard to swallow at first. I had a lot of trouble getting my own head around it but I've looked into it in some detail - it's true)

Such businesses are going to have - at most - one server running SBS and possibly some sort of agreement with a local chap to provide support and they're certainly not going to run WSUS.

Re:Flawed

[mcgrew]

Still too expensive.

Re:Flawed

[Bungie]

One more reason not to keep your files in "My Documents". That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.

It is sometimes better when your files are stored in a standard location like the documents folder. It's so frusterating when you attempt to backup or transfer someone's documents and they're not in the documents folder. A lot of tools (like Windows Search) also assume that's where your documents will be. XP System Restore treats almost anything outside of the documents folder as fair game and might even replace them from a snapshot when you use a restore point.

Guessing the contents of the documents folder is not as easy as you think. Everyone has their own organization and naming scheme.

Does XP have a protected mode? That's the version of Windows most people use IINM. Is this a ploy to get people to upgrade from XP?

It's not a ploy to force upgrade, it is simply a limitation of XP's decade old design. Implementing Protected Mode in XP would require massive changes to the operating system. Not only would they have to implement core things like Mandatory Integrity Control and User Interface Privilege Isolation, but they would have to update all of the system libraries and applications to support the new security model. Even if they did do it all, there's no guarantee that they can just bolt it over all of the existing XP installations without problems.

Has yet to decide whether to repair it? Hmmm... Ok, they're trying to decide when to. How about doing what every other browser company does and give us the patch NOW?

There are no attacks in the wild right now. Once the patch is released, people will reverse engineer it and create attacks. Out of cycle also creates headaches for enterprise because it is unplanned and they will have to test and deploy it separately.

Re:Flawed

[mcgrew]

It's so frusterating when you attempt to backup or transfer someone's documents and they're not in the documents folder.

There's an old saying, when you assume you make an ass outa u m e. Assuming someone's documents are where Microsoft says they're supposed to be is an incredibly stupid assumption. If you're backing someone's files up, ask them where they keep them.

A lot of tools (like Windows Search) also assume that's where your documents will be. XP System Restore treats almost anything outside of the documents folder as fair game and might even replace them from a snapshot when you use a restore point

Well, that's the sort of behavior that makes me dislike Microsoft products. An intelligently written, non-arrogant program wouldn't make that sort of stupid assumption and that sort of thinking is a major reason I didlike most MS software.

c:\Windows\System32\

[LikwidCirkel]

Hmm.. the most obvious predictable file names are conveniently the most dangerous for someone to have access to.

Re:c:\Windows\System32\

[hellraizer]

hijacking dns through hosts.txt has never been as easy :D

Re:c:\Windows\System32\

[eln]

The article seems to suggest (although does not explicitly state) that the hacker would be able to read the files, not overwrite them. If that's the case, I don't see why the System32 directory would be that important, unless you keep secret data embedded in your system binaries.

Re:c:\Windows\System32\

[radish]

Except as far as I can tell from the advisory, the files are read only.

Re:c:\Windows\System32\

[pipatron]

Actually, a very important distinction of the word "access" was not mentioned. This flaw only seem to give read access to the files, so you can not just modify any file you wish.

It's still a major security flaw, of course, but will be slightly more difficult to exploit. It's great for targeted phishing though. You'll be able to find out a lot about the target.

Re:c:\Windows\System32\

[hawaiian717]

C:\windows\system32\config\sam

Read-only access is all you need...

Re:c:\Windows\System32\

[Z34107]

That's why I install the Windows OS on my Z drive.

Then you're running a vulnerable operating system. For compatibility with brittle programs, Vista and 7 label whatever drive they booted from "C."

Re:c:\Windows\System32\

[WillAffleckUW]

yeah, it's not like there are stored connection strings to databases ... um ...

Re:c:\Windows\System32\

[amicusNYCL]

What's a hacker going to do with a message which says "Error opening 'C:\Windows\system32\config\SAM'."?

I'd like to see exactly what's stored in that file, but sadly I can't access it with my admin account.

Re:c:\Windows\System32\

[Sleepy]

That's not the case.

It's not like memory dumps don't ever get dumped there if you had an OS crash, and it's not like memory dumps would ever contain user data like user passwords. There's user data in there. Where does the REGISTRY get saved???

This is BAD.

Re:c:\Windows\System32\

[EvanED]

C:\windows\system32\config\sam
Read-only access is all you need...

And I'm sure that'd work real well:

C:\WINDOWS\system32>echo %USERNAME%
administrator

C:\WINDOWS\system32>c:\cygwin\bin\head config\sam /usr/bin/head: cannot open `config\\sam' for reading: Device or resource busy

C:\WINDOWS\system32>type config\sam
The process cannot access the file because it is being used by another process.

Re:c:\Windows\System32\

[Idiomatick]

symbolic links still fuck you over so that adds 0 security.

Re:c:\Windows\System32\

[petermgreen]

For compatibility with brittle programs, Vista and 7 label whatever drive they booted from "C."
No vista labels whatever drive they were installed on C and break horribly if that mapping is lost (say by sliding the partitions arround with gparted to move the freespace from one partition to the next) ;)

If you have UAC disabled things work just about well enough to launch regedit and fix the mappings. If you have UAC enabled then you'll need to boot another windows install launch regedit, load the registry from the broken install and edit it.

At least that was the situation with vista with no service packs, I haven't tried it with later vista service packs or win7.

Re:c:\Windows\System32\

[RichM]

c:\Windows\ntuser.dat

Been a while since I ran Windows but I believe that is what the Windows Registry file is called.
If you can dual boot into a modern Linux with NTFS write support and mount the Windows disk, you can change the "ntuser.dat" file for another one that you gained from illegal means.
Obviously, the registry will contain all kinds of data on your hardware so it might not work but *in theory* you can just boot into Windows, start Internet Explorer and have instant access to some rich guy's bank login.

Re:c:\Windows\System32\

[dissy]

The article seems to suggest (although does not explicitly state) that the hacker would be able to read the files, not overwrite them. If that's the case, I don't see why the System32 directory would be that important, unless you keep secret data embedded in your system binaries.

One word: Registry

Re:c:\Windows\System32\

[Culture20]

Except as far as I can tell from the advisory, the files are read only.

Including local account password files. A little brute-force comparisons, and they've got administrator. Hopefully SMB's not open.

Re:c:\Windows\System32\

[radish]

Sure, except that bank logins aren't kept in the registry (at least not by any browser I know of).

My point wasn't that this isn't a big issue, it's that specifically the act of editing the hosts file to perform DNS spoofing isn't possible as you can't edit the file, only look at it. There are still plenty of bad things you can do given read access to system files :)

CVE-2010-0255

Core Security Advisory FTW

WHY THE FUCK DO PEOPLE STILL USE IE?

This is just fucking stupid. WHY DO PEOPLE AND BUSINESSES STILL USE IE?

We KNOW it's full of holes. Not just small ones, but literally, gaping goatse-sized holes. This is a perfect example, to go along with the hundreds of other problems we know of.

There are so many alternatives today! We are living in a time of plenty when it comes to browsers. I mean, we have Opera that runs just about everywhere. We have Firefox if you want extensibility. If you prefer the feel of the old Netscape Communicator suite, there's Seamonkey. If you want a fast browsing experience, use Chrome or Safari or Konqueror.

Legacy ActiveX controls just aren't enough of an excuse these days. If you're still using that piece of shit "technology", then you need to get your network off of the public Internet. You and your network are nothing but a disaster waiting to happen.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[calmofthestorm]

I read about vulns in Firefox pretty often too. Granted, IE's tend to be stupider and MS's policy of ignoring vulns until they're shoved in their faces with an in-the-wild exploit (and then only patching once a month) is pretty awful, but it's not like other browsers are a magic bullet.

That said, i wouldn't be caught dead using IE, nor let friends or family do it.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[LikwidCirkel]

If you give people a free car with houses, that "works" enough to get to A to B, then how many people will make the effort to get a different free car if they're not aware that there is anything wrong with the first one?

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

Because none of the browsers you listed are as easily configured enterprise wide as IE is with group policies.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[gstoddart]

That said, i wouldn't be caught dead using IE, nor let friends or family do it.

I can't even begin to tell you the number of sites required by my previous employer that required IE, and there's always a couple here and there that want ActiveX or what have you.

I do 99% of my browsing in a Firefox with noscript installed and a fairly locked down policy. I have found I pretty much need to keep an IE laying about for those really stubborn sites which require it, and which I'm willing to use.

Generally, I agree with you though. I just can't seem to find it feasible to completely not have it, unfortunately. God knows, I've tried. :-P

Cheers

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[c_sd_m]

The OP's point was closer to "if Fords were free, how many people would bother to buy Hondas?"

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[sakdoctor]

You found sites that still need IE? Here in 2010?

If a site needs IE today, I don't need that particular site.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[sopssa]

If a site needs IE today, I don't need that particular site.

Good luck trying to tell that to your boss.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[sopssa]

It doesn't work like that. There are billions of sites on the internet. If your site doesn't work with them, they go somewhere else. And it would be quite stupid to ignore a browser that holds the largest market share. Sad, but true.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[sopssa]

Because none of the browsers you listed are as easily configured enterprise wide as IE is with group policies.

Exactly. This is a thing OSS developers usually miss. They develop primarily for home users or single users and have no idea how it works in work place, while MS understands a need for enterprise solutions.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[mlts]

Devil's advocate: The parent AC post stated one of the biggest reasons why IE is prevalent. The other is that IE is part of the OS. Because of this, it is already vetted by the legal eagles, the licensing bean counters, and the other muckety-mucks you find in larger companies. There is no need to get IE approved as part of an official corporate image, because it is present, like it or not. So, companies tend to use it because it is there, it has decent security on Vista and Windows 7 (especially combined with DEP), and can be controlled by GPOs.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[zonky]

There is the community edition which does have these, but i totally agree, while Chrome or Firefox don't ship a version with group policy i'll never understand.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[jimicus]

Exactly. This is a thing OSS developers usually miss. They develop primarily for home users or single users and have no idea how it works in work place, while MS understands a need for enterprise solutions.

"Understands" is a bit of a strong word. While Group Policies solve a lot of problems, PowerShell should have been developed about ten years earlier.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[cbs4385]

I work in the US Health Care Industry, principally making tools for hospitals to use a patients electronic health record. The majority of our clients are forced into using IE6 by their IT departments.
There's a reason I use my HIPPA rights to make sure my records only live on paper.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[Sancho]

Sure. But then we're probably talking about home computers. I don't ever use IE for personal work. If I have to use it for work, it's on a company computer.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[kent_eh]

The only work site I have to use that says "IE Only" works just fine in Safari.
Or FF with the IE Tab plugin (though technically that's still using IE)

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[suomynonAyletamitlU]

That analogy doesn't work. You can't pass someone using IE on the internet in your gleaming, super-fast browser, then accelerate off, leaving them in a cloud of dust. Nor do they have to park their dingy, sputtering browser in a parking lot where theirs is the ugliest car. They don't even notice that many sites had to adjust their parking lots when they could fit more cars in.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[thrawn_aj]

Only one reason as far as I'm concerned - Netflix instant viewing. Won't run in FF at all (as per their policy as well - dunno if there's a hack that can do this). So, I have IE for Netflix and FF for everything else. Actually not a bad deal as I've set IE to open Netflix logged in - that way it works just like a TV ;-) with the browsing kept to the TV guide minimum.

In fact, any ideas on getting around this would be appreciated.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[Jim_Maryland]

My employer has a web based time reporting system that is only functional in IE. I used to be able to make it work with Firefox but they've modified it to only work with IE now. If I want paid, I need to use IE for that. Some of the training courses are also IE only, but for everything else, Firefox is my default browser.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[mrclisdue]

The OP's point was closer to "if Fords were free, how many people would bother to buy Hondas?"

erm, except that, in plain text, the OP asks (emphasis mine):

how many people will make the effort to get a different free car if they're not aware that there is anything wrong with the first one?

So, I'm stumped as to how your "buy Hondas?" is closer to the OP's "different free car" than a FREE Porsche.

cheers

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[toadlife]

The effort required to download and install a third party browser is the cost.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[Blakey+Rat]

Only one reason as far as I'm concerned - Netflix instant viewing. Won't run in FF at all

It won't? What the hell have I been doing for the last 6 months?! I must be delusional.

Or, more likely, you have your Firefox tweaked all to hell and you're blaming Netflix for your own tinkering. Believe me: it works fine in Firefox.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[EvanED]

Try going to windows update without IE.

Would you people stop saying this? Windows Update hasn't used IE for years. It became a standalone app in Vista.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[toadlife]

It's not just group policy. For Firefox, the lack of an *official* .msi installer is a big hangup in the corporate arena. Windows users have been asking for an msi installer for years now and I cannot understand why the Mozilla team has chosen not to do one. Even though perfectly functional third party .msi solutions exist, lack of an official .msi package is a deal breaker for many organizations with PHBs or overly paranoid sysadmins.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[AHuxley]

Name and shame, list them and a link to their 'about' page.
Write your own "Unsafe on any network"

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[Idiomatick]

IEtab https://addons.mozilla.org/en-US/firefox/addon/1419

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[Idiomatick]

FF is free so... mcgrew's analogy is more accurate.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[Idiomatick]

IE 6 no longer holds the most market share. And late IEs are mostly standards. Or at least coding to standards won't fuck them up. The problem comes when designers code things that ONLY work in IE...

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[hairyfeet]

I agree, although I no longer give Noscript to my family and clients as its too complex. Somebody really needs to fork Noscript and put an 'easy mode' on it, with just one button that says "play video" as that always seems to be the hangup.

For those of you that want to get relatives off IE, as a PC repairman with a so far 90%+ success rate at getting folks off IE I'll let you in on my secret. Don't talk security, it just makes them think it is more complex than it is. Instead install Firefox with ABP and here is the deal maker....install ForecastFox set up to be placed on the Menubar set to their zipcode. Folks really like having the three day forecast and the radar right there at the top, makes it easy to plan for the next day, and when you tell them it will pop up a warning when weather alerts are issued for their area it just seals the deal.

I have found that since the majority of malware these days comes from infected ads that giving them ABP cuts down infections by a good 80-90% without the complications of Noscript (which non tech users I've found get frustrated and end up disabling it anyway) and by using this method I have not only had great success converting folks away from IE, they will even call me when visiting relatives to tell them how to "get rid of that blue E junk" and install Firefox. I figure the more folks we have using a better browser that autoupdates the better we ALL are, so I hope this helps others to do their part in killing the awful that is IE, especially on XP where it has zero security.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[hairyfeet]

Uhhhh...You DO know that Frontmotion offers a Group Policy Friendly Firefox, yes? That they even offer a Community Edition for Group Policy support, and a Firefox packager that lets you even bundle the extensions you desire.

One of the nice things about FOSS is if there is a need the parent company refuses to acknowledge then someone else is free to take that problem on and release their own version.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[DJRumpy]

Irrelevant for this issue, as it appears to affect all versions of IE with Win 2000, XP, and Server 2003 affected. From TFA:

"The IE vulnerability disclosed on Wednesday, which is caused by incorrectly rendering local files in the browser, affects several versions, including Internet Explorer 5.01 and IE 6 on Windows 2000; IE 6 on Windows 2000 Service Pack 4; and IE6, IE 7, and IE 8 on Windows XP and Windows Server 2003, Microsoft said."

Unless someone is running Vista, or Win 7, they are at risk.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[Idiomatick]

The thread was talking from a site designer POV. Assuming you aren't virusing your site to infect people than the issue doesn't matter. Though I suppose that makes the thread pretty off topic.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[nschubach]

Shh.... I like being able to use Firefox portable at work to get around silly restrictions!

(actually, my work has a fairly secured proxy and firewall that doesn't depend on browser based limits...)

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[lgw]

Vista? Does anyone use that? Windows 7 is still fairly new, and I haven't bothered to update my XP box to 7 as there are still problems with some games. It will be a few year before older PCs finish the migration from XP to 7, I'm afraid.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[piemcfly]

WHY DO PEOPLE AND BUSINESSES STILL USE IE?

Because many online / network services won't work outside of IE.
At one of my temp jobs I had to work with a hotel management service that only ran on MS IE (v5, no less)... I had a good laugh when IE got fuxed up by some wonderful bonzibuddy toolbar variant thingy because one of my colleagues had managed to click one too many 'yes' buttons in popup windows.
Then I had to do all the administration by hand and couldn't access the billing system and didn't laugh anymore.
Of course, the day after it was fixed, somebody had installed the google toolbar as if nothing had ever happened. /fail

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[thrawn_aj]

Alright! Jeez...way to make a federal case out of it. Do I at least get a last meal before the chair? :P Do you like ... work for Netflix or summin? ;-)

But seriously, I guess I tried a while back, got the response I talked about before from Netflix and just didn't try again after that. My bad. I will now proceed to slash my wrists for being *shudder* wrong on /.

That said, I believe I'll stick with my current setup. A completely stripped down IE is actually quite fast considering all the extensions and RSS feeds I have in FF.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[apoc.famine]

I've been lucky enough to be able to say, "Fuck IE" for the last half-dozen years or so. I did pass up some job opportunities because of it. Stupid? Perhaps. But I was in a position where I could. And it didn't burn my ass in the long run, so I guess I did ok.
 
I've sent out a bunch of emails ripping shoddy website design of places which required IE. If you can hit the right person with a "The fact that you're incapable of deploying W3C standardized code on your website makes your organization look incompetent and poorly run" it stings pretty damn well. I managed to get a couple of "You're right, but we can't because.....(insert some vendor or other-part-of-the-company excuse here). My reply was always, "I'm sorry to hear that. Unfortunately, I'm not interested in working for/doing business with a company which is that unprofessional and disorganized."
 
I actually managed to see a couple of changes after correspondence like that.
 
But like I said, I was in a damn sweet position where I could do that. I recognize that a lot of people aren't.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[kimvette]

This is just fucking stupid. WHY DO PEOPLE AND BUSINESSES STILL USE IE?

Because they're addicted to the crack that is Microsoft groupware? Granted, Microsoft Exchange still offers the best (from a user's perspective, NOT the sysadmin's) integrated email/calendaring/task/contact/public folder groupware package out there, and it's tied pretty tightly to MSIE if you want the full-feature webmail client. Sharepoint is tied even more exclusively to MSIE unless you want really crude functionality. Scalix and Zimbra have closest to closing the gap in functionality between Exchange and $OTHER_GROUPWARE but there is still a very long way to go.

Not only that, Visual Studio makes it so darn easy to crank out web apps now and Microsoft is almost willing to give away the development environment (heck, they do offer pretty full-featured IDEs for .NET now) to maintain their entrenchment.

That's not to say that Microsoft is a good solution; for uptime/reliability and scalability it falls way short. You can build load-leveling and failover clusters (I've been there/done that for enterprise-level clients) but it's far more expensive than *nix clustering solutions, requiring more complex storage designs, and it still won't match the scalability of any *nix groupware platform. However, even taking those shortcomings into account (INCLUDING the risk of a worst-case failure like a broken info store, which does happen from time to time even with proper maintenance/best practices) it's considered worth it (risk and licensing cost) given how good the end user experience is.

Until there are truly AWESOME groupware (I'm talking end user experience here, not sysadmin concerns) and IDE alternatives rise, Exchange and Visual Studio will continue to dominate, and naturally high MSIE market share will follow.

Sure, open source alternatives will work for some, but who wants to deal with CALDAV in thunderbird+lightning and the like when Exchange+outlook and Exchange+MSIE "just work" from a usability perspective?

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[mysidia]

It's more like buy a Ford, get a Brand X GPS for free (included in the Ford). The Brand X GPS keeps getting flaws discovered that allow random people with a handheld transmitter, to confuse the GPS into giving directions to their store instead of your intended destination.

Another brand, the "Brand F" GPS is 10x better, has expandability, and generally can't be confused that easily.

The "Brand F" GPS is also free, but is not included with your car, you have to navigate to the Brand F download site to get it, and then install it yourself.

Oh yeah... and generally, if you want to use the Brand F GPS, after a clean install you only have the brand X GPS, so you will need to use the brand X GPS to find your way to the "Brand F" GPS download site.

The Brand X GPS has plenty of opportunities during that trip to send you positive cues indicating the high quality of Brand X... such as presenting you with 'security options' and wizards to walk through, by the time you are finished, you will have forgotten about "Brand F".

Moreover, your computer doesn't come with any instructions about "Brand F", you have to learn about it through separate sources.

Naturally... more people are aware of Ford's existence, than "Brand F". So it could be a natural result that there are plenty of Ford users, and relatively few have swapped what they believe to be a "High quality Ford GPS" for some off-brand label like "Brand F".

Brand F might be superior, but we're specifically referring to people who are unaware of that fact, or who have insufficient experience to be convinced --- and insufficient trust to "try it" (fear it might break their computer), or lack of understanding of the procedure required to try it.

Installing software is too technical... oh, besides, corporate policy: "Don't install software. (even major free/open source products)"

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[indi0144]

PrntScrn???????

What a dumb ass web designer.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[indi0144]

mod up, informative

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[Z00L00K]

A major difference is that IE is integrated deeper with the operating system, which means that flaws in IE can go deeper and have more serious effects.

But the core problem lies in the fact that applications aren't normally started in an isolated sandbox with controlled access to the surroundings but with the access of the logged in user. So an user with full privileges will always get all apps having full privileges too, which they normally doesn't need.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[RMH101]

Case in point: MS's own Outlook Web Access requires IE for the "full" version. No tasks etc visible on the "lite" version presented when you use any other browser.

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[Bungie]

You found sites that still need IE? Here in 2010?

In the corporate environment a surprising numer of internal web based applications are dependent on IE. Fixing the software may require buying new versions and licenses, or even having to hire developers. Many departments will drag out the life of software as long as they possibly can before they have to spend money. Since the web applications are only used internally (and accessed only by their workstations), they can get away with having IT keep the older software on their images (for free).

For example, one of the companies I did contract work for just finished fixing some of their internal applications so that they no longer require the Microsoft VM to run properly. For them, it was much easier to keep the MSJVM installed on all of their workstations than to find and remove the J++ specific code in their web apps. The MSJVM has been depreciated for over a decade, but if Microsoft hadn't ended MSJVM support in June, they probably would have left it all alone.

Even worse, those kinds of applications are probably the ones you need the most!

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[Penguin+Follower]

Of course, MS does that on purpose with OWA... :(

Re:WHY THE FUCK DO PEOPLE STILL USE IE?

[Bungie]

A major difference is that IE is integrated deeper with the operating system, which means that flaws in IE can go deeper and have more serious effects

Internet Explorer is just an application and a set of libraries. They are included in the OS and reused in many places, but they cannot do more than any other user application. If iexplore.exe crashes it doesn't mean it will affect explorer.exe just because they both use mshtml.dll.

But the core problem lies in the fact that applications aren't normally started in an isolated sandbox with controlled access to the surroundings but with the access of the logged in user. So an user with full privileges will always get all apps having full privileges too, which they normally doesn't need.

Vista and newer Windows versions implement application integrity levels which run applications in a lower privilege level than the logged in user. When a user runs Internet Explorer (with Protected Mode) it actually runs under a very low integrity level which does not allow writing to user files. It is restricted to writing to special versions of folders like Cookies and Favorites, and must use broker processes to do anything that requires elevated access.

Holy Flashback, Batman?!

[__aaclcg7560]

The last time I dealt with "protected mode" on a 80286 CPU when DOS ruled the world. I had an ISA memory card that could page memory above the 1024K limit for applications or as a RAM drive.

Re:Holy Flashback, Batman?!

[Cro+Magnon]

My first thought when I saw "Protected Mode" was that anyone who is still using an 8088 deserves to get pwned.

Re:Holy Flashback, Batman?!

[maxume]

Every modern OS that runs on an x86 runs in protected mode.

But this is something else (A sandbox present in Vista and later versions of Windows).

Re:Holy Flashback, Batman?!

[Z34107]

"Protected mode" is a marketing term meaning IE takes advantage of Vista's new permissions model. It means it's a low-privilege process and has most of its file system access effectively jailed or redirected.

Long-winded article here, but I'm guessing the hack doesn't work in "Protected Mode" because the browser itself doesn't have much file system access.

my documents, downloads, photos,

[revboden]

Huh... what folder names are on almost all MS machines?.. yea that's a hard one

You mean like

[deliciousmonster]

c:\windows\system\kernel32.dll?

I'm really getting sick of this excuse

[apparently]

"The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."

Good thing no one knows to look for: "%USERPROFILE%\My Documents\Quicken\qdata.qdf"

Re:I'm really getting sick of this excuse

[should_be_linear]

or maybe registry DB. There is lot paths to various documents there...like recently used etc.

Modifying hosts.txt

[Jorl17]

Modifying hosts.txt could be one of the biggest issues with this one. And yet, it's just another flaw much like there are hundreds of others in any browser.

Re:Modifying hosts.txt

[natehoy]

Actually, the security advisory describes the attack, and while the remote attacker would have access to any file the local user does, it does not appear the file could be altered, just copied or examined. The security bulletin never lays this out in uncertain terms, but the description of the actual process looks like a read-only one.

Given that Windows usually stores important stuff in c:\Documents and Settings\(username)\blahblah, the remote attacker would have to know (username) before they could get to the juicy stuff. And that's just not all that practical in a remote attack scenario. Most of the truly known paths just don't contain a lot of common filenames that are unique and contain important data.

Still, Protected mode in Vista and above protects you, and the bulletin shows a workaround for Windows XP (set the file:// protocol so it can't run ActiveX even locally).

And there's always a better browser, which would be defined pretty much as anything without ActiveX. But that's a given.

Re:Modifying hosts.txt

[Jorl17]

You are correct and I should be shot ;) Either way, other flaws which allow this are equally dangerous.

Re:Modifying hosts.txt

[natehoy]

No, the security advisory should have put "read-only" access as one of the mitigators. I'm frankly surprised it isn't, since that's a pretty severe mitigating factor. Most of the files you'd really want a copy of (Quicken, Money, etc) are located in the harder-to-predict user folders, and the files you can find easily would only be useful if you could alter them.

They strongly imply that the attacker has the same level of access to the files that the local user does, which when you read the actual attack methodology just ain't so.

The attacker only has access to files that the local user has access to (this is not an access escalation attack), but the actual method used to get the file looks like it couldn't be used to put anything back.

Still and all, there is a workaround for XP users that I'd strongly suggest looking at, and Vista and Seven users should be running in Protected Mode.

Re:Modifying hosts.txt

[ZachPruckowski]

Actually, this news story suggests that you have to have certain HTML/JS files planted in the user's shared folder for the flaw to work. So it's even less dangerous than implied (not that you shouldn't worry about it).

Re:Modifying hosts.txt

[natehoy]

http://www.microsoft.com/technet/security/advisory/980088.mspx

When in doubt, go to the source. Microsoft has a pretty decent write-up on this one. I don't know who taranfx.com is, but the only accurate bits of information in their article are what they cut-and-pasted from the Microsoft site. The rest is, umm, "fanciful". Sorry, I gotta call 'em like I see 'em.

Oh, one other useful bit from their stie... that everyone should stop using IE. Now.

I'd also add to only run a browser that has something like NoScript available. Javascript is just chock full of vulnerabilities of its own. Any time you allow strangers to run code on your computer, you are just asking for trouble.

But by now that goes without saying, and I've already said it until I'm blue in the face, and I've given up. Don Quixote is cut out for that sort of thing, I'm not.

If you use IE in Vista or Seven, turn protected mode on. If you use IE on XP, load the file:// protocol fix outlined at Microsoft's site. Hopefully Microsoft will come out with a fix soon. Load it. Immediately.

This may not be a serious vulnerability, but the vector will surely be used for more serious ones real soon as the black hatted assholes figure out how to read your file index and get a list of files to choose from.

WinNix

[zerointeger]

NEW IMPROVED SECURITY IN WINDOWS VERSION 99999!!! *Slipped in a BSD *nix based OS under our fancy gui*

Only under certain circumstances.

[140Mandak262Jamuna]

There is nothing to see here folks, move on. The bug kicks in only under certain circumstances. The circumstances are apparently running a Windows system with Internet Explorer as the default browser. Come on, how many slashdotters do that?

Re:Only under certain circumstances.

[mcgrew]

The circumstances are apparently running a Windows system with Internet Explorer as the default browser. Come on, how many slashdotters do that?

I'd say close to 100% of the people who work for Microsoft, all of whom I'd guess are on slashdot.

Re:Only under certain circumstances.

[natehoy]

Right, but they are all running Windows 7.

My company runs XP, and provides IE6 by default. So did my last two companies. Not that I use IE for anything but the Intranet, but most people still use it for all their browsing needs.

Re:Only under certain circumstances.

[deadhammer]

The circumstances are apparently running a Windows system with Internet Explorer as the default browser. Come on, how many slashdotters do that?

How many slashdotters' parents do that? I'd say a good deal many of them.

This affects more than just you. Or maybe it does affect you: what's your setup at work like?

Re:Only under certain circumstances.

[SpaceLifeForm]

Well, that would explain why it takes Microsoft so long to fix these flaws.

Re:Only under certain circumstances.

[farlukar]

There is nothing to see here folks, move on. The bug kicks in only under certain circumstances. The circumstances are apparently running a Windows system with Internet Explorer as the default browser. Come on, how many slashdotters do that?

All the slackers browsing the intarwebs from work?

Windows.edb = windows search index

[electrogeist]

If they grab the windows search index file then they'd have a map to everything else?

get \ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb (vista)
or \All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb (xp)

and http://www.simplecarver.com/tool.php?toolname=Windows Search Index Extractor

Re:Windows.edb = windows search index

[Gadget_Guy]

If they grab the windows search index file then they'd have a map to everything else?

Which is why they lock down the security on those files so that you can't access them. On Windows 7 I can't see anything below \ProgramData\Microsoft\Search\Data. I don't have search on XP to see the permissions there. I would imagine that even if you have permissions to see the files, they would be open in exclusive mode by the search service.

My filenames:

[stimpleton]

Hi have tourettes. This manifests in two situations, when ordering at a drive-thru and, oddly, when coming up with a file name. I think I am safe from this attack: whoreShitSlittySlutFuckCrevice.rtf

Re:My filenames:

[dtolman]

Uh oh - I have the exact same filename. Best to change them to some really unguessable (and horrific) file names: MyLittlePonyRules.rtf IHeartStrawberryShortcake.xls MadeleineAlbrightNaked.jpeg

Note to self: buy iPad soonest

[WillAffleckUW]

Hmmm. Looks like I might have to buy an iPad sooner than I was expecting.

Re:Note to self: buy iPad soonest

[ColdWetDog]

That time of ....

Sorry, never mind.

Firefox Mode

[markalot]

I run IE in Firefox mode, so I think I'm protected. ;)

In other news

[Com2Kid]

If you purposefully disable security features, you become more vulnerable to security exploits!

Duh.

Question

[ShooterNeo]

Couldn't you access some kind of index file that would allow you to find everything else? Or are those files too low level for it to be accessed this way?

Re:Question

[electrogeist]

That's what I was thinking...
http://tech.slashdot.org/comments.pl?sid=1537550&cid=31026330

Known file names?

[WoodenTable]

Hmmm. Does that mean I should rename the passwords.txt file I have on my desktop? Maybe something like kittens.txt? That sounds more secure to me. What do you think?

financial information vulnerable

[commodoresloat]

That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.

Oh shit ... hackers can find out how broke I really am!!

Hmm, how about the document search index?

[Jason+Pollock]

Because there isn't an easily found, well known file that is a handy index of all of the files on your system:

\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

http://en.wikipedia.org/wiki/Windows_Search

Re:Hmm, how about the document search index?

[Hurricane78]

Wouldn’t that file be pretty huge? (No Idea. No Windows here.)
Also: There is no C:\ProgramData. (At least in XP.) Did you mean $HOME\Application Data, or C:\Programs?
Or is that a Vista thing?

Re:Hmm, how about the document search index?

[StikyPad]

If you already know what files to look for in the index, then you know what files to look for without the index.

If you *don't* know what files to look for, but instead want to peruse the list manually, then this is a poor choice of attack vectors since it requires the user to revisit your site at some point in the future.

Re:Hmm, how about the document search index?

[Dysproxia]

On Windows 7 the c:\ProgramData path exists. On my system the file is over 200 MB, you can't enter the Data folder without UAC asking for confirmation, and the file is in use so it can't even be opened (usually).

You mean like...

[Sfing_ter]

You mean like...
C:\users\%username%\AppData\Local\Microsoft\Outlook\outlook.pst?
hmmm...??? like that?

I can see it coming....

[Asadullah+Ahmad]

If things keep going like this regarding Microsoft and clever words, pretty soon this will be on Slashdot:

"Microsoft has announced that it is investigating a vulnerability in IE where an attacker can gain access to customer's computer if they are connected to Internet. But as all versions of Windows do not have internet access by default, most users are not vulnerable"

.

Understanding Protected Mode

[Bacon+Bits]

Protected Mode is the "sandbox" feature present in IE7 and IE8. It uses UAC that's in both Vista and 7 to run in an even more limited fashion, but not in XP. If you've got UAC disabled, you're not running Protected Mode and you're vulnerable. There are other ways which Protected Mode can be disabled.

It's best to check out the blog entry on the MSRC and the Knowledge Base article.

We now return to your regularly scheduled Microsoft bashing and Linux referrals already in progress.

Or...

[Dorkmaster+Flek]

How about the system doesn't allow the fecking web browser to read your personal files? The purpose of My Documents is to have an easy space to store everything and keep it organized. How is the solution to this ridiculous bug to not utilize such a useful feature?

Re:Or...

[mcgrew]

How about the system doesn't allow the fecking web browser to read your personal files?

Come on, man, it's Microsoft we're talking about!

Re:Or...

[EvanED]

How about the system doesn't allow the fecking web browser to read your personal files?

That's somewhat what protected mode does.

Pesky NTOSKRNL.EXE

[fibrewire]

Nobody knows where i keep THIS file.

Seriously?

[pclminion]

So you turn off something called "Protected Mode" and you're surprised that this may cause problems?

Re:The dreaded passwords.txt

[MichaelSmith]

Even doing something like your name / word + some unique number + some random color is enough for a decent password. (caps on one side of the number)

Oh come on. That will never work for my mother. She is lucky if she can avoid losing the slip of paper her password is written on, even if the password is her birthday.

Another reason...

[hesaigo999ca]

Another reason...why not to use IE, ....EVER!

Re:Another reason...

[RichM]

Given their security record over the past week and several internal insights (see comments) into how their company operates, you would have to be happy to part with all your private information to run Windows these days.

Steel files?

[syntheticmemory]

So that's what happened to my 8" bastard mill file.

slackware

[malignant_minded]

slackware does

What kind of access?

[Gri3v3r]

If it is possible to modify others' files through this flaw, what keeps someone from injecting code into an executable and change a highly-used shortcut? The curse of the large userbase...

Hmmm

[the+eric+conspiracy]

IE gives attackers access to files stored on a PC

This is news?

NoScript isn't really "complex"

[mister_playboy]

If they are savvy enough to disable the NoScript add-on, they are savvy enough to pick Allow this website when a video won't play. It's hardly "complex". Annoying? sure... but getting infected with something is a whole lot more annoying.

You give up a bit of convenience for safety, there's simply no way around it.

Re:NoScript isn't really "complex"

[hairyfeet]

The problem is they call me to tell them how to disable it, after spending 20 minutes getting frustrated because they have no idea which of those dozen scripts is the right one. Now surely it can't be that hard to scan the page, look for the *.flv or *.mp4 and give the user an easy "play video" button, followed by an "advanced button" sitting beside it if there are scripts besides the video?

Sadly I am not a coder but what I am thinking of would NOT lower security, nor take away features from the user, simply give the less advanced user a less advanced option to make their usage a little easier. The geeks would simply have to press a single button in options to keep the advanced (read regular) menu, while the less tech savvy would have a single button that says "play video" and a single button that says "advanced" where it would pop up the regular menu when pressed. Because I have seen pages with video where the Noscript list of blocked items nearly extends off the page, and having to click those one at a time until you trip over the right one is frustrating. I just think it needs to be a little easier for the average Joe to use, that's all.

System files out in the open

[Cyberwasteland]

"The vulnerability requires that an attacker knows the name of the file they want to access, according to the company." Fat lot of good that does, all the files that are important to your *system* are all named the same on any Win computer, they could do some serious damage that way. Not to mention they could use those files to easily find every file on your computer due to indexing.

Re:System files out in the open

[Squeakstar]

would having a bitlocker encrypted drive make a bit of difference to this flaw?

Sites that require IE? Name and shame them!!

[Zaiff+Urgulbunger]

I can't even begin to tell you the number of sites required by my previous employer that required IE, and there's always a couple here and there that want ActiveX or what have you.

It's 2010. Can you list the sites here, and I'm sure someone will "evangelise" them into updating! :D Seriously though - please do list them!

HIPAA

[justthinkit]

There's a reason I use my HIPPA rights to make sure my records only live on paper.

That would be your HIPAA rights.