Slashdot Mirror
New IE Zero Day
RebootKid writes "Microsoft has released a notice about
a new zero day attack against Internet Explorer. Guess it's going to be more a 'Script Kiddie Christmas,' less of a 'White Christmas.' 'Ok, fess up — who asked for an IE 0 day for Christmas? I'm guessing Santa got his lumps of coal mixed up with a bag of exploits. This exploit has been discussed over the last day or so on full disclosure and a number of other sites. Metasploit already has a module available for it (just search for CSS & IE). Microsoft has put out an advisory 2488013 regarding the issue which manifests itself when a specially crafted web page is used and could result in remote code execution on the client.'"
If you felt the story was newsworthy, I have no doubt that it was submitted in a form that was better than this one, or that you could have re-wrote it.
Well the (+1 score) is that they have called for using the “The Enhanced Mitigation Experience Toolkit” (EMET) tool to mitigate the problem. The bigger question is why is EMET not a part of the OS proper? If the EMET tool is capable of solving this problem then why the &83$$@# didn't they force an install of EMET to solve all the Adobe issues? Why are they NOT stepping forward to fix all the third party application security issues?
What security features can you add with EMET?
Dynamic Data Execution Prevention (DEP)
Structure Exception Handler Overwrite Protection (SEHOP)
Heap Spray Allocation
Null Page Allocation
Export Address Table Access Filtering
Mandatory Address Space Layout Randomization (ASLR)
Now I have several questions, like why is this not part of the OS? Why is it not a default where these can be turned off on a case by case basis? Have untrusted browser plugins? And why isn't Flash/acrobat/shockwave forced to run under it? Admittedly Acrobat-X (sandboxed version of Acrobat) is a step in the right direction, but wouldn't it be better to have all applications turned on by default?
The Enhanced Mitigation Experience Toolkit 2.0 is Now Available
http://tinyurl.com/28znulg
And this is noteworthy why?
Because a significant number of people on Slashdot are security geeks and enjoy learning about exploits, or are sysadmins that manage at least some machines where the users can get to IE.
And this is noteworthy why? How many Slashdotters use Internet Explorer for anything other than the occasional WindowsUpdate in XP? This may be News for Nerds, but it hardly matters. Everyone here knows very well that Internet Explorer is too dangerous for general Web use. That Microsoft is suffering yet another security failure doesn't really elicit much interest from me, I must say.
Firstly, a serious security vulnerability in a popular (for whatever reason) software tool is always noteworthy, if just for the fact that it's interesting. Secondly, the overall state of IE is large enough to affect everyone in some way or another. And finally, numerous people here administer systems or have friends and family that may run or require Internet Explorer, and such a bulletin could certainly prove useful to them to prevent this attack from damaging those they (are paid to) care about.
It irks me that there are better options than Explorer readily available, but so many people just don't care enough about their own security and privacy to avail themselves of those options. It's not like paying through the nose for an anti-virus product: these things are free to use! I feel less and less sorry for Explorer users every day, having heard all the excuses ("it doesn't look like Explorer, my favorite free-malware-site doesn't like it, it's too hard to install, I'm too stupid to use a computer, and so on ad infinitum.) It's not as if the likes of Firefox, Chrome and Opera are hard to find, or aren't in the public's eye nowadays. Hell, a few months ago a major U.S. bank issued a warning recommending that its customers eschew Explorer in favor of anything else and further recommended that any online banking be done in anything but Windows (preferably Linux/Unix.) Of course, the month after that they made another public statement to the effect that they would only support Internet Explorer (note: they didn't follow through on that threat. I got the distinct impression that it was a "left hand doesn't know what the right hand is doing" situation.)
I've met smart people who think that Internet Explorer is the Internet. They don't know or care what a browser is. Technology, Internet included, is just another tool, and it needs to work correctly. To tell someone like this to get another browser is not feasible; without a long explanation, they will never like the idea of switching from something that is (or appears to be) working to something different.
Approaching someone and taking the time to explain the situation and answer their questions is the only way to make a transition sit comfortably with them. Unfortunately, people "in-the-know" don't have the time or desire to address the remaining population. The best effort I've seen to address the non-technical public is Google's "get a faster browser" button on their home page, and even then I've heard those who say "well, mine is fast enough". Someone has to explain things and answer their questions.
I've encountered pretty popular attitude that viruses only exist on shady websites (e.g., gambling, and porn) and that caring about or addressing security is not only unnecessary, but also an admission of one's intention to visit such sites. Once again, the only way to break past this is to take the time to sit down, explain things, and answer questions.
Short of prosthelytizing nerd squads going door-to-door, there's not much that can be done. Microsoft got themselves into this biased market mess by aggressively pushing IE and locking out other browsers, and they are wholly responsible for keeping their shit together. Maybe someone should sue them for damages.
Also, keep in mind that serious flaws have been found in Firefox, Safari, and Chrome. IE, like Windows, is targeted more heavily than other browsers due to its market share. If IE is ditched en masse, I would bet money on the number of flaws in other browsers growing significantly higher. This doesn't absolve Microsoft (see previous paragraph), but it does suggest that the problem is larger than IE and attitude.
Microsoft has released a notice about a new zero day attack against Internet Explorer.
And this is noteworthy why? How many Slashdotters use Internet Explorer for anything other than the occasional WindowsUpdate in XP? This may be News for Nerds, but it hardly matters. Everyone here knows very well that Internet Explorer is too dangerous for general Web use. That Microsoft is suffering yet another security failure doesn't really elicit much interest from me, I must say.
Weeellllll, that's the stereotype, sure, but the on-the-ground reality paints a different picture.
Surely you've noticed that Firefox 3.6 is up to its 13th point release since January,and #14 is just around the corner. The first Secunia security advisory for this browser was issued within weeks of its initial release, and there now have been 11 in total, covering 85 separate vulnerabilities in Firefox 3.6. Look at SA42517 for an example, which was published two weeks ago. In that one advistory alone, 13 different security bugs are addressed, covering a wide variety of attack vectors like large Javascript arrays and large parameters to document.write(). And when you look at the fixes made in source control to patch these bugs, you sometimes scratch your head and wonder, how the fuck did they miss that when coding it?
But the problem with Firefox is worse than that. On Windows and Mac OS X, users are prompted over and over again to install these point updates. It requires elevation to Administrator privileges, and it requires restarting the browser. I see people routinely ignoring these updates because it'd interrupt what they're doing..... and the web server logs I have access to are a mishmash of Firefox browser versions.
This is a browser with 25% of the worldwide marketshare -- more than any version of Internet Explorer save for version 8.
So.... how about Google Chrome, you say? Their patching setup is far superior (that's why I use it), but it's not like the browser is any better-written. Just this month there have already been eighteen disclosed security vulnerabilities. And that's only slightly worse than average for a month in Chrome land. There are actually a number of Google Chrome bugs which are marked as only affecting the Linux version, too. Look at CVE-2010-4041 for an example of what I mean.
What I'm trying to say here is this -- Internet Explorer's security profile isn't significantly different than the other major vendors. They all have poorly-coded browsers that focused on packing the features in, without taking due consideration to the safety of the code they're writing. If you want to single out Microsoft for criticism, let's talk about the fact that they take so long to get these fixes out, and that reboots are often required to get the patches in place. That's where Firefox and especially Chrome are ahead.
And you're still a troll. And if you think that simply running Linux automagically protects you from any threat of malware, you're also an idiot.
The quality of discussion on this site is taking a nosedive lately. I think phony "debate" talkshows and the demagoguing occurring in politics does a lot of damage by repeatedly presenting invalid processes as though they were legitimate or useful. I'll spell it out right now, the dishonest tactics used on shows like that and commercials like that are designed for one purpose: so the host or politician can "win" and "be right" no matter how right or wrong he/she actually is. It's rhetoric, not debate.
I'll give a rough outline of how this most often plays out on Slashdot. My goal is to demonstrate how petty and useless it really is:
It boils down to what kind of man or woman you are. To some people, the truth is more important than winning and any winning that does happen is not legitimate if it is not rooted in truth. To many people, winning is more important than the truth and lying, distorting, misrepresenting, are all acceptable as long as you win and the other guy loses. The latter group will never know what it means to say "you know, that's a really good point, it made me think about this differently, you changed my mind about this -- thank you!" for that would mean losing face, or so they imagine.
What does this have to do with the subject at hand? I'll explain. For every 500 times I've seen someone say "if you think Linux automagically protects you from malware", I think I've seen maybe 1 time that anyone actually made that claim. This strawman has been beaten so severely it's reverted back to a small pile of hay. It's time to let it go, no matter how otherwise trollish somebody else has decided to be (and he was -- I don't dispute that, but this BS compounds that problem).
The GP said two things. He said he has run Debian and/or Ubuntu for the last 10 years. That's not absurd or beyond the realm of possibility. So ok, I believe him. He also says he has experienced no malware during those 10 years. That's strictly a matter of his competence as a Linux admin, skilled admins exist, and it doesn't take a particularly high level of skill to achieve that. So that's not absurd or infeasible either. Ok, I believe him on that one too.
Now hear this: he did not claim that Linux automagically did anything. I realize some people have said that -- if you want to do something about it, locate and deal with those people. What you're doing is assuming he must be just like them because he wears the same kind of tie. Until and unless he makes the same claims, he is not just like them. If he trolled a little, you said "oh yeah, watch THIS" and showed him how it's done.
It is a miracle that curiosity survives formal education. - Einstein
Windows 98 was fourteen times the operating system that Windows 7 is.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC