New IE Zero Day

RebootKid writes "Microsoft has released a notice about a new zero day attack against Internet Explorer. Guess it's going to be more a 'Script Kiddie Christmas,' less of a 'White Christmas.' 'Ok, fess up — who asked for an IE 0 day for Christmas? I'm guessing Santa got his lumps of coal mixed up with a bag of exploits. This exploit has been discussed over the last day or so on full disclosure and a number of other sites. Metasploit already has a module available for it (just search for CSS & IE). Microsoft has put out an advisory 2488013 regarding the issue which manifests itself when a specially crafted web page is used and could result in remote code execution on the client.'"

net zero; +1 MS -1 for MS

[hAckz0r]

Microsoft blundered again. No big supprise. They left off the /DYNAMICBASE randomization switch when compiling mscorie.dll. Dumb, Oversight, or is it on purpose? (-1 score)

Well the (+1 score) is that they have called for using the “The Enhanced Mitigation Experience Toolkit” (EMET) tool to mitigate the problem. The bigger question is why is EMET not a part of the OS proper? If the EMET tool is capable of solving this problem then why the &83$$@# didn't they force an install of EMET to solve all the Adobe issues? Why are they NOT stepping forward to fix all the third party application security issues?

What security features can you add with EMET?

Dynamic Data Execution Prevention (DEP)
Structure Exception Handler Overwrite Protection (SEHOP)
Heap Spray Allocation
Null Page Allocation
Export Address Table Access Filtering
Mandatory Address Space Layout Randomization (ASLR)

Now I have several questions, like why is this not part of the OS? Why is it not a default where these can be turned off on a case by case basis? Have untrusted browser plugins? And why isn't Flash/acrobat/shockwave forced to run under it? Admittedly Acrobat-X (sandboxed version of Acrobat) is a step in the right direction, but wouldn't it be better to have all applications turned on by default?

The Enhanced Mitigation Experience Toolkit 2.0 is Now Available
http://tinyurl.com/28znulg

Re:net zero; +1 MS -1 for MS

[phantomcircuit]

DEP and ASLR both cause problems with lots of poorly written software, which is why they're only enabled for executables that specifically flag themselves as working with DEP/ALSR.

Re:Merry Xmas

[causality]

And you're still a troll. And if you think that simply running Linux automagically protects you from any threat of malware, you're also an idiot.

The quality of discussion on this site is taking a nosedive lately. I think phony "debate" talkshows and the demagoguing occurring in politics does a lot of damage by repeatedly presenting invalid processes as though they were legitimate or useful. I'll spell it out right now, the dishonest tactics used on shows like that and commercials like that are designed for one purpose: so the host or politician can "win" and "be right" no matter how right or wrong he/she actually is. It's rhetoric, not debate.

I'll give a rough outline of how this most often plays out on Slashdot. My goal is to demonstrate how petty and useless it really is:

1. Read a statement made by another poster.
2. Decide whether you like or don't like that statement.
3. Assume that anything you don't like must be factually incorrect.
4. (Optional) Demonize people who say things you don't like by never admitting when they make a valid point. That would be like helping the enemy since you're either with us or against us! That's much more precious than honest debate, right?
5. Do not deal with the poster as an individual. Instead, pigeonhole them:
6. • Decide what group (real or imagined) the poster vaguely sounds like.
   • Ascribe all attributes of that group to the poster.
   • Fail to notice that the poster actually made no such claims; instead, put words in their mouth.
7. Proceed to tear down the straw man you have just set up.
8. (Optional) call the poster names, use invective, use ad-hominems.
9. (Mandatory) forget that you just tore down a strawman that you set up, so your "victory" feels genuine and earned.

It boils down to what kind of man or woman you are. To some people, the truth is more important than winning and any winning that does happen is not legitimate if it is not rooted in truth. To many people, winning is more important than the truth and lying, distorting, misrepresenting, are all acceptable as long as you win and the other guy loses. The latter group will never know what it means to say "you know, that's a really good point, it made me think about this differently, you changed my mind about this -- thank you!" for that would mean losing face, or so they imagine.

What does this have to do with the subject at hand? I'll explain. For every 500 times I've seen someone say "if you think Linux automagically protects you from malware", I think I've seen maybe 1 time that anyone actually made that claim. This strawman has been beaten so severely it's reverted back to a small pile of hay. It's time to let it go, no matter how otherwise trollish somebody else has decided to be (and he was -- I don't dispute that, but this BS compounds that problem).

The GP said two things. He said he has run Debian and/or Ubuntu for the last 10 years. That's not absurd or beyond the realm of possibility. So ok, I believe him. He also says he has experienced no malware during those 10 years. That's strictly a matter of his competence as a Linux admin, skilled admins exist, and it doesn't take a particularly high level of skill to achieve that. So that's not absurd or infeasible either. Ok, I believe him on that one too.

Now hear this: he did not claim that Linux automagically did anything. I realize some people have said that -- if you want to do something about it, locate and deal with those people. What you're doing is assuming he must be just like them because he wears the same kind of tie. Until and unless he makes the same claims, he is not just like them. If he trolled a little, you said "oh yeah, watch THIS" and showed him how it's done.