IE Vulnerability Exposing Banking Logins, Spreading Rapidly
jfruh writes "A vulnerability in Internet Explorer 9 and 10 that allows attackers to target banking login info, first reported on February 13, is being exploited in the wild, and attacks are spreading rapidly. Sites compromised by the malware run the gamut from U.S. Veterans of Foreign Wars site, to a site frequented by French military contractors, to a Japanese dating site. Microsoft has released a 'fix-it tool' but not a regular patch."
I'm immune!!!!
CEOs have ignored security researchers since the start of the modern internet, because CEOs only want "Results now!"
The compromised site is being used to host/inject the exploit. The vulnerability that is being exploited is in IE 9 & 10, and allows code execution. It is being used to get the credentials for other--non-compromised--websites.
Mod points: Guaranteed to remove your sense of humor.
Side effects may include gullibility and temporary retardation
Well, for one thing, the anti-MS slant has been tapering off here for years; they're no longer seen as "Big Evil", but more of a "McComputer" sort of thing.
For another thing, most /. readers may like the OSS movement, but they primarily work in Windows, have friends who use Windows, have family who use Windows, and are often the ones who provide tech support to those friends/family/co-workers. Knowledge of these vulnerabilities does more good for more people than knowledge of the latest bugs in Epiphany.
It's the one most banking and investment houses use and develop their sites to work with. So there's that.
Prisencolinensinainciusol. Ol Rait!
Any compromised website can take over the browser. So a malware ad hosted on Youtube or ./ can infect the browser, and the attacker can then snoop on future activity – e.g. on banking sites.
And this is exactly why I always run an ad blocker.
Given the current mess that is web advertising, it would be foolish to do otherwise.
Of course Secunia will count this as "one bug", after Microsoft agrees it is a bug. On the other hand, it will look at the bugzilla of Firefox, and every bug report by everyone will be counted towards the total bug count on Firefox. Microsoft will continue to insist its browser has fewer bugs than Firefox. Gartner will issue a TCO report based on these numbers. And everyone will be scratching their head, why IE market share continues to fall when all these numbers say IE is the safest browser in the world.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
People still use IE?
Yes. Many non-IT companies require their users to use only IE, due to *security concerns* (the security concerns being that everybody should use the default browser provided with the OS, and not a random one of choice). This is usually the case where the CIO/IT management has been holding that same position for a relatively long time, signing that same yearly contract with Microsoft for OS+Office. In short, keeping the same IT environment is the recipe for ensuring there is no change on the IT management side either.
Slashdot, fix the reply notifications... You won't get away with it...
Clearly the wild pointer read error is in IE, not in the server. They need to hack the server to post the exploit code on their server. But they could also create the same vulnerability in a site owned by them. No need to hack. But it is more difficult to lure visitors to the newly created malware site. That is why they need to hack a well-visited site to upload the hack. But all visitors to that site using Chrome and Firefox and other versions of IE are not affected. Fault lies solely on these versions of IE.
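The comments above describe the delivery chain: a legitimate, well-visited site is compromised and made to serve the exploit to its visitors, while the browser bug itself is what steals credentials for unrelated sites. From the site operator's side, one cheap detection is to compare the active content a served page references (external scripts, iframes, objects) against a known baseline, since injected drive-by loaders typically appear as an off-site or hidden iframe. The following is an added example written for this discussion; it is not code from the thread, from Microsoft, or from any of the compromised sites. The allowlisted hosts and the sample HTML (including the injected hidden iframe) are constructed for illustration.

```python
"""Flag script/iframe/object references that are not on a site's known baseline.

Added example: ALLOWED_HOSTS and SAMPLE_PAGE are constructed, not real data.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed baseline: hosts this (fictional) site legitimately loads active content from.
ALLOWED_HOSTS = {"www.example.org", "static.example.org"}

# Constructed page: two legitimate scripts, one inline script, and an injected
# zero-size, display:none iframe pointing at an off-site host (RFC 2606 name).
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://static.example.org/lib.js"></script>
</head><body>
<p>Members area</p>
<iframe src="//drive-by.example/ad.html" width="0" height="0" style="display:none"></iframe>
<script>window.__t = 1;</script>
</body></html>"""


def _looks_hidden(attrs):
    """True if an element is sized or styled so a visitor would never see it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = {"0", "0px", "1", "1px"}
    return (attrs.get("width") in tiny or attrs.get("height") in tiny
            or "display:none" in style or "visibility:hidden" in style)


class ActiveContentParser(HTMLParser):
    """Collects every external active-content reference and counts inline scripts."""

    def __init__(self):
        super().__init__()
        self.references = []      # dicts: tag, src, hidden
        self.inline_scripts = 0   # a change in this count is itself a baseline signal

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe", "object", "embed"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data")   # <object data=...> also loads content
        if src:
            self.references.append({
                "tag": tag,
                "src": src,
                "hidden": tag == "iframe" and _looks_hidden(a),
            })
        elif tag == "script":
            self.inline_scripts += 1


def find_unexpected(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (off-baseline references, inline script count) for one HTML document."""
    parser = ActiveContentParser()
    parser.feed(html)
    parser.close()
    findings = []
    for ref in parser.references:
        # urlparse handles absolute and protocol-relative (//host/...) URLs alike;
        # hostname is None for same-origin relative paths such as /js/site.js.
        host = urlparse(ref["src"]).hostname
        if host is None:
            continue
        if host.lower() not in allowed_hosts:
            findings.append(ref)
    return findings, parser.inline_scripts


if __name__ == "__main__":
    findings, inline = find_unexpected(SAMPLE_PAGE)
    for f in findings:
        flag = " (hidden)" if f["hidden"] else ""
        print(f"off-baseline {f['tag']}: {f['src']}{flag}")
    print(f"inline scripts: {inline}")
```

Run it against each page of a crawl of your own site and diff the output against the previous run; a new off-site host, or a hidden iframe where there was none, is the kind of change that precedes the "site compromised, visitors exploited" reports in the summary. The allowlist approach only catches references to hosts you did not expect, so pair it with a hash of the inline script bodies if you want to notice tampering of scripts served from your own origin.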
And this is why I browse using Lynx. Forget the damn script blocker as blocking all active content is how you do it. I don't need a hosts file as I literally don't see ads.
Netflix kinda sucks though. Kevin Spacey just isn't the same when rendered in ASCII.
So how do you really trust them?
However, Chrome is getting many patches recently between versions due to flaws in Blink and Flash. So the idea of blaming IE as still sucking is disingenuous.
The point is always upgrade your browser and OS in addition to running adblock/flashblock, or if you are a corp banning flash and java altogether. The port of adblock for IE is here.
Many IT professionals who whine about leaving XP and IE 8 behind should be FIRED. The IE 11 sandbox is fine for this. If you run Windows 7 or later, both IE 9+ and Chrome have a low-rights mode which restricts everything, including writing to the disk, with the narrow exception of %appdata%.
These days most of the infections I see come from Firefox and plugins. Firefox has no low-rights mode, and if anyone reading this is using XP, you neglect sandboxing on all browsers and expose yourself.
http://saveie6.com/
I hated Microsoft pretty hard. Now... McComputer sounds about right. Good Call!
I mostly use Windows at work (because that's what my work uses) and just about entirely Linux at home (that's what I choose). This hasn't changed.
I don't think I have changed. Microsoft has changed and so has the market. I just don't see Windows computers crashing like they used to. Quality has improved. Perhaps this was in part due to the threat of competition from OSS? Note that I said threat of, not actual competition. We all know Linux didn't take off on the desktop, but there certainly was enough hype about the possibility!
Also, you can actually do something in Windows without having a corporate-sized budget. Want to be an amateur programmer? It used to be all Windows had was a BASIC interpreter. To get an actual compiler (any language) was 100s of dollars. Apparently you had to pay for the privilege of creating software for Windows. Even though more software existing for Windows just makes Windows more desirable... explain that one. Now Microsoft releases free versions of their development environments which are cut down enough to give companies a reason to buy the real thing, but not so much as to prevent one from compiling a useful application.
Besides what Microsoft offers, now there is all sorts of free OSS available for Windows. You can develop for Windows in gcc! Can't afford Photoshop? Gimp runs on Windows now. How about web serving? Microsoft used to charge big bucks for different levels of licensing on their web server. They limited how many people could connect at a time. I thought that was a very asinine money grab. It's not like Microsoft programmers put in more hours every time your server serves 100 copies of your web page vs 5! Do they still do that? I don't know. Who cares?!? I can always run Apache on Windows or any one of a million other free programs.
In the early days Microsoft plus IBM were the PC. The PC was awesome for hackers, makers and all kinds of geeks. Before that everything was pretty much proprietary. Now you could mix and match hardware pieces as you please. Also, I could run the same program on my Tandy as my friend ran on his Dell even though it was written on a computer made by IBM!
Later Microsoft became evil in part because the kind of compatibility the PC gave us was expected. We didn't need Microsoft to help us get that anymore. But.. Microsoft was pushing things the other way, embracing standards just to change them a bit once they had market share, so that people would be locked in to using their product.
Now.. Microsoft is losing that monopoly power. They can't do as much damage as before. But.. mobile devices are the big thing, not Desktops. And with our phones and tablets we are back to the bad old pre-pc days where everything is proprietary. I'm not saying that Microsoft is doing anything to try to change this but at least they aren't the driving force behind it. That title is shared by Apple and the cellphone carriers.
So.. Microsoft is a de-fanged wannabe villain who occasionally does nice things. Apple and the Telecoms, they are where the real evil lives today.
... we would stop loading up web browsers with "features" that only help content providers shove ever more ads and video down our gullets.
Our default browser is IE, and it's not because I have any love for Microsoft, or for spending extortionate amounts of my IT budget on Microsoft licensing. I personally use Firefox on a day-to-day basis, but the official "supported" browser in the company is still IE, simply because it's easily configurable within the domain's group policy and most widely supported when it comes to corporate browser applications.
I know what you're getting at, and I'd have to disagree. Most companies are forced to be a Microsoft shop simply for compatibility reasons. The software my users depend on daily to do their jobs is Windows only... and there's nothing I can do about this.
Accounting needs Word and Excel. In fact, they "need" 2010 or they all need to be on the same versions. If I have even one of them on a different version they will complain about compatibility issues.
Geology needs a plethora of Windows-only client/server software first written in the early 2000s and sparingly updated. This is specialized stuff.. you can't just get it off the shelf anywhere. This requires Windows desktops and Windows servers.
I could go department by department, but I think you get the point. Once you require Windows on the desktop for end-user software, it makes the most sense to have a Microsoft domain and Exchange Server, because they all play nicely together. Exchange is especially nice since every member of my staff took some business course in community college and is comfortable with Outlook. We did a test run of Google Apps using the Outlook plugin, but it wasn't nearly as intuitive or feature-rich as an Exchange environment, especially when it comes to calendars, room booking, scheduling, and tasks.
So at the end of the day, when everything else is Microsoft, it makes the most sense to use IE, because it plays nicely with all of the above. I probably could struggle with getting everything to work on Firefox, and deploying policies through the registry or batch scripts, but in my experience it's just not worth the hassle. You're not busy enough, or responsible for enough, if you haven't yet learned to leave your ideals at the door and just use what works.
If it ain't broke, don't fix it.
Well, you might not have a choice depending on your OS version...
XP, 2003 - max is IE8 (not affected)
Vista, 2008 - max is IE9 (affected, presumably most used version)
7, 2008R2 - currently at IE11, but many users still using IE10 (affected) since IE11 came out in November for this OS
8, 2012 - only supports IE10 (affected)
8.1, 2012R2 - only supports IE11
Windows 3.1x calc: 3.11 - 3.10 = 0.00
That started reasonably enough, citing real issues that make it the only option to use Windows, Word and Excel. That much, I concede, it's not worth it to fight.
But I draw the line, and Exchange and Outlook are way past it. No way I would support either on my networks. Simply put, these are the real implementations of the first Halloween document. In other words, it's baitware that works "nicely enough", and with several well-researched features to make them attractive, but as soon as you want anything non-Microsoft in your setup, they create all kinds of obstacles and hoops you have to jump through. It's not that other systems don't "work nicely with all the above"; it's that these specific programs were designed from the start to create those problems.
I agree that MS isn't the 'evil' it once was, but in the email space, it hasn't changed a bit. And it's up to us not to tolerate it.
-Kz-