Um, I don't think I can be the only one who keeps a copy of the latest Firefox and Thunderbird on a CD, along with all my other "Windows-hardening" tools of choice, for deployment on the never-ending series of friends' PCs I get called to as PC Doctor.
As a very rough estimate, I'd say I install each successive version of Firefox on around 5 PCs (2 of mine, and maybe 3 others)... so that would inflate the installed base over and above the site-visit stats somewhat. That's not counting return visits to install updated versions for those friends who can't manage to do it themselves (I get a lot of free dinners this way).

I see a helpful AC has given a brief answer to my question later on in this thread: http://slashdot.org/comments.pl?sid=142474&cid=11
"There are two types of Java applets: signed and unsigned. Unsigned applets run in a sandbox inside your Web browser. A Java exploit would be an unsigned applet that could "get out" and do something malicious. This doesn't seem to be an unsigned applet.
Signed applets don't run inside a sandbox. A signed applet can do anything that any other executable program can do; including formatting your disk or installing spyware. They are not any safer than programs written in C or assembly language."
(Thanks to the AC, whoever you are.)
So... a day not wasted... I've learned something. And all these years I've been thinking that Java applets had a fundamental security advantage over ActiveX controls, in that their execution environment was separated from the user's by a firebreak, thus making them "safer". Seems not.

> It doesn't "escape" the sandbox... the user explicitly grants it permission to play outside of the sandbox
Erm... thanks for that... I bet I'm not the only one who didn't realise that's what I was granting permission for when I agreed to "trust" an applet.
I confess I had no real idea what "trusting" the applet actually did - mea culpa. I vaguely thought it was something to do with me choosing to believe it really was written by whoever its certificate said it was written by.
But I certainly thought the Java sandbox was inviolable - *always*. I thought an applet was always prevented from (a) accessing files outside the sandbox, and (b) making a network connection to anywhere except the website it was originally loaded from.
Evidently I'm horribly wrong - can anyone give some pointers to a good description of the Java applet security model?

The vulnerability worked for me using Mozilla 1.7.3 with "Block unrequested popup windows" switched on.
Amusingly though, the silly .WAV file sound clip I have Moz configured to play when it blocks a popup went berserk as soon as I clicked on the "With popup blocker" link - it's about 4 seconds long but I got an endless repetition of the first half-second, so it sounded like a CD that's got stuck, and it was very obvious that something was wrong. I guess that was the Secunia page's Javascript looping waiting for the popup window to appear.
Also, I confirm another poster's assertion just now: this only seems to work if you use a link on the malicious webserver to open a window on the Citibank site. If you open Citibank by typing the URL into a pre-existing window the problem doesn't occur, and the normal Citibank anti-phishing advice appears in the requested popup window.

Re: This "random" test is dangerously incomplete. (on IE Shines On Broken Code)
> Given the arbitrary limits on this test, it appears to be designed specifically
> to make IE look better than its competitors and prove some point rather
> than be an objective investigation.
It sounds like you have little idea who the author is, or you wouldn't make such a statement. Michal Zalewski is a well-respected security researcher, with impeccable credentials, and no particular love for Microsoft, who's made an undeniably valuable contribution in many areas of IT security.
While he generally seems to work on Unix-like systems, he has also published work on M$ software security problems - e.g. http://www.bindview.com/Support/RAZOR/Advisories/2001/adv_mstelnet.cfm
http://news.softpedia.com/news/2/2004/April/7797.shtml
http://cert.uni-stuttgart.de/archive/bugtraq/2000/06/msg00066.html
A quick google will repay your time.
Give the guy some credit - it seems he's uncovered a surprising lack of robustness in non-IE browsers - and admittedly an even more surprising degree of resilience in IE's handling of the HTML tag soup he played with... strange but apparently true :-)

I just downloaded the latest CA eTrust EZ Antivirus signature file, version 8613, dated 27th Sept, and am glad to report that it detects the Easynews virus sample as "JPEG.MS04-028.exploit trojan".
[Since it seems to me it might be good for us all to collect as much information as possible in this thread...]
PS: just for the hell of it, on a box that's not using one of the allegedly vulnerable versions of Windows or IE (it's NTWS SP6a, IE5.5), I tried to open the Easynews sample image using Irfanview V3.80, which displayed the error message:
possibleVirus.jpg : JPEG Decode Error !
Quantization table 0x00 was not defined
I suppose I'd better run a full scan of my peecee anyway now... sigh... I wonder which JPEG library Irfanview uses...

Although the SANS website says their scanner is written for Win2K+, it seems to run on NT (although the output format is a bit screwy), and it reckoned there is one vulnerable DLL, at
Program Files\Common Files\Microsoft Shared\VGX\vgx.dll, Version: 5.50.4133.200
Dunno where that came from, but it describes itself as "Microsoft Vector Graphics Rendering(VML)", and - fascinatingly - the copyright says "Unpublished work. Copyright© Microsoft Corporation 1983-1999. All rights reserved."

For me it has little to do with making the office apps look different or "better", and a great deal to do with using the KDE clipboard to transfer information between the office apps and other KDE apps.
At the moment I can't do that easily (how would you paste from a Konsole session into a word-processor document?), and anything that makes that a snap is progress, IMHO.

Sometime in 1999, as I arrived at Bristol Airport in the UK with a colleague to board a plane to visit a customer, we glanced at the Departures status screens hanging from the ceiling in the departures lounge and saw that a standard NT4 BSOD was displaying on all screens.
Can't remember what the actual error was.

On my PC:
j2re-1.4.0_01-windows-i586.exe - 9170 Kb
j2re-1.4.1_01-windows-i586.exe - 7829 Kb
j2re-1.4.2-windows-i586.exe - 14162 Kb
Does anyone understand this?
In fact, does anyone know why the download size actually went down between 1.4.0 and 1.4.1?
Not that I'm complaining about that :-)... I just assumed the code got more efficient... but by the same token, it just got a whole lot less efficient... or bloated, or something. Maybe it's all those multiple environment look'n'feels.

This is an excellent move by the Aussies. Now it seems we need a server here in the UK - or does anyone know whether there's already one?
The public servers list at http://www.jabber.org/user/publicservers.php doesn't list any servers in the .uk domain. By guesswork I found http://www.jabber.org.uk/ but the front page says the server admin has had to close this server for new registrations due to traffic overload.
ISTM we should all use as local a server as possible, so I'm reluctant to register on the main jabber.org server.
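The eTrust detection name and the Irfanview "Quantization table 0x00 was not defined" error in the MS04-028 comments above both come from parsing a JPEG header that a decoder refuses. As an added example, not code from the page or from any product it mentions, here is a small JPEG marker-segment walker in Python that a defender triaging such a file could run. It flags two conditions: a segment whose declared length is smaller than the two-byte length field itself (the malformed comment segment the MS04-028 advisory concerned; the check is applied to every segment), and a scan that references a quantization table no DQT segment has defined (the condition behind Irfanview's message). The three sample headers at the bottom are constructed for the demonstration and contain no real image data.

```python
# Added example (not from the page): a minimal JPEG marker-segment walker that
# reports two malformed-header conditions relevant to the MS04-028 discussion.
# Sample JPEG headers below are constructed inline for the demonstration.

SOI, EOI, SOS, DQT, COM = 0xD8, 0xD9, 0xDA, 0xDB, 0xFE
# Start-of-frame markers (baseline, progressive, lossless, ...); all share the
# same component layout in their payload.
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
# TEM and RST0..RST7 are standalone markers with no length field.
STANDALONE = {0x01} | set(range(0xD0, 0xD8))


def check_jpeg(data: bytes) -> list:
    """Walk the marker segments of a JPEG header and return a list of
    problem descriptions (empty list = header looks sane). Parsing stops at
    SOS, where entropy-coded data begins, or at EOI."""
    problems = []
    if data[:2] != bytes([0xFF, SOI]):
        return ["missing SOI marker"]
    pos = 2
    defined_dqt = set()     # table ids seen in DQT segments so far
    frame_components = []   # (component id, quantization table id) from SOF
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            problems.append(f"expected a marker at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker: skip it
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            break
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            problems.append(f"marker 0x{marker:02X}: truncated length field")
            break
        # The 16-bit length counts the two length bytes themselves, so any
        # value below 2 is malformed. This is the comment-segment (COM) case
        # the MS04-028 advisory concerned; the check applies to every segment.
        length = int.from_bytes(data[pos:pos + 2], "big")
        if length < 2:
            problems.append(f"marker 0x{marker:02X} at offset {pos - 2}: "
                            f"declared length {length} < 2")
            break
        payload = data[pos + 2:pos + length]
        if len(payload) != length - 2:
            problems.append(f"marker 0x{marker:02X}: segment runs past end of file")
            break
        if marker == DQT:
            # DQT payload: repeated (Pq<<4 | Tq) byte followed by 64 entries
            # of 1 byte (Pq=0) or 2 bytes (Pq=1).
            i = 0
            while i < len(payload):
                pq, tq = payload[i] >> 4, payload[i] & 0x0F
                defined_dqt.add(tq)
                i += 1 + (128 if pq else 64)
        elif marker in SOF_MARKERS:
            # SOF payload: P(1) Y(2) X(2) Nf(1) then Nf x (Ci, HiVi, Tqi).
            nf = payload[5]
            for c in range(nf):
                ci, _hv, tq = payload[6 + 3 * c:9 + 3 * c]
                frame_components.append((ci, tq))
        elif marker == SOS:
            # Tables must exist by the time a scan uses them; this is the
            # condition behind "Quantization table 0x00 was not defined".
            for ci, tq in frame_components:
                if tq not in defined_dqt:
                    problems.append(f"quantization table 0x{tq:02X} was not "
                                    f"defined (component {ci})")
        pos += length
        if marker == SOS:
            break
    return problems


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: FF <marker> <length incl. itself> <payload>."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample headers (no real image data): an 8x8 single-component
# baseline frame, the same frame with its DQT missing, and a COM segment whose
# declared length is 1.
_DQT = _segment(DQT, bytes([0x00]) + bytes(range(1, 65)))
_SOF0 = _segment(0xC0, bytes([8, 0, 8, 0, 8, 1, 1, 0x11, 0]))
_SOS = _segment(SOS, bytes([1, 1, 0x00, 0, 63, 0]))
SANE_HEADER = bytes([0xFF, SOI]) + _DQT + _SOF0 + _SOS + bytes([0xFF, EOI])
UNDEFINED_DQT_HEADER = bytes([0xFF, SOI]) + _SOF0 + _SOS + bytes([0xFF, EOI])
BAD_COM_HEADER = bytes([0xFF, SOI, 0xFF, COM, 0x00, 0x01]) + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("sane", SANE_HEADER),
                       ("undefined DQT", UNDEFINED_DQT_HEADER),
                       ("bad COM length", BAD_COM_HEADER)]:
        print(name, "->", check_jpeg(blob) or "no problems")
```

The walker deliberately stops at the first length error rather than trying to resynchronise, since once a length field is untrustworthy every later offset is a guess; a triage tool only needs to say that the file is malformed, not to render it.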