Unpatched IE Flaw Extremely Critical

Posted by Zonk on Tue Nov 29, 2005 12:52 PM
from the get-the-lead-out dept.
Durinthal writes "The biggest blip on the security radar over the Thanksgiving holiday was the realization by the security community that an Internet Explorer problem first identified six months ago was a lot worse than it appeared, as what appeared to be only a DoS vulnerability also allows for execution of arbitrary code. The realization caused Secunia to issue a rare 'Extremely Critical' advisory."
  • by A beautiful mind (821714) on Tuesday November 29 2005, @12:56PM (#14139312)
    The biggest blip on the slashdot radar over the Thanksgiving holiday was the realization by the editorial community that a slow news problem first identified six months ago was a lot worse than it appeared, as what appeared to be only a short blip of news vulnerability now also allows for execution of arbitrary stories as portrayed by Beatles Beatles. The realization caused CmdrTaco to issue a rare 'Extremely Dupical' advisory.
    • Re:Extremely Dupical (Score:3, Informative)

      by Anonymous Coward
      OK, now I know Slashdot's biased, but posting this twice and not posting this [techworld.com] at all?

      All your OS are belong to Sun!
  • by david.given (6740) <dg.cowlark@com> on Tuesday November 29 2005, @12:57PM (#14139317) Homepage Journal
    ...pops up a dialogue asking whether you want to be spammed and then spams you anyway when you hit CANCEL.

    Does anyone think that a very handy Firefox add-on would be a button attached to this kind of dialogue that would instantly kill all Javascript scripts stone dead for the page? Once an OK/Cancel dialogue is up, you can't interact with Firefox's UI until you've responded to the dialogue and let the Javascript do something, which I think is poor design.

    • by BattleRat (536161) on Tuesday November 29 2005, @01:01PM (#14139362)
      The extension you are looking for is called NoScript. It works awesome.
    • Try this NoScript [noscript.net]. It's a whitelist so you can allow only certain sites to use javascript.
      • IIRC, the JavaScript confirm() function returns three values -- true, false, or null, depending on whether you hit ok, cancel, or x.

        Unfortunately not. I can see that it would be useful to have, but a quick test shows that both Cancel and the Close button return false (on Windows 2000, IE 6 and Firefox 1.0.7). IIRC this is in line with the expected behaviour for such dialogs, although that may vary per operating system.

        Try it: type

        javascript:alert(confirm("blah"))

        in your browser location bar

  • and still be vulnerable? I am shocked and appalled. As is well known, any reputable software vendor would release flaw free code that could not possibly cause hidden attacks such as this. Clearly they are the scum of the earth and should be shunned for foisting such shoddy products off on the public. And if you believe THAT, I have this bridge for sale in a rather profitable location of a well known American city.
    • by Enigma_Man (756516) on Tuesday November 29 2005, @01:09PM (#14139454) Homepage
      Sarcasm aside, yes they should be responsible for what they wrote, even though it's a lot of code, and there are going to be bugs (human nature). It is shoddy software.

      -Jesse
    • The fact that there are lots of critical bugs wouldn't be an issue, if the vendor patched the bugs *before* the exploits are made public. They were aware of the bug for a long time, long before this exploit was developed.
    • by Phisbut (761268) on Tuesday November 29 2005, @01:42PM (#14139759)
      I am shocked and appalled. As is well known, any reputable software vendor would release flaw free code that could not possibly cause hidden attacks such as this.

      Although it can be "accepted" that code be released with unknown bugs (because we all make mistakes), the problem here is that the bug report is over 5 months old. It is one thing to ship buggy code, it is another thing to ignore bug reports and not fix your product once the bugs have been found. It is no longer unknown, Secunia has a release date of 2005-05-31 for that bug.

  • by Anonymous Coward on Tuesday November 29 2005, @12:57PM (#14139326)
    is "IE" the shortened version of the screaming sound that I make when I realize my machine has been compromised?
    "iiiieeeeEEEEEEEEE!"
  • Wow (Score:2, Interesting)

    It's so rare that most other things never see the light (or lack thereof) of this rating... I don't think Firefox ever got an Extremely Critical rating for any of its bugs :P
  • Firefox v1.5 (Score:5, Interesting)

    by Space_Soldier (628825) <not4_u@hotmail.com> on Tuesday November 29 2005, @12:58PM (#14139330)
    This makes Slashdot exactly on the day Firefox v1.5 is supposed to be released. Apparently, Mozilla want to create a huge marketing campaign, better and larger than the one for v1.0. This is a perfect time to capitalize on this horrible security hole to promote Firefox.
    • Re:Firefox v1.5 (Score:4, Informative)

      by m0i (192134) on Tuesday November 29 2005, @03:38PM (#14140843) Homepage
      This makes Slashdot exactly on the day Firefox v1.5 is supposed to be released. Apparently, Mozilla want to create a huge marketing campaign, better and larger than the one for v1.0. This is a perfect time to capitalize on this horrible security hole to promote Firefox.

      Hrm, did you notice that Firefox 1.5 is crashing as well on this exploit? It's not a security risk but a big annoyance nonetheless.
  • Proof of Concept (Score:5, Informative)

    by Motherfucking Shit (636021) on Tuesday November 29 2005, @12:58PM (#14139331) Journal
    Here is a link to the Proof of Concept [computerterrorism.com] page, which will launch an instance of calc.exe if you're vulnerable. AVG Free caught the exploit in the cached page, but calc.exe ran anyway, even after I deleted the file.
    • Symantec AV 8.1 with latest virus defs. caught the exploit naming it 'Bloodhound' something or other, and calc.exe did NOT run.

      -Jar.
    • by Anonymous Coward on Tuesday November 29 2005, @01:04PM (#14139397)
      I'm really sick of my mac, nothing works right on here. Why won't it bring up my calculator!
    • Oddly enough it didn't work for me. IE 6 on a windows machine, it spawned a small dialog window and then a javascript "prompt" box with what I would assume was unicode characters. But after that it just sat there. Not crashing nor using a tremendous amount of resources. I would assume that the exploit doesn't require a user to click buttons since the advisory mentioned "just visiting a webpage". So what "should have" happened?
    • Re:Proof of Concept (Score:4, Informative)

      by Pxtl (151020) on Tuesday November 29 2005, @01:07PM (#14139428) Homepage
      Hm. I get a "Script Prompt" window over a tiny IE window, with the name of your site in a textbox. A few seconds later (or when I touch it) it snaps and then I get the windows "close-details" app crash window.

      So it disturbs the browser, but it doesn't hack it for me.
    • Re:Proof of Concept (Score:4, Interesting)

      by Spy der Mann (805235) <spydermann@slashdot.gmail@com> on Tuesday November 29 2005, @01:08PM (#14139445) Homepage Journal
      I suppose that's because a buffer overflow makes IE6 execute code directly. The scanner (in my case, VShield) noticed there's an exploit in the webpage, but there's nothing else it could do. It's like some security guards saying "hey, a thief opened this door!" and they close the door, but don't catch the thief.

      Yes, this is a very dangerous problem.
    • Proof of concept crashed (or at least, froze to the point of me having to kill the process) my Firefox, but did not open calc.exe. So technically, it could be used as a DoS attack on other browsers as well, though not nearly as badly as on IE.
      • Firefox didn't crash, if you waited long enough (like I did) it opens up a popup dialog full of ??????'s, you can then close the window. But it did take a full 3 minutes on a Athlon64 300+ with a gig of ram. calc.exe does not run.
      • So technically, it could be used as a DoS attack on other browsers as well, though not nearly as badly as on IE.

        Well, Opera just opened a small window which just sat there and did nothing. I closed it, and continued on my merry way. Score one for Opera. :-)
    • Snow Crash (Score:4, Funny)

      by alienmole (15522) on Tuesday November 29 2005, @01:33PM (#14139678)
      Funny how so many of the responses in this thread mirror the response of someone who's just been exposed to Snow Crash: "weird - the screen just went all static-y. But I'm fine... aren't I???"
    • Patch here (Score:5, Funny)

      by 6Yankee (597075) on Tuesday November 29 2005, @02:33PM (#14140229)
      Rename calc.exe. Job done!
  • Temp Fix (Score:5, Informative)

    by Manip (656104) on Tuesday November 29 2005, @12:59PM (#14139343)
    Turn on "Data Execution Protection" for all programs and services. Instead of allowing full execution it will limit it to a DOS (crack IE).

    Control Panel -> System -> Advanced [Tab] -> Performance Settings -> Data Execution Protection [Tab] -> Turn on DEP for all programs and services except those I select -> Ok -> OK.
    • Re:Temp Fix (Score:4, Informative)

      by _Shorty-dammit (555739) on Tuesday November 29 2005, @01:09PM (#14139446)
      I believe DEP is on by default for IE anyways, so I'm not sure this is even necessary. I just tried the proof-of-concept test on my machine, and all it did was bring up some script prompt, didn't launch calc.exe as it should have. This is with the IE7 beta, btw.
    • Turned DEP on, shutdown/restarted, and still no good - the exploit (calculator comes up) still works :(

      Perhaps hardware based DEP would make a difference, but again, for folks relying on software-based DEP, it's not effective - the exploit still works anyways.

      Ron
  • by Mitchell Mebane (594797) on Tuesday November 29 2005, @01:00PM (#14139357) Homepage Journal
    Although it's not as severe.

    https://bugzilla.mozilla.org/show_bug.cgi?id=317334 [mozilla.org]
  • by UnderAttack (311872) * on Tuesday November 29 2005, @01:03PM (#14139382) Homepage
    The SANS Internet Storm Center [sans.org] has a counter on their home page showing how many visitors to their site are vulnerable to this particular problem. At this time, looks like it is 43%! (and I assume that people checking the site are more security conscious than the average). Also see MSIE 0day exploit [sans.org].

  • McAfee Fails It (Score:5, Informative)

    by Orrin Bloquy (898571) on Tuesday November 29 2005, @01:03PM (#14139388) Journal
    On my W2K box, McAfee warns me of a threat, then as soon as I close the window, the code executes anyway.
  • Am I the only one? (Score:4, Insightful)

    by LaughingCoder (914424) on Tuesday November 29 2005, @01:04PM (#14139395)
    I read the article, and there was a link to a page that demonstrates the exploit. Now, am I the only one who is afraid to click such a link? There is something about seeing a link that basically says "click here to see how we can take over your machine" that sends chills down my spine. I don't know about you, but I never click those demonstration links on *MY* machine.
    • Anyone else could be doing it. The fact that they're nice enough to give you a link rather than just doing it suggests they're not out to get you.
  • My virus scanner seemed to stop it on the proof of concept page [computerterrorism.com]. McAfee sees it as JS/Exploit-BO.gen [mcafeesecurity.com]

  • by Billly Gates (198444) on Tuesday November 29 2005, @01:06PM (#14139415) Homepage Journal
    His name points to a URL and he is trying to use slashdot to boast his google pagemark. Move the cursor over the name? His site pops right up.

      Just yesterday a famous spammer did the same thing and posted here. The slashdot editors should stop accepting such stories that are fabricated in order to boast his advertising revenue.
  • AVG detects it (Score:3, Interesting)

    by bogie (31020) on Tuesday November 29 2005, @01:29PM (#14139639) Journal
    When I loaded up IE to test it, AVG detects the virus in IE's temp files. Then IE hangs a while and then finally calc loads. But if you kill IE while you're waiting it doesn't get a chance to execute. Not a solution but at least it buys you some time to possibly stop it.

    Either way MS needs to get off their ass and fix the problem. Oh and as if everyone didn't already know, you should be using anything but IE for web surfing.

  • by smchris (464899) on Tuesday November 29 2005, @01:54PM (#14139863)

    "Currently, the only work-around is to temporarily discontinue the use of Microsoft Internet Explorer and use another browser, such as FireFox, (this can be downloaded for free at www.mozilla.com) until Microsoft can issue a patch."

    Anyone else's bank send out a warning like this bluntly stating that if you use IE, there is nothing the bank can do to protect you?

        • I don't agree at all. Let's look at the post that got downmodded:

          Yawn... IE is vulnerable and this is news, why? Seriously, people, if you're using IE to actually surf the Web I would argue you're probably already vulnerable because your system is running Windows, all your settings are probably default, and you probably don't care.

          The post adds nothing to the discussion, says this article isn't newsworthy and does a broad ad hominem attack on all users of IE. How is that not flamebait?

          I probably wouldn

        • Re:Yawn... (Score:3, Interesting)

          Or people should just pay attention to the moderation guidelines. You are encouraged to upmod rather than downmod. IMO downmods are applied almost instantly to the posts that truly deserve it (GNNA, random letters, fristie postie, etc). Then again I have two modes, read at -1 when I have time and read at +4 when I don't. In my case downmods don't mean all that much.

          What I DO find interesting are moderation wars where a large number of points are expended upping and downing the same post. A few of my
    • Many of the security provisions in OpenBSD cause code to crash when a security hole is encountered. I would much rather have the minor inconvenience of restarting an application than having to re-build a compromised machine. Of course, ideally it should do neither, but given the choice I'd take a crash over being 'pwned' any day.
    • It doesn't crash firefox. It hangs Firefox because it's trying to display a prompt() wherein it must reflow zillions of interesting Unicode characters. Eventually it'll display.

      if you interrupt the busy state in a debugger we're busy in layout trying to
      display the prompt(). Usually in some form of Reflow(), sometimes in font
      stuff, sometimes in Bidi (nsBidiPresUtils::RemoveBidiContinuation?).

      The bugzilla title for this bug is 'hang when long wrappable string is passed to prompt()'.