New Zero-Day Vulnerability In Windows

Posted by Zonk on Sat Nov 04, 2006 10:44 PM
from the worst-day-of-the-week dept.
Jimmy T writes "Microsoft and Secunia are warning about the discovery of a new 'Zero-day' vulnerability affecting all Microsoft based operating systems except Windows 2003. Both companies state that the vulnerability is currently being exploited by malicious websites. One attack vector is through Internet Explorer 6/7 — so be aware where you surf to."
  • Just curious (Score:3, Insightful)

    by realmolo (574068) on Saturday November 04 2006, @10:49PM (#16721731)
    Seems there is always a new "zero day" exploit for Windows. Most times, the exploit can be activated simply by visiting a webpage that has been crafted to take advantage of it.

    Does anyone actually know anyone that has been affected by any of these exploits? Seems to me that the odds of actually visiting a site that "runs" the exploit are incredibly low.

    • Re: (Score:3, Insightful)

      The odds depend entirely on you.

      The attack vector is a link to the bogus page. Now, how do you get a link to a user and make him click? Usually this is done either by email (click here for big boobs or fat cash) or on a webpage (same).

      In the meantime, you can also have it on a banner, where the one wanting to infect you buys ad space on a ... let's say less prestigious page of our beloved web. Usually also pages that promise big boobs, fat cash or free software.

      Well, technically, you get free software...
      • The odds also depend on time. Because as with every vulnerability, it only gets worse over time: more bad guys become aware of how to exploit it, methods of exploitation become more reliable, etc.
      • I've been clicking on your link for big boobs, and nothing is happening. What's going on here?
    • ...is also the most impractical. What you do is just never network the Windows box in the first place. No internet, no intranet--nothing. If you use Windows exclusively, then this isn't really an option. You're going to want to get online eventually. But if you're double booting and running Windows for rendering applications, non-multiplayer games, office suites or whatever else that doesn't require connectivity, then you'll be fine.
      • You are severely exaggerating. I'm no windows fan, in fact I highly encourage my friends and family to try Ubuntu, and use it on one of my computers. My laptop runs Windows because there are a few apps I like having. When I have the time I'll set up a dual boot, but for now I use Windows XP.

        The computer I had before my current laptop got incredibly bogged down with viruses that entered the system through a variety of means. Eventually I found it to be unusable, and switched it to Linux. My laptop, however,

        • Re: (Score:2, Insightful)

          > You are severely exaggerating.

          He isn't. He said that the most certain way of avoiding vulnerabilities is not to be connected to the 'net. That's true, right?

          You said:

          > The computer I had before my current laptop got incredibly bogged down with
          > viruses that entered the system through a variety of means.
          > Eventually I found it to be unusable, and switched it to Linux.

          and then went on to say:

          > Let me reiterate that I have never had a problem with viruses.

          Sounds to me like you have had a pro
      • Admiral Adama? Is that you?
      • Re: (Score:3, Insightful)

        No, this problem only affects computers with browsers that support ActiveX. That's why W2K3 isn't affected, because IE is configured to be virtually "text only".

        Have you seen the 'mitigating factors' from the MS advisory? They're hilarious:

        In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to

    • I've known people to get attacked via this method. Unscrupulous advertising companies have used it to install spyware on several occasions. Usually the link comes via spam.
      • I've known people to get attacked via this method. Unscrupulous advertising companies have used it to install spyware on several occasions.

        Often times people will exploit it via normal advertisers, or find some exploit on some other software used by a website (the myspace flash exploit) or they'll find an exploit in some software the webserver uses such as phpBB, some dashboard software/configuration manager, or some other easily exploited piece of a webserver (as seen in the WMF exploit). They use one exp
    • Well, the idea is that you combine the code with a worm that can infect webservers. That way, lots of webpages will have the code, and the odds of an unprotected Windows machine being infected increase rather substantially.
    • It's not as low as you might think. All it takes is somebody to insert exploit code into a banner advertisement on a major online ad network and sites that you trust all of a sudden become malicious.
  • I've been looking at porn all night.. it is Saturday you know!.... jeeze.. I better start scanning my machine now (or stop looking at porn) .... (or reload my machine).
  • "Trusted" Websites (Score:3, Insightful)

    by TheStonepedo (885845) on Saturday November 04 2006, @10:54PM (#16721773) Homepage Journal
    For all of the shortcomings of IE, Microsoft does attempt to cover its ass to some degree. There are settings in IE which decide which goodies (javascript, (un)signed activex controls, etc.) can be run from which websites. When installing Server 2003, just about everything is out-of-bounds in the default IE. If Microsoft would advocate such tight controls by default on all Windows distributions, or even publish its own list of trusted 3rd-party sites, risks could be reduced. The malicious folks who take advantage of zero day exploits tend to be in the seedier parts of the tubes anyway.
    • Re: (Score:3, Insightful)

      And if MS published such a whitelist so many of Slashdot's readers would get up in arms about leveraging their monopoly and various other terms they don't really understand. That said, it really isn't Microsoft's place or duty to police the internet and say what is and is not safe.
    • These sorts of problems seem to happen frequently with IE. Making a default white list to add to "trusted sites" is just a band aid. Microsoft could solve the problem by fixing the holes in the browser that let such exploits through. If IE7 is any indication though, I'd be surprised if MS was interested in actually fixing it at this point.
      • The problem is as it always was: ActiveX. MS can't block ActiveX because any product that uses IE as the front end with ActiveX controls is suddenly broken. *Lots* of corporate web-based programs employ ActiveX controls. Everything from Flash to Acrobat Reader to Windows Update uses ActiveX.

        A best-case scenario would be to allow Administrators to blanket-block All ActiveX controls except for a select few. You can actually do this with the IE Admin Kit and Group Policy, but it is exceptionally difficult
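The two comments above talk about the per-zone IE settings that decide which ActiveX controls may run, and about administrators blocking all controls except a select few. The script below is an added example, not code from the thread or from Microsoft: it reads the ActiveX-related policy values for each IE security zone from the current user's registry hive and reports whether a given control has its "kill bit" (Compatibility Flags 0x400) set, which is the per-control block IE honours regardless of zone. The CLSID is a placeholder that must be replaced with the real CLSID from the vendor advisory for the control you care about; nothing here assumes which control that is.

```powershell
# Added example: audit IE zone ActiveX policy and per-control kill bits.
# $Clsid is a PLACEHOLDER; substitute the control's real CLSID from the advisory.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

# Zone numbers as IE stores them under ...\Internet Settings\Zones
$Zones = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# URL action IDs that govern ActiveX behaviour inside a zone
$Actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
# Stored DWORD values: 0 = Enabled, 1 = Prompt, 3 = Disabled
$Meaning = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ZoneActiveXPolicy {
    foreach ($z in ($Zones.Keys | Sort-Object)) {
        # Per-user zone settings; if Security_HKLM_only is set, HKLM overrides these
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$z"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($a in ($Actions.Keys | Sort-Object)) {
            $raw = $props.$a
            $state = if ($null -eq $raw) { 'not set' }
                     elseif ($Meaning.ContainsKey([int]$raw)) { $Meaning[[int]$raw] }
                     else { "unknown ($raw)" }
            [pscustomobject]@{ Zone = $Zones[$z]; Setting = $Actions[$a]; State = $state }
        }
    }
}

function Test-KillBit([string]$Clsid) {
    # Compatibility Flags bit 0x400 is the kill bit: IE will not instantiate the control
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
}

Get-ZoneActiveXPolicy | Format-Table -AutoSize
"Kill bit set for ${Clsid}: $(Test-KillBit $Clsid)"
```

Running this on a workstation shows at a glance whether the Internet zone still has 1200 (run controls) and 1201 (script controls not marked safe) enabled, which is what the "text only" Server 2003 configuration the thread mentions turns off; the kill-bit check is the cheapest way to confirm a specific control is blocked without uninstalling it.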
  • Or is it only via IE?

    What other ways can this exploit be triggered?

    • It's the forever plague of the ActiveX vulnerabilities (though semi-indirectly in this case). So Firefox is safe. Anything that uses the XMLHTTP control in a way that it could get arbitrary inputs is vulnerable. In other words, Internet Explorer, anything that uses MSHTML straight to connect to random web sites (it's safe if it's only trusted web sites), so that includes Outlook, etc. That's about it. But that's too much for my taste.
        • by Shados (741919) on Saturday November 04 2006, @11:37PM (#16722023)
          Yes and no. This flaw is specific to XMLHTTP, which is kind of developed independently. You also can use XMLHTTP without using IE at all, that's why I say it's independent. It's probably a buffer overflow, and not much to do about it in this case. So yes IE7 has a flaw, but there really isn't anything they could do in the current context. -HOWEVER-, while IE7 is more secure than IE6 in a million ways, the WinXP version is nothing but a shadow of the real thing. The sandboxed IE7 is on Vista only, and I'm pretty damn sure this vulnerability is not an issue there. Anyway, so it's more semantic here, but you could say "yes, IE7 has a vulnerability". However, it's a little bit like if there was a vulnerability in KDELIB across the board...obviously that would touch Konqueror, no matter how secure Konqueror itself is... Can't excuse that one though. IE7 on XP is far, far from secure. More secure, but not secure.
        • Re: (Score:3, Informative)

          Only by virtue of Microsoft's attempt to provide backward compatibility for AJAX sites developed for older versions of IE.

          Prior to IE7, the XMLHTTP object, used to retrieve data from external sources without full-page reloads, was provided by an external ActiveX control. With IE7, Microsoft has implemented XMLHTTP natively in-browser, rendering the ActiveX control unnecessary -- however, it's still possible for older sites which haven't yet been rewritten to take advantage of native XMLHTTP support to load
  • What is so hard about the concept of a program that can go out to the Internet, look at what is there and render it for me. WITH NO WAY TO CHANGE ANYTHING ON MY COMPUTER.

    Is that so much to ask for, of ANY browser?

    • Well, you could always run a browser in a virtual machine and not allow it to save state. Alternatively, it is quite easy to write a systrace policy that prevents writing to any files that are not in the cache directory (and optionally a downloads directory), and doesn't permit it to read any files other than its dependent libraries.
      • A full virtual machine (as in vmware or virtual-pc) is a tad over the top but you're right.

        I don't use it much - but sandboxie impressed me a few months ago for running IE (or anything) in a semi-virtualised environment

        • You haven't used a virtual machine have you? Go download VMware or Virtual PC (slower but invades your system less than VMware - and the full thing is free from Microsoft). You will find that there's an option to delete changes on exit. It's not hard - just a tad over the top.
    • program ... go out to the Internet ... no way to change anything on my computer

      I guess that you don't see any value in bookmarking or in caching for performance.

      Actually, there is something close to what you are describing. It is called a Linux live CD with firefox on it such as knoppix.

      • Actually, it might make sense to take the caching functions out of the web browser, maybe even out of client machines entirely, in favor of network appliances. That would allow you to have very secure, locked-down browsers, while still doing caching.

        I've always been surprised that Linksys or one of the other network-box companies hasn't put together an easy to use "web accelerator" caching proxy. I suppose it's because it would be too hard to explain to a lot of people (the kind of people who don't grok th
    • WITH NO WAY TO CHANGE ANYTHING ON MY COMPUTER.

      If you are visiting the seedier part of town and want some protection, may I interest you in a live CD?

      I've used live CD's while on the road and had to use a hotel internet connection. Who knows what could be in the middle there. I fired up Ubuntu as a live CD and hit the web. Stayed away from e-mail and any finance sites while on the road. It was fine for checking mountain pass conditions for travel and entertainment via youtube and other sites.

      At the end
  • and I write buggy software. I am by no means a MS basher, but the security advisory that they have put out reads like an endless stream of lame excuses.

    It may very well be that stupid users or badly configured systems allow these exploits to thrive but FFS Microsoft just admit that you are actually at least partially to blame.

    As long as they fail to realise that they are not gods and do actually write buggy software, what hope is there that they will ever succeed in producing something secure?
  • Internet Explorer 6/7
    Well that's what they get for not updating and running Internet Explorer 6/7! It's not even version 1.0!
  • You want news? Now this would be news:

    REDMOND - NOV 23, 2006
    Microsoft is proud to announce that for the second day in a row, no 0-day exploits were discovered in its flagship Microsoft Operating System.
    • By definition, an exploit that is 'discovered' is '0-day'. You can't 'discover' a 0-day exploit. You discover an exploit, and the day that you publish it is the 0-th day of that exploit being known.
  • This flaw does not affect Vista users thanks to IE 7's Protected Mode [microsoft.com] feature.
  • "... all Microsoft based operating systems except Windows 2003."

    So a box running Windows 95 or DOS is at risk then?

    I'm not sure which is more irritating - that the summary uses the above phrase that is not in the article, or that the article doesn't explicitly say which OS/browser versions are affected (and you'd have to go digging around to find whether you are using "XMLHTTP 4.0 ActiveX Control, part of Microsoft XML Core Services 4.0").

    I suppose the most irritating thing for a Windows user is that this i
  • by flyingfsck (986395) on Sunday November 05 2006, @02:40AM (#16722879)
    From Secunia, the vulnerable versions are:
    Microsoft Windows 2000 Advanced Server
    Microsoft Windows 2000 Datacenter Server
    Microsoft Windows 2000 Professional
    Microsoft Windows 2000 Server
    Microsoft Windows Server 2003 Datacenter Edition
    Microsoft Windows Server 2003 Enterprise Edition
    Microsoft Windows Server 2003 Standard Edition
    Microsoft Windows Server 2003 Web Edition
    Microsoft Windows XP Home Edition
    Microsoft Windows XP Professional
    • It's sad when you think that Windows 2003 is a better desktop OS than Windows XP...a bit pricey for a desktop, too =P
      • It is when you can run as non-admin and have it mean something.

        3 years and zero virii, trojans, etc on any of the Win machines.
        • That probably comes with good usage more than just the OS though. I've run NT4, 2k, and XP for about 9 years over (I think that's right?), and didn't get even as much as a spyware on any of those, without any permanent scanners (I scan like once every 6 months or so). But the whole running in non-admin and mean something thing does sound cool.
    • http://www.google.com/trends?q=linux%2Cwindows&ctab=0&geo=all&date=all [google.com]

      there's no trend here. windows searches are decreasing also.

      • As a sexy nerd-girl once said,

              Lay off the caffeine, dog. Now you're seeing things. There ain't no such thing as a sexy nerd girl. There are plenty of sexy girls (directly proportional to the amount of beer you've had), and there are some nerd girls. But sexy nerd girls? No way, unless you are really wasted.
        • But sexy nerd girls? No way, unless you are really wasted.

          Its funny because the other week I was waiting at the supermarket checkout behind three of the ugliest women I have seen in a long time. Not offensive, just not ... very ... attractive.

          Their credit card transaction was going through. One of them appeared to be entranced by the flickering lights of the network gear embedded behind the register. She turned to one of her friends and said "I think the hourly transfer is about to run...ah there it is."

          • Jeri Ellsworth

                  Like the Romans said, you can't argue taste. Ewww. As far as I'm concerned, my point stands. But then again I must concede that yes, at least she LOOKS female.
          • You've never met a Mac geek girl.

                  You can keep them. Perhaps I'm spoiled, since I live in Latin America. Oiga, las mujeres down here are, well, guapissimas :)