



Latest Version of MyDoom Exploits New IE Flaw
techentin writes "CNN Money is reporting a new and improved MyDoom variant which is spread by a hyperlink in email. Clicking the link connects the user to an infected machine, which exploits a recently discovered buffer overflow in Internet Explorer. McAfee has a more detailed description. Is this yet another good reason for running Firefox?" CNET also has a story.
Awww, Microsoft is so sweet (Score:5, Funny)
Re:Awww, Microsoft is so sweet (Score:5, Funny)
Re:Awww, Microsoft is so sweet (Score:2)
Re:Awww, Microsoft is so sweet (Score:4, Funny)
Re:Awww, Microsoft is so sweet (Score:3, Funny)
Re:Awww, Microsoft is so sweet (Score:4, Funny)
Re:Awww, Microsoft is so sweet (Score:4, Funny)
public-release
pre-release
post-ready
potentially-redhot
protected-by-raven
pissed-on-redmond
Re:Awww, Microsoft is so sweet (Score:3, Funny)
CNN Story (Score:5, Insightful)
One of the coworkers downloaded FireFox right away. I actually expected him to take a little while to wean off of IE. After I showed him FireFox's features, however, he set FireFox to his default browser and deleted his IE shortcuts! I think we're definitely making headway.
Re:CNN Story (Score:5, Insightful)
Okay, I'll grant you that FireFox is probably more secure than IE. But to say it lacks security issues is going a little further than I'd go, myself. In fact, I'd be willing to bet you $10 that it has security issues of its own.
Don't sell your friend a dream. Set his expectations realistically. No software is bulletproof. No software lacks security issues.
Firefox f-ing rocks, no doubt about it. It blows IE out of the water. It probably has far fewer security holes. But to say it "lacks security issues" is naive.
Don't believe everything you read on slashdot. A lot of these people have an agenda to meet.
Re:CNN Story (Score:5, Interesting)
Remember how FireFox handled the download bug? Old copies of the browser would actually be redirected to an auto-update site. Click a button, wait for a few kb download, and voilà! A secure browser.
until someone discovered a bug that redirects... (Score:4, Insightful)
Re:until someone discovered a bug that redirects.. (Score:2)
Now of course, it doesn't require the use of SSL, so it would be possible to trick FF into downloading malware from another site, if the attacker can spoof DNS replies, or edit your hosts file.
Software without security issues: (Score:3, Informative)
Don't sell your friend a dream. Set his expectations realistically. No software is bulletproof. No software lacks security issues.
Hmmm.... I can think of one:
how about:
#include <stdio.h>
int main(){
printf("Hello World!\n");
}
I dare you to find a security hole or other issue in that one! Probably better to say "it is unlikely that any nontrivial software will be without security holes or considerations."
I run Qmail, and it certainly has its security considerations (no holes though). Security issues with Qmai
Re:Software without security issues: (Score:2, Funny)
Re:Software without security issues: (Score:2)
Your trust is misplaced (Score:3, Insightful)
you're trusting your compiler and linker to provide you with the expected behaviour from compiling and linking your source code
you're trusting the kernel to not modify the behaviour of the syscalls required to print
you're trusting the CPU to execute the instructions you think it executes
Reflections on Trusting Trust [bell-labs.com]
Ken Thompson
Re:Your trust is misplaced (Score:2, Insightful)
We are -ASSUMING-, when evaluating code for security-conscious methodology, that the environment functions as advertised.
Your examples are very nice for theoretical discussions, but some of us don't live in the classroom, we live in reality, where software re
Re:Software without security issues: (Score:3, Insightful)
(pseudocode)
program "evil":
main(){
close STDERR;
exec passwd;
}
program "passwd" running setuid
main(){
open >
print STDERR "Password: "
}
Oops. The password file just got deleted. Security is hard
(The reason? File descriptor STDERR is usually #2. However, fd #2 is closed and replaced with
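Added example, not part of the original comment: the usual defence against the closed-stderr trick in the pseudocode above is for a privileged program to make sure descriptors 0, 1 and 2 are open before it opens anything else, since POSIX open() returns the lowest unused descriptor. The function names are hypothetical and /dev/null stands in for the sensitive file.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Run first thing in a privileged program: point any closed standard
 * descriptor at /dev/null. Returns 0 on success, -1 on failure. */
int ensure_std_fds(void)
{
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                        /* descriptor is already open */
        int nul = open("/dev/null", O_RDWR);
        if (nul == -1)
            return -1;
        if (nul != fd) {                     /* defensive: move it into place */
            if (dup2(nul, fd) == -1) { close(nul); return -1; }
            close(nul);
        }
    }
    return 0;
}

/* Reproduces what the "passwd" program in the comment sees: the caller
 * closed stderr, then the program opens a file. Returns the descriptor
 * number that file received. harden != 0 runs ensure_std_fds() first. */
int fd_for_first_open(int harden)
{
    int saved = dup(2);                      /* keep the real stderr for later */
    close(2);                                /* what "evil" did before exec */
    if (harden)
        ensure_std_fds();
    int fd = open("/dev/null", O_WRONLY);    /* stand-in for the sensitive file */
    int got = fd;
    if (fd > 2)
        close(fd);
    if (saved != -1) {                       /* restore stderr */
        dup2(saved, 2);
        close(saved);
    }
    return got;
}

int main(void)
{
    int plain = fd_for_first_open(0);
    int hardened = fd_for_first_open(1);
    /* Without the check the file lands on a standard descriptor, so a later
     * write to "stderr" goes into the file; with it, the file gets fd >= 3. */
    printf("without check: fd %d\nwith check:    fd %d\n", plain, hardened);
    return 0;
}
```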
Re:Software without security issues: (Score:5, Informative)
While your assumptions are most likely correct, complacency is the friend of the buffer overflow. Depending on your implementation of the clib, printf, usually considered safe, could possibly be a problem - particularly as it ends up using the locale system and the user settable LC_NUMERIC to determine how to represent numbers, radix, etc.
My favourite printf gotcha however is the seldom used %n conversion character - unlike its brethren, this one writes data to the pointer in the argument list ( the number of characters printed so far ). This can be used to scribble over various pointers in the arg list and is why you should never, ever allow users to provide format strings to the program without vetting them first.
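Added example, not part of the original comment: one way to vet a string before it is ever used as a printf format, next to the simpler fix of keeping the format constant and passing untrusted text as data. The function names are hypothetical and the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* What a scan of a would-be printf format string found. */
struct fmt_scan {
    int conversions;    /* conversions (and '*' fields) that consume an argument */
    int writes_memory;  /* 1 if a %n conversion is present */
    int malformed;      /* 1 if a '%' is not followed by a conversion we accept */
};

/* Walk the C99 syntax %[flags][width][.precision][length]conversion.
 * POSIX positional forms such as "%1$d" are not accepted and count as malformed. */
struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = {0, 0, 0};
    while (*s) {
        if (*s++ != '%') continue;
        if (*s == '%') { s++; continue; }                 /* literal percent */
        while (*s && strchr("-+ #0", *s)) s++;            /* flags */
        if (*s == '*') { r.conversions++; s++; }          /* width taken from an argument */
        else while (*s >= '0' && *s <= '9') s++;
        if (*s == '.') {
            s++;
            if (*s == '*') { r.conversions++; s++; }      /* precision from an argument */
            else while (*s >= '0' && *s <= '9') s++;
        }
        while (*s && strchr("hljztL", *s)) s++;           /* length modifiers */
        if (*s == '\0' || !strchr("diouxXeEfFgGaAcspn", *s)) {
            r.malformed = 1;
            continue;
        }
        if (*s == 'n') r.writes_memory = 1;               /* stores the running count via a pointer */
        r.conversions++;
        s++;
    }
    return r;
}

/* Vetting policy for text that did not come from the programmer:
 * usable as a format only if it needs no arguments at all. */
int safe_as_format(const char *s)
{
    struct fmt_scan r = scan_format(s);
    return r.conversions == 0 && !r.writes_memory && !r.malformed;
}

/* The fix that needs no vetting: the format is a constant and the
 * untrusted text is only ever data. Returns the number of characters rendered. */
int render_user_text(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

int main(void)
{
    const char *samples[] = { "Hello World!\n", "100%% done", "%s %d", "%08x%n", "50%" }; /* constructed */
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        render_user_text(buf, sizeof buf, samples[i]);
        printf("safe_as_format=%d text=%s\n", safe_as_format(samples[i]), buf);
    }
    return 0;
}
```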
YLFI
Re:Software without security issues: (Score:3, Informative)
It doesn't return a value from main() which may cause a compiler to do funky things with the stack.
Even worse argc and argv are not passed correctly so the function will be called with more parameters than it accepts.
There's no attempt to determine the status of stdout - if redirected to an offline printer this software would crash.
The user's locale settings are not taken into account.
The user friendliness of this software
Re:CNN Story (Score:5, Insightful)
It's like saying a program lacks features. Obviously you don't mean it has no features -- just that it lacks features, WHEN COMPARED TO ANOTHER PRODUCT.
Re:CNN Story (Score:3, Insightful)
Re:CNN Story (Score:2)
http://www.squarefree.com/burningedge/releases/
Yes, 9 potential security holes fixed, and I doubt it was all. In any case, you're recommended to upgrade ASAP for these reasons alone.
Re:CNN Story (Score:5, Informative)
I don't typically get these things installed unless it is an automatically installing problem however my friends and family all had problems with Internet Explorer getting bogged down with this crap. I know once I install firefox I'll have a lot less crap to clean up when I next fix their computers.
Re:CNN Story (Score:4, Insightful)
The last security bug I remember hearing about in Firefox had a working patch to fix the problem very quickly. In fact, it was released by about the time I had finished reading the alert in the first place. Microsoft, on the other hand, takes considerably longer.
It's one thing to admit there are security vulnerabilities in Firefox. There have been, and there will continue to be vulnerabilities discovered in Firefox. But as long as the Firefox community fixes these vulnerabilities as quickly as they have in the past, I don't think it's fair to say that Firefox has security issues.
Microsoft, of course, has both security vulnerabilities and security issues. It becomes an issue when the vulnerabilities aren't dealt with quickly enough.
Semantics, I know.... But there is a crucial difference.
Re:CNN Story (Score:3, Interesting)
It is also your file system browser.
Integrating a web browser (i.e. the program that messes around with places of questionable authenticity) with your file system browser (the program that connects with your most sensitive files) is just insane from a security point of view.
Re:CNN Story (Score:5, Funny)
Re:CNN Story (Score:2)
Re:CNN Story (Score:3, Funny)
Don't delete the bookmarks! (Score:2)
Firefox converts your Microsoft® Internet Explorer favorites for you [bathspa.ac.uk].
Re:CNN Story (Score:2)
Lately, I haven't even had to *try* in order to spread alternative browsers. I don't go to them - they come to me!
I get calls on a regular basis from different friends and family members. The problem is almost always the same: their computer has become so bogged down with spyware and malware that it's nearly useless.
Their computers are so gummed up, they practically beg me to install a different browser! And I don't know of any of them that have gone back to IE since.
Honestly, I get so many reques
Re:CNN Story (Score:2)
Re:CNN Story (Score:5, Informative)
1) Go to www.BigNewsSiteorFaveBlog.com
2) Decide you want to read 15 of the 30-40 news articles available to you.
Then either:
3-Tabbed) Click on the things that look interesting, and keep clicking on interesting while the 15 news articles load in separate tabs. By the time you've clicked the 15th thing, 10 of the 15 articles have already loaded and been rendered for you in their tabs. Hover the mouse button over an "X", and click once to close the tab without moving. (sweet on a conventional mouse, and really sweet on a touchpad-based laptop!)
or:
3-Untabbed-option-1) Click on the interesting thing. Click "back" (hoping that the stupid marketroids at the website haven't borked "back" on you). Click on the second interesting thing. Wait for the HTTP session to start. Read the article. Click "back" (and wait for the HTTP session to start as the original reloads). Click on the third interesting thing. Wait for... [repeat 15 times].
or: 3-Untabbed-2) Click on the interesting thing in a new window. When window focus changes to the newly-popped-up window, curse, and click on the first browser window. Click on the second interesting thing to pop up the next article in a new window. When window focus changes, curse, and click on the first browser window. [ ... repeat 15 times.]
If you read at the pace of a slug, and/or spend more time scrolling the article because you render all fonts in 24-point Gothic, tabbed browsing offers little advantage, because you spend a lot more time reading and scrolling through the article than you do loading and rendering it.
If you read quickly, and/or cram enough text onto the page to see an entire page with one or two presses of PgDn, the 500-1000 milliseconds of HTTP session initialization, page-loading, and HTML-rendering time is an appreciable fraction of the time you spend reading an article. For CNN articles, we're talking about 5-10 paragraphs of text (5-10K of text, tops) and hundreds of kilobytes of frames, ads, banners, style sheets, and other crap that has to come down the pipe (often requiring multiple HTTP sessions to different websites - DNS lag can also come into play), and that ratio can be significant.
Anything you can do to minimize the amount of time you spend waiting for content relative to reading content is a Good Thing. The larger that ratio of waiting:reading is, the bigger the advantage offered by tabbed browsing.
LIES (Score:3, Funny)
Re: (Score:2, Funny)
In other news... (Score:4, Funny)
teach kids that IE is dangerous (Score:5, Funny)
Re:teach kids that IE is dangerous (Score:5, Funny)
Re:teach kids that IE is dangerous (Score:2)
Re:teach kids that IE is dangerous (Score:2)
Hey, well using Firefox is like having sex in public...
"No, you're doing that wrong! Here, do it this way instead."
"Haha, look at his exploit!"
"Err... it would be much more efficient if you stuck that thing over here instead."
"Hey hey hey, at least he's using protection! If you suspect that something is wrong, we can always audit them!"
Wow! (Score:5, Funny)
Re:Wow! (Score:2)
Quite a few actually. And for those who have upgraded to XP-SP2, the MyDoom variants are a non-issue. Double MyDoom for Internet Explorer [com.com]
big deal (Score:5, Funny)
Re:big deal (Score:2)
A good reason for using Firefox, or ... (Score:3, Insightful)
users could pull their heads out of their asses and stop clicking on links in SPAM.
Re:A good reason for using Firefox, or ... (Score:2, Insightful)
Re:A good reason for using Firefox, or ... (Score:2, Insightful)
After watching the election this past week, I'd have to agree with you there.
Re:A good reason for using Firefox, or ... (Score:5, Insightful)
Bzzzt, wrong answer.
Most viruses come from people you know, since they exploit the address book feature. Most spam comes from people you never heard of.
Thus, it is the links in the e-mail from people you KNOW, not spam, that is the problem.
Re:A good reason for using Firefox, or ... (Score:2, Informative)
did you RTFA? People I know don't send me emails about my ebay account.
Re:A good reason for using Firefox, or ... (Score:5, Insightful)
Re:A good reason for using Firefox, or ... (Score:2)
Could be a trick (Score:5, Funny)
Good timing (Score:2, Funny)
http://www.mozilla.org/products/firefox/ [mozilla.org]
Better the losing side. (Score:5, Insightful)
You mean like... (Score:2, Insightful)
Re:Better the losing side. (Score:2)
Re:Better the losing side. (Score:2, Funny)
Re:Better the losing side. (Score:2)
Re:Better the losing side. (Score:2)
Re:Better the losing side. (Score:5, Insightful)
Sure, but will those flaws in Firefox be as serious as the flaws in IE?
It seems like when Microsoft attempted to integrate IE with the OS, IE was allowed to access the OS in some very dangerous ways.
For instance, why would earlier versions of IE write files to any directory without asking the User for permission?
Not as much of a problem though (Score:5, Informative)
The largest problem (mostly the cause of spyware rather than viruses though) is the issue of ActiveX scripting. Because ActiveX controls are trusted on the basis of vendor signature, and because someone can force an old version to be downloaded and installed, it means that no security patch can protect you against a malicious site scripting against a bug in an ActiveX control signed by a trusted vendor. No security patch can be written to do this without breaking *every* ActiveX control in the internet.
The second issue is that of security zones. This allows an attacker to exploit any flaws that come with the enforcement of such zones. This is an issue for viruses and spyware alike.
Now, it is possible that a new as yet unimagined sort of attack will eventually be possible against some type of functionality in Mozilla. At least one type has (XUL files spoofing interfaces), but if these become a problem, it is open source, and so you or anyone else can pay for someone to make a version with a different structure. If enough people switch, the process begins over again. But each time, I think we are safer.
Also: mozilla aren't so aggressive (Score:4, Informative)
Windows Update? Active-fucking-X. So unless you move http://*.microsoft.com/ into trusted zone (ramped up to medium security), you cannot get security updates without enabling ActiveX download and scripting.
Even in WinXPSP2, there is still that trusted zone that gives unlimited rights. Like download unsigned activeX controls without prompting. There is nobody I'd give that right to, not even myself. Yet they have it.
Plus all the MSN content pushes AX at you. At least Expedia are not that daft; you can shop there with Firefox. But check out a pure MS site
like the channel9 developer site [msdn.com]; ActiveX, windows everywhere. No attempt made to evangelise to the rest of us
HOMOGENEITY (Score:2)
Having a 50%/50% split in popularity among browsers will reduce attacks simply because exploiters get less benefit and have to do more work. If we can get that to 25%/25%/25%/25%, then exploiters will move on to some more attractive target, and simultaneously, each of the four browsers will focus much more on standards compliance.
ClamAV stopped this 5 hours ago (Score:3, Interesting)
Happy to see that ClamAV had the pattern files through a cron job 5+hours ago.
Re: (Score:2)
but bad timing for the ad (Score:2)
Two weeks draws the Firefox ad fully into the vortex of the Christmas shopping season. Every upscale retailer in the northeast is competing for prime space in the NY Times. They get the white meat, the Moz Foundation, the gristle.
more info about the virus (Score:3, Informative)
Re:more info about the virus (Score:2)
sp2 (Score:2)
Re:sp2 (Score:3, Interesting)
If only (Score:5, Funny)
Oh well.
SP2 (Score:5, Informative)
Scary social engineering (Score:4, Interesting)
----
Re: my bill
From: [from address, probably spoofed]
To: [My address]
Requested file.
+++ Attachment: No Virus found
+++ [Name of antivirus software] - [website of antivirus software]
bill.zip
-----
The zip contained a pif file with a
Particularly scary social engineering, since it claims to be from an anti-virus company that I'm actually familiar with.
This may be a new strain (Score:2)
So this may be a new strain of virus.
I've sent the sample to a virus company.
Microsoft should be praised for IE. (Score:5, Funny)
Another reason Windows isn't ready for the desktop (Score:5, Funny)
I've been running Linux on my main desktop for years, and recently I've really been considering switching to Windows. After all, it's got some cool apps, and while I wouldn't call it "feature complete", I say they've done a good job of implementing many of the best features of Linux and OSX. However it's articles like this that convince me it's still a bit early to switch to Windows.
All told they've made some real inroads in servers, and the desktop experience is improving with each release (the current unstable branch -- AKA "XP" -- has implemented the theme concept long popular in KDE and Gnome!) however I think it's still premature to declare Windows ready for prime time on the desktop.
I hate to be picky... but.... (Score:3, Insightful)
Re:I hate to be picky... but.... (Score:3, Informative)
http://en.wikipedia.org/wiki/Inchworm [wikipedia.org]
Impressive... (Score:3, Insightful)
Beware of bugs in the above code; I have only proved it correct, not tried it. -Donald E. Knuth [stanford.edu]
Install SP2 You Dummies (Score:5, Informative)
Or Windows XP SP2, which is not vulnerable.
What kind of imbecile runs XP but not SP2?
Re:Install SP2 You Dummies (Score:2, Insightful)
Re:Install SP2 You Dummies (Score:2)
Maybe someone who read this [slashdot.org] article and doesn't want to take the chance with their main machine.
Re:Install SP2 You Dummies (Score:3, Insightful)
What kind of imbecile runs XP but not SP2?
What's easier to change, Windows 2000 => XP SP2 or IE => Firefox?
For a corporate environment (where, in many cases, most still run Windows 2000), I think I know which.
Re:Install SP2 You Dummies (Score:2)
However, as I don't use IE as my primary browser and SP1 will be supported by Microsoft for some time I don't feel compelled to upgrade to SP2.
Re:Install SP2 You Dummies (Score:3, Insightful)
I do, why upgrade? XP SP2 is slower, has even more annoying widgets, and there is a considerable risk that my computer won't boot anymore if I install it. I think the big question is what kind of imbecile still runs IE, even if they have XP SP2?
Sensationalist /. headlines (Score:5, Informative)
Will microsoft release a knowledge base article (Score:5, Funny)
Re:Will microsoft release a knowledge base article (Score:3, Informative)
http://support.microsoft.com/default.aspx?scid=kb
New Exploits improves IE? (Score:2, Insightful)
buffer overflow protection? (Score:5, Interesting)
buffer overflow protection:
http://vil.nai.com/vil/images/vse80i
I mean, if my program has a buffer and I want to overflow it, how can they stop it? The screenshot mentions APIs, so maybe it just knows about the Win32 APIs.
Why the big Firefox push? (Score:2)
Rather than going for the still-beta Thunderbird, why not just go the whole hog and install Mozilla proper? You get all of Firefox's features and considerably more.
The only niche I can see Firefox/Win32 filling is for people who don't want to run IE, but for some reason don't want to run Mozilla Mail (which is rare at least in these parts).
McAfee VirusScan (Score:5, Interesting)
Now how's that for secure?
I may never, ever figure out the mentality of that decision.
Re:McAfee VirusScan (Score:3, Insightful)
I think I am missing something. Are you saying there are normally Windows versions of Dell machines that come without IE?
Didn't think so.
Re:McAfee VirusScan (Score:4, Informative)
Yes, I was recently forced back to the Windows world for one mind numbing week.
SP2 immunity (Score:5, Informative)
"Users who have installed Windows XP Service Pack 2 are immune to the programs that use the vulnerability, including the two new variants of the MyDoom virus."
Re:SP2 immunity (Score:3, Insightful)
IIRC, for every XP computer, there is one computer running Windows 2000 installation, and probably one running Win9x too. I wonder if this is the sooner updates is one feature Microsoft is trying to have to push people to upgrading.
Re:SP2 immunity (Score:4, Insightful)
What you moderators need for this story... (Score:2, Offtopic)
You moderators really need a tool to separate the wheat from the chaff. The trolls from the insightfuls. You need my
Super Dooper Slashdot Moderator Tool Extension Thingy for Firefox! [webeisteddfod.com]
Take your moderation skills to the next level... today!
Re:What you moderators need for this story... (Score:2)