Extremely Critical IE6/SP2 Exploit Found

Spad writes "Secunia is reporting on three vulnerabilities in IE6 running on XP SP2. Any of these, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user's system. Moreover, the vulnerability can be used to delete files from the user's system. Secunia says 'Solution: Use another product.'"

Test site

[Dancin_Santa]

They've also posted a test site [secunia.com].

No, you click it first.

Re:Test site

[Sirch]

Hooray for Windows 98!

Never thought I'd be saying that... *sigh*

Daft headline too...

[doodlelogic]

It's either critical or it isn't. "Extremely" is redundant.

Re:Test site

[MarkRose]

I click it but nothing happens. When are site designers going to learn there are other browsers besides IE? Don't they know that Firefox's market sharing is growing? Clueless idiots!

Re:Test site

[Alsee]

If Firefox is going to have any chance at competing then the developers are going to have to get on the ball and implement fully compatible functionality. It is absolutely unacceptable that the Secuna test site does not function as intended.

I know we all want to blame Microsoft for breaking compatibility, but face it, IE is the de facto standard. It is up to us to ensure that if it works in IE then it will work in Firefox just as well, if not better.

-

No luck with Safari, either

[Ohreally_factor]

I just e-mailed Steve Jobs basically the same thing about the Safari Browser. If Apple ever hopes to make it into the enterprise, they're going to have to include at least equivalent functionality for developers to, er, exploit.

Re:Test site

[Citizen of Earth]

I know we all want to blame Microsoft for breaking compatibility, but face it, IE is the de facto standard.

I think that the Firefox developers should give credit where its due. They should organize another pledge campaign to raise $10,000.00 to give to Microsoft as a token of good will for all of the advertising that Microsoft has done for Firefox. Although the actual advertising contribution of Microsoft is at least a thousand times greater, this would help coax Microsoft toward continuing their generous support and [this is the serious part] the press would eat it up, contributing another $5M worth of free advertising.

Re:Test site

[l3v1]

Also, please keep in mind that Firefox has had more high/critical security vulnerabilties in the last year than IE has

Uhmm, without checking, just remember that most of the holes IE has are years old. Who cares whether Firefox had more bugs in a time period, if those get damn quickly corrected, and btw most of last years' FFox holes are only pre-1.0.

And one more thing: the dogs ass, maybe that's not the worst place one can be :) At least FFox users are out of that ass, while those with IE... well use y

No explanation about what the test does...

[kiddailey]

What's scary is that page doesn't even detail what the test will do on your machine! Clicking the link is risky enough even if you did know what it was going to do (ie. how do you know their server hasn't been compromised and the test altered).

All it says is "The test requires that you have Windows installed in 'c:/windows/'." Uh... Why? is it actually doing something in there? Does it just need to access cmd.exe?

Click at your own risk, indeed. I suggest running it on a machine that you plan to reformat or under an emulator like VPC.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:No explanation about what the test does...

[js7a]

This is a pretty good security advisory. It looks like it was actually meant to be understood by end users, and not just other security professionals. Then again, it seems to be taking a measurement without obtaining explicit permission first, and I'm sure that makes people nervous. But under the circumstances, it's probably not a bad decision to just go ahead. I mean, why not?

Re:That's exactly my point...

[irc.goatse.cx troll]

Launches the new IE window using cmd /c iexplore.

Re:No explanation about what the test does...

[beelsebob]

Probably because cmd.exe (and iexplore.exe) are found in C:/windows, and it needs the full path to lauch one in the first place.

Re:No explanation about what the test does...

[Kris_J]

This is why I didn't bother to "fix" it when my system drive set itself up as E: the last time I rebuilt a home PC.

Re:No explanation about what the test does...

[mattyrobinson69]

No, internet explorer belongs here:

\Program Files\Internet Explorer\Iexplore.exe

Sounds like youve got a virus

Re:No explanation about what the test does...

[LiquidCoooled]

The test requires the C:\windows folder because it directs the Help display control(hhctrl.ocx) to a default help files stored within the windows folder:

"c:/windows/help/ntshared.chm"

Once this help object is loaded, it can be activated, and malicious code can be injected using a second instance.

Without a known help file location, the script is useless.

Re:No explanation about what the test does...

[Rick Zeman]

Probably because cmd.exe (and iexplore.exe) are found in C:/windows, and it needs the full path to lauch one in the first place.

I don't know anything about this subject but I guess that IE doesn't have access to any system variables like %windir% and the code can't do %windir/cmd.exe and thus also exploit Win2k or NT4 with IE 6 installed?

Re:No explanation about what the test does...

[0x461FAB0BD7D2]

The Secunia test uses the ntshared.chm MS-HTML help file, via ActiveX, to call this script [secunia.com], which, in turn, starts a new IE which goes to this site [secunia.com].

The JMCardle test does something similar, but calls this script [jmcardle.com] instead, which just runs

mkdir C:\\ie6vulnerability.jmcardle

in Command Prompt

Re:Test site

[CerebusUS]

This is NOT a new vulnerability. This is an upgraded severity on a vulnerability that was reported almost 3 months ago:

From the article:
Secunia Advisory: SA12889 Print Advisory
Release Date: 2004-10-20
Last Update: 2005-01-07 ...

Changelog:
2004-10-21: Updated advisory.
2004-10-28: Added another workaround in "Solution" section and linked to Microsoft Knowledge Base article.
2004-11-02: Updated with additional information in "Description" and "Solution" section.
2004-11-29: Updated "Description" section with additional information from Paul.
2004-12-23: Added link to US-CERT vulnerability note.
2004-12-25: Updated "Description" section with additional information from Paul and Michael Evanchik.
2005-01-07: Increased rating. Added link to test. Updated "Description" and "Solution" sections.

So they upped the severity rating and added another workaround. This isn't really news. You've been vulnerable to this for almost 3 months now.

Re:Test site

[Red Pointy Tail]

What you mean is that we have been vulnerable to this since IE6 was available waaayyyyy back, but it wasn't known until 3 months ago, and that they just realised how easily exploitable it is 2 days ago.

So what you're telling me is that

[TrekkieGod]

this has been known for 3 months and there are still no patches available from microsoft? According to windows update, I'm fully patched, according to their test page, IE is still vulnerable. I think that's even worse than it being a new vulnerability.

Lucky me that I use firefox, and just got IE out to try out that test. And don't give me stuff about "turn off activeX" or some bs like that. The point is, how many non-tech savvie people think they're safe because they've done what we told them to do and kept their computers patched?

Re:So what you're telling me is that

[CerebusUS]

No, What I'm telling you is that this article was written and posted to provide fodder for a flame war.

You are still vulnerable because Microsoft has determined that this vulnerability is:

a) unpatchable without ruining the functionality of the product

and / or

b) not a large enough threat to worry about.

Now I'm _not_ going argue whether either of these points is correct or not. But to present these as "New exploits" is typical Slashdot anti-journalism. they did the same thing when they announced the "New" vulnerabilities for Firefox [slashdot.org] a few days ago. Those were not new either, but neither the submitters or editors bothered to read the articles that were submitted.

Re:Test site

[m50d]

OK, you find me a more critical vulnerability. One that allows nuking the bios maybe, but other than that I can't think of such a thing.

Re:Test site

[skraps]

You could flash the BIOS, but the way to do that is pretty vendor-specific. I think what the GP really meant was "nuke the CMOS" - erase the settings. That can be done from software, and is generally not vendor specific. However, you will need admin privileges to do it on windows NT, 2000, XP, and 2003.

Re:Test site

[farnz]

It allows a malicious web page to do anything on your system that you can do locally; if the user you run IE as can do it, the attacker can do it too. So, if you can read these critical files, the attacker can, too. If you can modify them, guess what? The attacker can change them too.

If I were a black-hat planning to exploit this vulnerability, I'd put a remote control program like Back Orifice and a HTTP tunnelling program onto the web for BO to use for connectivity. Then the exploit downloads and install

But can it be used to...

[FullCircle]

delete IE?

or maybe install Firefox?

Script? Written -- Enjoy!

[Pavan_Gupta]

http://www.people.virginia.edu/~pg8p/ [virginia.edu]

It downloads firefox, and begins the installation -- that's it.

I could've very easily move iexplore.exe and adjusted icons and everything, but let's play this the white hat way. Enjoy amigos!

Re:But can it be used to...

[BitchKapoor]

As a matter of fact you can delete IE, but Windows quickly restores a backup copy of it from somewhere. However, if you copy another file over C:\Program Files\Internet Explorer\IEXPLORE.EXE or even just delete it and quickly rename another file to IEXPLORE.EXE before the backup is restored, Windows doesn't seem to revert your changes (this is probably to allow upgrades). I'm not sure how Windows decides when and how to make a backup. When I replace IE by a simple text file, after deleting the text file,

Not working

[Anonymous Coward]

Hmm... I tried the Secunia site and IE just blocks the activex control, saying it's unsafe.

The jmcardle site gets past IE, but Norton detects it and immediately blocks access. Nothing happens.

Re:Not working

[weicco]

Internet Explorer Script Error

An error has occured in the script on this page.

Line: 2
Char: 324
Error: Unterminated string constant
blaablaablaa
Do you want to continue running scripts on this page?

Hell no!

Re:Not working

[ashot]

I have a fully pathched SP2, and it worked on me.. however I've disabled most of the ActiveX and other precautions because I don't use IE.

It fries Safari

[kiddailey]

Pardon the technical terminology :)

With Safari 1.2.4 (v125.12), I get a "Safari cannot find the Internet plug-in." error dialog and then the beachball of death. Joy. Well, at least it's not opening the terminal.

Re:It fries Safari

[mj_1903]

I did not get the beachball of death but a similar and expected result with the ActiveX plugin.

Re:It fries Safari

[coyotecult]

Beachball of death is just so much more fun and sunny sounding than blue screen of death! MS should've reworked their PR on that one.

Re:It fries Safari

[Alsee]

Ohhh geez, I can just imagine the image:

Blue sky
Bright yellow sun
White fluffy clouds
Cheezy rainbow across the sky, and under the arc of the rainbow:
A FATAL EXCEPTION 0E HAS OCCURRED AT 0157:BF7FF831
Green grass
Smiling happy sunflowers
Pink fluffy bunnies hopping around and singing happy happy songs and dancing with the sunflowers.
PRESS CONTROL+ALT+DELETE TO RESTART YOUR COMPUTER. YOU WILL LOSE ANY UNSAVED INFORMATION IN ALL APPLICATIONS.
HAVE A HAPPY DAY!

-

Re:Not working

[Zorilla]

I couldn't get the site to work on my 1936 Stutz Bearcat. I tried attaching an onion to my belt. It was a yellow onion because those were the style at the time...

Heh

[tektek]

Even a fully patched sp2 is in danger. Good news for Firefox fanboys?

Re:Heh

[molnarcs]

Bad news for everyone - except for some open source advocacy. Gives a nice opportunity to show how MS talks bullshit - when they talk about security. Did anyone notice the date when Microsoft was notified?

Provided and/or discovered by:
1) Discovered independently by:
* http-equiv
* Andreas Sandblad of Secunia Research (reported to Microsoft on 2004-10-13).

That's right, Microsoft "we take security very seriously" Corporation has known about this vulnerability for almost two months, yet they leaved it unpatched? Why?

Re:Heh

[Owndapan]

The exploit worked on my fully patched WinXP SP2 box, running EZ Firewall/Antivirus suite, and running as a non-admin user.

I think this exploit deserves a bit more attention than "serves clueless n00bs right". Although to be fair my default browser (FireFox) was unaffected ;)

Re:Heh

[Anonymous Coward]

It's amazing how the WinFanboys can live in such denial. It's like people you know who live in a really bad neighbourhood and deny there's anything wrong. "Oh we're OK, we live in a safe area. As long as you put bars on all your windows, don't leave the house when it's dark, put up bullet proof windows, and don't make eye contact with the neighbours like sensible people you're perfectly safe". It's the old "Apart from how it's broken, it works perfectly" line. Used car salesmen use similar techniques. "She

Re:Heh

[Anonymous Coward]

Yeah, if your grandma hasn't spent at least $50 on third-party security software plus a yearly antivirus subscription fee, plus made sure to configure her firewall correctly and run virus and spyware scans weekly, plus made sure to create a restricted user account that she runs IE under, why then she has only herself to blame. Obviously Microsoft is doing everything in its power to protect her.

Re:Heh

[R.Caley]

...But one with proper security controls put in place like a good virus scanner/firewall/IE settings/anti spyware and creating a non-admin user for web browsing will not be affected.

And a car with the wheels nailed to the ground, the doors welded and all the windows painted over is pretty safe from theves. When you saw those precautions advised in the manufacturer's literature, would you buy the car?

Re:Heh

[Master of Transhuman]

"But one with proper security controls put in place like a good virus scanner/firewall/IE settings/anti spyware and creating a non-admin user for web browsing will not be affected"

Right - and Granny isn't supposed to be able to run Linux, but she can do all that security stuff on Windows, right?

Well, I actually believe she can IF someone tells her she needs to...

And she can learn Linux, too, if she decides Windows is a piece of bloated, unreliable, unstable, expensive, insecure CRAP...

How many YEARS pas

Non-admin won't help you much

[MarkByers]

creating a non-admin user for web browsing This assumes that there are no local exploits to promote users to superusers. It is a much better idea to use a secure product, rather than hoping that there are no security vulnerabilities in the Windows kernel.

Delete files?

[lachlan76]

One would assume that any vulerability that could run arbitary code would be able to delete files.

Re:Delete files?

[Spy Hunter]

Exactly. Even on vulnerabilities that can execute arbitrary code, they always list a bunch of other silly little things they can do, like cross-site scripting or my personal favorite "view the content of arbitrary files in known locations".

If they reported the evening news the same way it would sound like this: "Today terrorists announced they have armed an atomic bomb in the middle of Los Angeles. They also announced that they have control of several hand grenades and also some water balloons and cap guns, and they're not afraid to use them!"

Re:Delete files?

[lachlan76]

Actually, I would have said it was more like "Today terrorists have announced that they have armed an atomic bomb in the middle of Los Angeles. If it goes off, it may burn you!"

Re:Delete files?

[wfberg]

One would assume that any vulerability that could run arbitary code would be able to delete files.

Not necessarily. If the arbitrary code is run in a restricted security context (e.g. Guest User, sandbox, restricted zone/role/capability) it shouldn't be able to delete files it has no acces to. The exploit would need to run a second exploit for privilege elevation.

Thankfully, in Internet Explorer's ActiveX security model none of all that is necessary, greatly speeding up the development of worms.

A worm that deletes everything.

[caluml]

We need a worm/virus that deletes everyones files. That would make keeping your computers patched a high priority for most of the users. At the moment, viruses are just something that affects and annoys "other people"

Re:A worm that deletes everything.

[Neuroelectronic]

Such a worm wouldn't spread very far...

Re:A worm that deletes everything.

[ashot]

You could have it run and spread itself for a few days, and then delete all the files. Or delete all the files only after it infected X other computers.

Re:A worm that deletes everything.

[caluml]

Or just used Windows file encryption to encrypt a load of stuff, and then change the passwords for all the accounts. Chances of people backing up their encryption key, but not patching their boxes are very small.
Change a few fields in spreadsheets too might be fun.
Post stored usernames and passwords to newsgroups..

Re:A worm that deletes everything.

[LewsTherinKinslayer]

"We need a worm/virus that deletes everyones files. That would make keeping your computers patched a high priority for most of the users. At the moment, viruses are just something that affects and annoys "other people""

Similarly, we need a firebug to go around lighting people's houses on fire to show how having smoke detectors should be a high priority.

I realize you're not being 100% serious, but this reasoning is stupid.

Re:A worm that deletes everything.

[caluml]

Mmm, not quite the same. Smoke detectors don't prevent the setting on fire. They just warn after the fact.

Re:A worm that deletes everything.

[CrackedButter]

Your comparision is wrong, a lot more people are aware of firehazards in the home. Compare the number of burning houses to systems infected worldwide daily.

When it comes to computers, people are generally ignorant other than to learn what they need to, knowing somewhat that computing as a whole is huge, they just want to get their work done and who can blame them?
Parent is right, we need something really destructive for people to be really pissed off and think about what they are doing or not doing. Y

Re:A worm that deletes everything.

[eofpi]

Well, there's always hoping for this [dansdata.com] to happen....

Re:A worm that deletes everything.

[tom1974]

That would make keeping your computers patched a high priority for most of the users.

What has that to do anything with this story? RTFA and please stop blaming the user for everything.

Running WinXP SP2 and fully patched system. I run Norton anti-virus, spybot, Ad-aware and now MS Antispyware and enabled autoupdate.

Checked out Secunia, ran their test and my system was found vulnerable.

What more should I patch?

Re:A worm that deletes everything.

[Anonymous Coward]

What more should I patch?

The OS! I'm serious, when will people realize this: You are running a fully-patched system, with an antivirus, 3 spywares detectors and enabled autoupdate. I have Li**x and I need nothing, I work with it, and it works as expected.

Re:A worm that deletes everything.

[caluml]

Running WinXP SP2 and fully patched system. I run Norton anti-virus, spybot, Ad-aware and now MS Antispyware and enabled autoupdate.

You're Microsofts wet dream, aren't you? :)
I admit, this flaw isn't patched. But most of the time, the worm/virus uses old exploits.
Anyway, my point was that it would illustrate the fact that many many people (90%?) are using a flawed OS and browser combo.

Re:A worm that deletes everything.

[caluml]

I'm genuinely curious. Why isn't it up to you?

Re:A worm that deletes everything.

[Taladar]

So why are you allowed to install a dozen third-party apps to deal with IEs flaws but no alternative to it?

Re:A worm that deletes everything.

[skiman1979]

It's a shame that Windows users need to install antivirus, spybot, ad-aware, and other scanners (and run them on a monthly...weekly...daily basis to keep their computers clean. Also, don't forget about regedit. Seems Windows registry likes to corrupt itself. I dread the day that Linux gets to that point.

Re:A worm that deletes everything.

[jamesh]

wouldn't be a worm or virus then, unless it somehow propogated. If would be a worm though if it _first_ looked for local web servers with write permission allowed from the current user (eg on same intranet), infected those, then deleted files from the users computer.

Now we use IE6 and XP only for banking

[Green Salad]

It was mandatory for us to switch to Mozilla. Problem is all our financial vendors make use of Active-X.

Result: Now we use Mozilla for casual browsing and use insecure products only when conducting important business!

Re:Now we use IE6 and XP only for banking

[davids-world.com]

I don't deal with the financial sector professionally, but all my private homebanking with 4 banks in three different European countries and a broker work just fine without IE (I use Safari = KHTML). No ActiveX there - I believe it's state of the art not to use IE specific stuff. (But I guess I wouldn't choose a bank in the first place that requires stuff like IE or even Windows...)

Heh.

[BJH]

Yeah, similar thing here - I use either Mozilla or Firefox at work and at home for pretty much everything, but the company timesheet site and internal website (including things like the phonelist) refuse to work under anything other than IE.

Good work guys, it wouldn't have taken any more than a couple of days to figure out how to get your frigging menubar to work in a way that didn't require the security equivalent of a gigantic Swiss Cheese.

Re:Now we use IE6 and XP only for banking

[SharpFang]

Switch to providers who don't lock you in with crappy service. And tell them clearly "Supporting only insecure Microsoft products you don't meet our security standards. Good Bye!"

I'm not a big company, I'm just a private user. I very recently switched banks I use for personal finances. I left a "common" bank with its units in in several thousands of locations, and introducing new fees and increasing old ones now and then to maintain them all, and with quite crappy and really expensive Internet service, that was supposed to work in Mozilla/Firefox but it more often didn't than did, and I signed up for an Internet bank. Reduced costs of maintenance resulting in zero fees on all operations and account maintenance, no other fees, (except of withdrawal from ATM, very cheap too), and as they are an Internet bank, finally a REALLY professional Internet service. Working flawlessly in any browser, probably including Lynx :)

I don't know how it works for big companies but I strongly encourage you to leave your old-fashioned banks and move to "Internet banking". Reducing number of channels where money flows lets them focus on keeping the channels they maintain highest quality.

Whoa

[FractusMan]

I use Mozilla. I tried that test link, nothing at all happens. I have SP2 installed and all configured proper - except IE, which I didn't bother to touch at all since installation. I figured, hey, I've got an 'untouched' copy of IE here. I open it, I go to the test site, I click that link: WHOA. Holy crap. Help document pops up, and then (the scary part) a command prompt flicks open, does SOMETHING, and then a new window is up. Yikes. I guess some part of me always hoped these exploits were exaggerated in their swiftness and ability to bypass your input.

it's not a vulnerability...

[i 3 joo!]

it's an IE feature.

Surfing with IE

[The Bringer]

I have made my own little extreme sport out of it. I fill my old box with all of my financial information, and surf around using IE. I think Microsoft is pretty impressed, because they keep sending me boxes of Viagra and dog crap.

check if your vunerable

[blackest_k]

http://secunia.com/internet_explorer_command_execu tion_vulnerability_test/ [secunia.com]
is a test page containing a link if you left click on it and a window opens your vulnerable (it didn't do anything in Firefox)

Phew, Slashdot's back to normal

[Anonymous Coward]

#!/microsoft/bash

After today's pro-Microsoft articles, its about time we got back to bashing!

Is anyone still using IE?

[Chromodromic]

Yeah, well, I guess corporate IT depts are probably struggling with mgmt to implement company-wide changeovers, especially for all those companies that are Microstooges and have big service and standardization contracts, yadda yadda yadda. But for all you individuals out there who aren't experiencing the Browsing Bliss that is Firefox, preferring IE to downloading a small file and doing a simple install, well, I don't pity you any more than anyone who walks into a dynamite factory and says, "Man, it's dark

Pff,

[Anonymous Coward]

You know what? I'll just stop using the internet. I'll just .................

Fairly simple solution

[jazman]

although it requires a bit of messing around. IE - Tools - Options - Security.

select Internet Zone; click Custom Level; set just about everything to Disable or Prompt.

select Trusted Sites; click Sites; remove https requirement (because the use of https is no guarantee of safety). Then go to Custom Level, then set some items to Prompt, most to Enable.

This way, anything that isn't in your Trusted Sites list can't get up to any substantial shenanigans. When a page doesn't work, add the site to the Trusted Sites list.

Then, even if the page is one that attempts to initiate a cascade of pr0n sites that only open more up each time you close one, it may be able to open the first level of the cascade, but unless the cascaded ones are also on your Trusted list that's where the cascade will stop.

Some pages redirect you to another site; some have frames on different sites and so on, and this can get a bit tedious, but for the most part this makes IE6 invulnerable to Secunia's tests.

Also I only use IE for secondary browsing, where something REALLY won't work in Firefox, which is also protected by Proxomitron.

Your solution breaks McAfee virusscan

[PommeFritz]

As you can read in my comment below about McAfee Virusscan 9.0, disabling activex in internet explorer breaks every settings and information panel of that virus scanner.
Great. A virus scanner that contains IE.
(I deinstalled McAfee an hour ago).

Re:Fairly simple solution

[nagora]

What the hell is wrong with people?

1. People really do fear change,
2. Microsoft has succeeded in producing a massive lock-in with their products,
3. Many people, wrongly, think that a "big name", whether in computers or cars or whatever, means big support and that small companies can not have the resources to make "fully functioned" products. The trick here is that many of the extra functions were added to push the upgrade sales, not for any utility,
4. Many people are stupid,
5. Large companies get quiet "bonuses" for

Sophos Anti-virus detects pages using this exploit

[kasihan]

I use Sophos Anti-virus - and it alerts on the cached copy of the test page as containing a virus/exploit EXP/Phel-A:

http://www.sophos.com/virusinfo/analyses/expphela. html/ [sophos.com]


EXP/Phel-A detects files that exploit the HTML Help Control Vulnerability which affects systems installed with Microsoft Windows XP Service Pack 2.

This vulnerability allows arbitrary code execution on the vulnerable system by bypassing security constraints established by the operating system.

BFD

[Anonymous Coward]

I don't see what the big deal is. Provided that all of your users are rocket-scientists that never, ever do anything stupid that allows any hostile code access to their machines, then all your company's intranet sites should be safe and aren't going to include this IE exploit. IE will remain safe to use.

As for the internet, let's be serious. Anyone who, since 1995 (when ActiveX was introduced), has used MSIE on the internet, is just plan stupid, and has never had a reasonable expectation of either security or privacy. This has literally been known for nearly a decade now. "Fool me once, shame on you. Fool me 621498 times, shame on me."

Re:BFD

[Ghostgate]

"Fool me once, shame on you. Fool me 621498 times, shame on me."

GWB said that, right?

Ya I pretty much have to recommend no IE now

[Sycraft-fu]

I'm a Windows guy, and generally I think MS does good work (please no retarded flames on this I won't respond). However IE is just not worth using as a web browser these days. I have switched to Firefox, switched all lab systems I control, and recommend to everyone that they switch. It is just as fast, in my experience, has support for more of the W3 standards, and is more customizable. The only area it falls behind in it rendering broken code, and that's rare enough it's not a big deal.

The security issues are another consideration as well. Active X controls in a webpage were a nice idea, as a way to add neat funtionality, however it simply opens up the possibility of too many exploits. It's not a matter of doing better checking of code or such, it's just too much power for a website to have.

So, even liking MS generally, I have to recommend against IE. Firefox is currently better in all the ways that really matter.

Also, I've noticed some people mention online banking as a problem. Bank of America works fully with Firefox and has generally been a deceant bank. Though I imagine if Firefox grows much more banks will have little choice but to support it.

What did Microsoft do to SP2

[Nuskrad]

I'm running XPSP1 with all critical updates installed. To get the exploit to run with IE on my computer I have to manually change the security level to low, allow an unsigned ActiveX control to run when it warns me I shouldn't, and confirm the overwriting of files. What the hell did Microsoft do in SP2 to make it vunerable?

The expliot is specifically coded to target SP2

[WD]

The code for the web page is designed to specifically target Windows XP SP2. The code modification required to make it target multiple versions of Windows is trivial.

Help me!!

[Piranhaa]

Hey can someone please tell me how I can find out where my windows is installed? It says here http://secunia.com/internet_explorer_command_execu tion_vulnerability_test [secunia.com] that windows needs to be installed in c:\windows\ for their test exploit to work 'properly'

Computer specs: iBook g3 800mhz...

I hope that helps a little

SP2 - any effect?

[rseuhs]

It looks like SP2 was just the usual patch-collection and the crackers just needed a little bit time to adapt to it.

According to their own test...

[gatkinso]

...this unpatched XP laptop is not vulernable to the exploit.

Guess it isn't as extremely critical as they say.

McAfee virusscan itself is also affected in a way!

[PommeFritz]

I have McAfee virusscan 9.0 installed.
Clicking the test link with IE proved that my system is vulnerable (if using IE, which I'm not, ofcourse). I had expected McAfee to block this web page, but it didn't. So I went to the internet security options panel in IE, and disabled all ActiveX controls.
But lo and behold, McAfee virusscan stopped working!
All their dialogs and panels seem te be using IE's HTML engine for display, and all I get now is first an error "your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly" and then an empty window when trying to access any of McAfee's information or settings dialogs!!
What a load of crap. I will send them a complaint, and remove their product from my computer right now, to replace it with a good, free virusscanner. Any recommendations? Thanks.

Re:McAfee virusscan itself is also affected in a w

[eraserewind]

AVG Antivirus.

Re:McAfee virusscan itself is also affected in a w

[zerocool^]

I am sorry that I cannot reccomend any free virus scanners. The *only* virus scanner that I ever reccomend to anyone now is TrendMicro. After working with it for a while now, I almost refuse to fix problems with McAfee and Norton. Both of them drastically slow down a computer, and both of them miss viruses that TM finds regularly.

If you'd like to see it in action, go to Trendmicro.com/download [trendmicro.com] and click on "Damage Cleanup Engine", download "sysclean", then go back and click on "Virus Pattern File" and download the latest (currently lpt335.zip). Unzip this into the same directory as sysclean and run it.

This solution won't stay in memory and scan everything that accesses your computer or HDD, but it will find viruses if you have any.

~Will

Re:McAfee virusscan itself is also affected in a w

[kryptkpr]

AVG Personal Edition [grisoft.com]

Re:McAfee virusscan itself is also affected in a w

[omicronish]

That's pretty amusing. A virus scanner that relies on a component that may be a vector for viruses and trojans, and a known vector for spyware.

Embedding IE is simple for the programmer, but the security settings are so confusing for the user that it's possible to inadvertantly tighten security too much for local applications, which causes the errors that you speak of. After the existence of security holes themselves, I think the next worst part about IE is its incredibly confusing set of security settings,

Reported to Microsoft ...

[un1xl0ser]

In case anyone missed this, it was reported to Microsoft on 2004-10-13.

Three months later, no sign of a patch.

good reflexes

[camcorder]

...(reported to Microsoft on 2004-10-13).
That's almost whole 3 months. And since then no vendor patch for such a critical bug found in a major product. Not even a warning or anything. That must be the service that any microsoft software user would expect. Wondering if this is a promotion campaign for their new virus and spyware tools.

This bug and some recent others again proved that Microsoft embedded Internet Explorer in such a way that you can't distinguish it from Windows Explorer.

Re:liars!

[djplurvert]

Well, you've been lucky, one of these days you are going to run afoul of one of the more dangerous internets.

Re:Nothing to see here....

[LewsTherinKinslayer]

This post is both insightful and flamebait at the same time. I love how objective people are(n't.)

Re:Nothing to see here....

[aixou]

I believe there are now exploits in the wild, or exploits poised to get out in the wild -- which is why the rating was increased.

Having a vulnerability is like having a broken lock on a window. An exploit of that vulnerability is a burgular who is going around your neighborhood using windows as the entry point. In my opinion, exploits are a more serious concern than the vulnerability itself and warrant the increased amount of news on the topic.

Re:But...

[ozmanjusri]

Why not just put it into .hlp files like it used to be? I don't recall any security issues with those.

Not since December 27 2004, anyway...

"XFocus also reported a hole in winhlp32.exe, the Windows .hlp file parsing program. The vulnerability is forged from a decoding error within the .hlp header. A perpetrator can exploit the flaw by triggering a heap-based buffer overflow."
http://www.esecurityplanet.com/patches/article.php /11778_3452081 [esecurityplanet.com]

I don't recall any security issues with .hlp...

[kiddailey]

Why not just put it into .hlp files like it used to be? I don't recall any security issues with those.

Yet.

Re:But...

[RAMMS+EIN]

``Secondly, why in the HELL is anyone using HTML files for help documents?''

Why not HTML? Windows help is hypertext, and HTML is the standard for exactly that. I'm all the happier when people use standard formats rather than proprietary ones.

And for the record: HTML is completely secure. It's just data that gets rendered. Security holes are always either in the code that processes the HTML (which is a problem with that code, not with HTML) or in extensions (which is a problem with the extension and the program that uses the extension).

Re:Mac

[northcat]

/hug Browsers-other-than-IE
/hug Linux
/hug FreeBSD
/hug OpenBSD
/hug NetBSD
/hug All-the-other-BSDs
/hug All-OSes-and-architectures-that-are-not-windows-on -x86