Highly Critical Hole Found in IE
dotpavan writes "Eweek reports on a highly critical MS Internet Explorer hole found by Secunia Research's Andreas Sandblad. The vulnerability is due to the processing of the "createTextRange()" method call applied on a radio button control.
From Secunia, "The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2." The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition), though it could be avoided by turning off Active Scripting, as suggested by the Microsoft Security Response Center blog. How would this put MS in the market, hit by the ever-growing shots of vulnerabilities? And would the divorce of IE7 from Vista's Windows Explorer help?"
Patch available (Score:5, Funny)
Re:Patch available (Score:3, Funny)
Re:Patch available (Score:2)
They could have removed IE a long time ago but just decided NOT to.
Re:Patch available (Score:3, Funny)
That's because you're not done until you replace Outlook with Thunderbird
mirror (Score:4, Funny)
IE user, your house is on fire. Run for the hills! Go! Go!
Safest browser ever available (Score:4, Funny)
Re:Safest browser ever available (Score:5, Funny)
Re:Safest browser ever available (Score:5, Informative)
Maybe the thing to do is to telnet to port 80 and parse the HTML in your head, but then someone will probably find an HTML trick that will drive everyone who reads it insane.
Opera - forever beta? (Score:2)
Re:Patch available (Score:5, Insightful)
Folks like Secunia can profit only when the patch takes a long time to develop. As long as it is a secret vulnerability, it has value. This vulnerability is the perfect example: MS was notified about this on 13/02/2006, 40 days ago. They had all the opportunity to fix it in this month's security patch, but they did not. So the patch will come no earlier than 2 months after discovery - that's a huge window of exposure.
It was only when I rediscovered the bug, and posted [seclists.org] an inquiry about it on the Full Disclosure mailing list, that Secunia rushed to finally publish the advisory. I must note that I did not develop the exploit independently, I simply picked it up on underground forums.
I say this is not "responsible disclosure", and that it is *irresponsible* to keep a bug of this magnitude unpatched for 2 months. Because there is a high risk that it will be found by the bad guys in the meantime - just like it happened with this bug.
--
Stelian ENE
Re:Patch available (Score:4, Insightful)
We're going to continue to look into this but remind you also that safe browsing practices can help here, like only visiting trusted websites, etc.
The idea that the user should be careful about which sites they browse to is insane. It's hard to imagine a corporate culture that thinks this way, if it's a pervasive attitude, ever producing a reasonably secure product.
It's one thing to expect the user not to download an executable and then run it as Administrator. It's quite another to expect people to be "careful" which Google hits they click on.
Highly Critical Hole Found in IE? (Score:5, Funny)
Re:Highly Critical Hole Found in IE? (Score:4, Funny)
Perhaps it would save time... (Score:5, Funny)
Re:Perhaps it would save time... (Score:2, Funny)
Come on, the RFC on this [faqs.org] is several years old!
Damn networking hardware monopoly is hampering progress!
It is not a dupe! (Score:5, Funny)
It's a brand new hole!
--
Superb hosting [tinyurl.com] 20GB Storage, 1_TB_ bandwidth, ssh, $7.95
Re:It is not a dupe! (Score:2)
Software is like sex --- every time you find a new hole, someone's going to try to screw you through it.
Hole? (Score:2, Funny)
Re:Hole? (Score:2)
Mod parent up (Score:2)
Just (Score:2, Informative)
Not possible. (Score:5, Informative)
Can't be secure with ActiveX, can't be secure without ActiveX... but what would happen if ActiveX didn't exist? [ubuntu.com]
Re:Not possible. (Score:5, Informative)
ActiveX really should only run from trusted sites anyway.
misplaced trust (Score:3, Funny)
You gullible, gullible fool : )
Required for Windows update? (Score:2)
Re:Not possible. (Score:2)
My XP laptop updates fine and I never go to the Windows Update page; I leave it up to XP's Automatic Updates in the SP2 "Security Center".
Updates are necessary, Windows Update is not (Score:3, Informative)
I can't remember the last time I used Windows Update. Automatic Updates does most of what I used WU for, even more easily. If I want other updates, Windiz Update [windizupdate.com] is very similar, but works in non-IE browsers.
Doesn't help (Score:3, Informative)
In other words, the "fix" is to use your browser in 1995 mode.
Why are IE security flaws even reported anymore? (Score:2)
because (Score:5, Insightful)
It's the time period that sometimes makes it more panicky.
Slashthink. (Score:4, Informative)
Repeating themes on slashdot (Score:2, Interesting)
Why do stories like this even make it to Slashdot anymore?
Why do they mod you flamebait? This is a good question.
Get the facts! (Score:2)
The Internet Explorer is a not so secret remote admin tool! (aka backdoor)
Re:Why are IE security flaws even reported anymore (Score:3, Interesting)
Re:Why are IE security flaws even reported anymore (Score:2)
Do what now? (Score:5, Funny)
So this article updates us to the fact that they plan to update us with an article prior to the update?
Could be worst... (Score:5, Funny)
How does this fare with previous statements? (Score:3, Insightful)
With security being #1 in IE7, and numerous IE7 articles published by both Microsoft and non-Microsoft advocates praising the security and reliability of the new MS browser, can we conclude that even with their upcoming browser, media hype is still the best feature?
Personally, I understand if people don't want to use Firefox, it isn't the best browser either, no browser is the best across the board. I don't, however, understand why people want to continue to use Internet Explorer. It has been proven time and time again to be buggy, and patches take weeks longer than in most other browsers.
Not being a hardcore developer myself, I don't know what causes this, but might this have been avoided if Microsoft adhered to the Javascript standards rather than "tweaking it" for IE?
Re:How does this fare with previous statements? (Score:4, Insightful)
Re:How does this fare with previous statements? (Score:2)
Management are responsible for ensuring that policies, procedures and resources are in place for finding and fixing bugs in an expedient manner (and ensuring that the most significant ones are fixed first), but it's the developers who put them there in the first place. As a developer I know I've created plenty; as a manager I know how hard it is to handle them properly.
NB: I'm referring specifically to bugs here, i.e. where
Re:How does this fare with previous statements? (Score:5, Insightful)
Re:How does this fare with previous statements? (Score:2)
Changing is hard. Even if everything stays the same. People don't change from IE because they are used to it, and they don't know what will happen when they get the new browser.
The fact that nothing important happens, that the new browser has all IE capabilities, and nothing will change (except less spyware and viruses) is irrelevant because people don't know it.
Proof of concept (Score:5, Funny)
Re:Proof of concept (Score:2)
Wait. So now instead of <input type crash> [theinquirer.net], they make you add 16 characters in between? They obviously have no concept of usability. Remember, Microsoft, less typing for the user is GOOD.
Re:Proof of concept (Score:2, Funny)
Someone translate this for me: (Score:2, Funny)
Come again?
Re:Someone translate this for me: (Score:3)
Re:Someone translate this for me: (Score:2)
Re:Someone translate this for me: (Score:2)
got it backwards (Score:3, Funny)
Use it for good not evil (Score:3, Funny)
createTextRange(-1);
And just let the exploit install firefox. It's just that easy.
Re:Use it for good not evil (Score:2)
Yes sir, Windows is much more secure than Linux in the area of Internet Explorer arbitrary code execution vulnerabilities!
Re:Use it for good not evil (Score:2)
divorce (Score:2, Funny)
maybe, but i still recommend divorcing windows entirely. i've loved computers before (not sexually
Dupe! (Score:3, Funny)
Re:Dupe! (Score:4, Informative)
But, good catch!
I am... (Score:4, Funny)
IE 7 in Vista would have been safe (Score:5, Insightful)
Essentially all actions that require higher privileges, such as writing to non-temp locations on the file system, executing applications, installing plugins, changing settings, etc, will be done through the use of a broker.
The broker is very small, perhaps only a few thousand lines of code. This makes auditing the broker far easier than auditing the hundreds of thousands of lines in IE 7.
When IE 7 wants to save a file to the user's desktop, for instance, it must first "ask" the broker if it can do this. The broker is written in such a way that all actions require the user to confirm this is OK via a dialog box. If the user says it's OK the broker completes the action on behalf of IE 7.
If IE 7 has a buffer overflow or exploit of some kind and tries to do something nasty it will always fail because it is running as a user with basically no privileges on the system.
There is a video that describes this in detail on Microsoft's Channel 9 [msdn.com] web site.
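An added toy model of the broker design described in this post (example code written here, not Microsoft's code or anything from the video): a sandboxed renderer that can only send request messages, and a small broker that checks policy and asks the user before touching the file system. The Request/Broker names and the "writes only under one allowed directory" rule are assumptions for the example.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Request:
    """Message from the sandboxed renderer: carries intent only, no handles."""
    action: str   # only "save_file" is understood; anything else is refused
    path: str     # where the renderer would like the file written
    data: bytes

class Broker:
    """The one small, auditable component that actually touches the file system."""
    def __init__(self, allowed_dir: str, confirm: Callable[[str], bool]):
        # Only writes under allowed_dir (think: the user's Desktop) are even
        # offered to the user; everything else is refused before any prompt.
        self.allowed_dir = os.path.realpath(allowed_dir)
        self.confirm = confirm  # stand-in for the confirmation dialog box

    def handle(self, req: Request) -> str:
        if req.action != "save_file":
            return "denied: unknown action"
        # realpath resolves ".." and symlinks, so a hijacked renderer cannot
        # smuggle a path that escapes the allowed directory.
        target = os.path.realpath(req.path)
        if os.path.commonpath([self.allowed_dir, target]) != self.allowed_dir:
            return "denied: outside allowed directory"
        # Even an in-policy request still needs the user's explicit OK.
        if not self.confirm(f"Save {os.path.basename(target)} to {self.allowed_dir}?"):
            return "denied: user declined"
        with open(target, "wb") as fh:
            fh.write(req.data)
        return "done"

def renderer(broker: Broker, reqs: List[Request]) -> List[str]:
    """The low-privilege side: it can only ask the broker, never act itself."""
    return [broker.handle(r) for r in reqs]

def demo(user_says_yes: bool = True) -> Tuple[List[str], bool]:
    """Constructed scenario: one legitimate save, then two requests a compromised
    renderer might make. Returns the verdicts and whether photo.jpg was written."""
    with tempfile.TemporaryDirectory() as desktop:
        broker = Broker(desktop, confirm=lambda _prompt: user_says_yes)
        photo = os.path.join(desktop, "photo.jpg")
        verdicts = renderer(broker, [
            Request("save_file", photo, b"\xff\xd8"),                           # normal save
            Request("save_file", os.path.join(desktop, "..", "x.dll"), b"MZ"),  # path escape
            Request("run_program", photo, b""),                                 # not a broker action
        ])
        return verdicts, os.path.exists(photo)
```

The point the post makes is visible in the verdicts: the out-of-policy requests never reach the user prompt, and the in-policy one still needs the user's consent.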
Re:IE 7 in Vista would have been safe (Score:4, Funny)
Re:IE 7 in Vista would have been safe (Score:4, Insightful)
Besides which, the security model in NT-based systems is much richer than that in Linux-based systems. Unfortunately a few poor design/marketing decisions and a generation of sloppy coders too used to 9x-based systems have gone a long way to obviate that advantage, as far too many people simply run with administrative privileges.
That said, the clueless will always be a danger to themselves, whatever system they run.
Re:IE 7 in Vista would have been safe (Score:3, Interesting)
I beg to differ, unless you qualify that with default. Even then, there is little difference in capability in actual practice, as you pointed out. The security model in Linux has almost always been as rich as you want it to be. Process and role based access control has been available and used in Linux for several years in systems where that level of control is desirable, and has even crept into default installations o
Re:IE 7 in Vista would have been safe (Score:2)
In linux, assuming no local vulnerabilities you are mostly in the same
Re:IE 7 in Vista would have been safe (Score:2)
This is very little security.
A lot of users have no idea what any of it means, and are easily tricked. And Windows has so many prompts that even many sophisticated users begin to answer yes without paying atte
Re:IE 7 in Vista would have been safe (Score:2)
The dialogs they will see are EXACTLY the same as they see now. They will have no idea it's a "broker". IE will act more or less just like it does now.
Of course, if you watched the video, you would know that.
Re:IE 7 in Vista would have been safe (Score:3, Insightful)
Sure, Microsoft probably has a convincing sounding explanation for why this time, their system will be secure. But they had a convincing sounding explanation many times in the past, and it never made a damn bit o
Re:IE 7 in Vista would have been safe (Score:2)
But what I'm saying is that the basic design of this is more secure than not only previous versions of IE, but all browsers for all operating systems.
It makes sense to treat browsers a little differently than most applications since they are often the primary attack vector for most users.
Re:IE 7 in Vista sounds irritating (Score:3, Insightful)
Wait, so I right click an image, choose "save to desktop", and then a dialog will come up asking me if I "really want to" do that?
You know, my usual response to dialog boxes like that is something along the li
Re:IE 7 in Vista would have been safe (Score:2)
The user can't, in nearly every instance, tell the difference.
MS Claims Latest IE 7 Beta is not Susceptible (Score:3, Informative)
Per the same blog, the 20 March release of IE7 Beta is not vulnerable.
Caveat emptor... I haven't tested it.
The 1st IE7 worm after the 'divorce' from windows (Score:5, Funny)
But they spend 20 billion on making windows secure (Score:3, Insightful)
Didn't we just have an article about MS wanting to go after Big Blue's business in the serious computer market? That they had spent 20 billion dollars on getting Windows ready to compete with the big boys and that IBM better look out?
Some MS fan boys of course swallowed that line hook, line and sinker. The same line MS has spun since it began business. "The next version will be lots better than what our competitor offers so please buy our [inferior] product now, we promise to ship the next version on time and as promised. Honestly. Have we ever lied to you before, or failed to meet a deadline, or failed to live up to our own hype?".
So the question by the poster of how this will affect MS in the market.
Not at all.
Simple as that. MS can keep producing crap and the public will continue to lap it up. I don't even care for the reasons and excuses anymore. They start to sound more and more like what you get at an Alcoholic Anonymous meeting or a session for battered wives.
As a LAMP developer I was recently offered a position with the opportunity to grow into .NET development. Gee thanks. What is the bonus package like? Kick in the nuts?
For those wondering what IE 7 and Vista will really be like: more of the same old crap, just a lot more useless crap that nobody really uses but that adds a lot of bloat that makes it impossible to debug. If IE 1 - 6 have been buggy security holes and IE 7 has so far had the exact same bugs and security holes as 6, then it is obvious that MS hasn't really done anything with that supposed security audit of theirs.
First WMF, now this. Vista is just another re-release of the same crap code that MS has been lugging around since Billy boy first stole his BASIC interpreter.
Business as usual. No doubt they will make a fat profit on it.
Re: Highly Critical Hole Found in IE (Score:2)
<IE>
Comment removed (Score:4, Funny)
Highly Critical (Score:3, Funny)
not as bad is it sounds (Score:2, Informative)
I can't find any info on this delicious IE bug, but it seems to be publicly known:
r=document.getElementById("c");
a=r.createTextRange();
It will badly access a (virtual?) pointer table, making EIP jump to a random address. This has various effects on the system I've tested
Re:not as bad is it sounds (Score:3, Informative)
Re:GAH (Score:5, Insightful)
Re:GAH (Score:2)
Some people believe that an ounce of prevention is worth a pound of cure.
The exception is for companies that profit off of 32-ounce cures.
Re:GAH (Score:2, Insightful)
Re:GAH (Score:2)
Re:GAH (Score:2)
True, but at least it allows one to take precautions. In this case, instead of being the oblivious IE user, the user can at least turn Active Scripting off to avoid any unforeseeable danger.
Wrong Analogy (Score:2)
Wrong analogy. By hiding the exploit and announcement, it is more akin to denying that the illness exists at all and therefore they will be safer. It is bogus and backwards logic that ignorance is the best course of action. Warning people about the exploit is giving them a chance to don the "level 4 contamination suit" instead of continuing to play with fire.
Re:GAH (Score:2)
Re:GAH (Score:2)
Besides, just because someone doesn't publish the exploit, doesn't mean there aren't people out there who are using it.
Re:There's an IE 7? (Score:2)
Re:Good week for MS (Score:3, Informative)
Re:Wait a minute... (Score:2)
And you people bitch about slashdot being ugly, broken, and slow.
Re:It's funny (Score:2)
The difference is that if Sun were DDosed every couple of weeks on millions of PCs for almost 10 years because of putting something as stupid as "Active Scripting" or ActiveX into a product that is coupled tightly with the operating system (no, it appears as the decoupled version even helped this one), then we would be blaming the software company as well.
So
Re:It's funny (Score:3, Interesting)
Easy formula (Score:2, Interesting)
GoDaddy == Good.
GoDaddy * Microsoft == Evil
In the same vein (but totally against any mathematical logic), any company (including evil ones) that is associated with Open Source and/or Linux automatically becomes good.
Oracle
Re:Easy formula (Score:2, Informative)
Obviously OSS and Linux are absolute value functions.
Oracle == Evil
Linux(Oracle) == Good
China == Evil
OSS(China) == Good
Re:Easy formula (Score:2)
SCO == Good (well, they were once)
SCO * Linux == Evil
Re:Easy formula (Score:2)
Young man, I tell you now that you simply have not seen enough mathematics.
Re:Easy formula (Score:2)
Microsoft * OSS is
A) == Undefined
B) == Infinitely +Good/-Bad
D) == Neutral
C) == A 13+ dimensional value.
E) == Cowboy Neal's day job.
Which is it?
Answer: B (infinitely evil) (Score:2)
Re:Easy formula (Score:2)
Wait a few weeks to submit that poll, the current one isn't old enough yet
Re:It's funny (Score:5, Insightful)
Here's the difference: In Sun's case, the hackers didn't alert Sun to the vulnerability. They just DOS'd a free service that Sun provided the world, causing headaches for people attempting to use the service. Their actions accomplished absolutely nothing (the grid was not affected), and resulted in Sun pulling a previously free product behind a security wall for which people are required to subscribe. Good going!
In this case, a researcher discovered a flaw in the browser, and instead of being an a$%hat by writing yet another worm or malicious program, alerted Microsoft to the bug. Which is now in the process of being patched.
DDOS is a vulnerability? (Score:5, Insightful)
If DDOS is a vulnerability, it's one that all systems share, and thus, we'd have to be extremely jaded and cynical for blaming Sun for getting hit with one.
It doesn't help that the existence of vulnerabilities in Microsoft's products is probably the reason it was so easy to attack Sun.
Re:It's funny (Score:2, Funny)
Re:In other news... (Score:3, Insightful)
This is most likely the latest instance of the deep design flaw that the Microsoft HTML control has had since 1997, a flaw that no other browser (open source or commercial) suffers from, a flaw that Microsoft is going to have to break every application that uses the HTML control for anything but simple HTML display to fix... but which they absolutely have to do.
Compared to sendmail... this would be like Allman "fixing" the backdoor that the Internet Worm used by changing the password from "WIZARD" to