IE Download.Ject Exploit Fixed

Saint Aardvark writes "Just in time for the weekend, the Internet Storm Center is reporting that Microsoft is providing a fix for the Download.Ject vulnerability that hit IE late last month. The press statement says that it'll hit Windows Update later today..."
  • Re:Got it, but.. (Score:1, Interesting)

    by Anonymous Coward on Friday July 02, 2004 @01:38PM (#9593808)
    Sadly you are Slashbotting. Three of the five sites that I visit most frequently do NOT render correctly with Firefox. Each and every time I visit Slashdot I have to refresh to get the leftbar to stop encroaching on the main story blurbs. Every time I visit the other sites I must change font sizes. Each site I visit looks different than it was intended to look on IE and thus I cannot read some text and some text is so large that it is uncomfortable.

    We won't even get into the fact that my online banking instantaneously loads on IE yet takes several /MINUTES/ to load in Firefox.
  • by WoodstockJeff ( 568111 ) on Friday July 02, 2004 @01:39PM (#9593826) Homepage
    I know your post was taken as FUNNY, but I lost several hours last week installing, then uninstalling, an "important security patch" that took down my client's Exchange Server. Had it been done automatically, the server would have simply stopped working for unknown reasons, at some MS-selected random time...

    I, for one, do NOT look forward to the coming mandatory auto-patching, but I suppose it is inevitable with Microsoft.

  • Re:NOT an actual fix (Score:3, Interesting)

    by Lehk228 ( 705449 ) on Friday July 02, 2004 @01:41PM (#9593838) Journal
    when you set high security you cannot even use windows update, and putting windows update into trusted sites does not work right
  • Why Ject? (Score:2, Interesting)

    by Anonymous Coward on Friday July 02, 2004 @01:42PM (#9593849)
    Why is it called Ject? Is the virus writer or the AV firm some kind of closet Final Fantasy X fan? Seriously? Why Ject?
  • by blindbat ( 189141 ) on Friday July 02, 2004 @01:44PM (#9593881)
    I was helping a fellow (via phone) repair his Windows installation that had a couple of viruses (at least), blaster and another worm. He even has the auto download of updates running so he thought he would be safe.

    Problem: he is a dial up user and is never connected long enough at home to keep his system current.

    So Windows will have to hijack the internet connection in order to get the downloads or half-knowledgeable users like this guy will still be victims.
  • Re:In Other News... (Score:5, Interesting)

    by chris_mahan ( 256577 ) <chris.mahan@gmail.com> on Friday July 02, 2004 @01:45PM (#9593882) Homepage
    I notice that MS releases a "fix" of some sort when DoHS says: use another browser.

    Can somebody at DoHS recommend switching to another browser every day so MS will start working on the backlog of bugs?

    Another question: Are there enough of those high-flying MS developers still working on the IE codebase to make the changes in a timely manner or is there an aging skeleton crew to fix the vulnerabilities, not too motivated since they were passed up for work on .NET?

    I wonder.

    Somebody probably lit the proverbial fire under their bums this morning.

    (They know how hard it is to get people to switch browsers. It took a while (2 years) with Netscape, and NS Communicator was a POS). I guess they are at the edge of the cliff and realized there's nowhere but down.
  • Yippee! (Score:5, Interesting)

    by callipygian-showsyst ( 631222 ) on Friday July 02, 2004 @01:52PM (#9593965) Homepage
    Despite all our whining and moaning, (and the fact that this bug was the straw that broke the Camel's Back and I switched to mozilla and thunderbird [robert.to]) Microsoft did act pretty fast here. It was less than a week, wasn't it?

    And, while it's unfortunate that many people don't (or can't) run Windows Update, it works well for people with fast connections who are behind firewalls so their systems don't get screwed up before they can patch them!

  • Re:MOD PARENT UP. (Score:1, Interesting)

    by Anonymous Coward on Friday July 02, 2004 @01:58PM (#9594022)
    The first poster made it seem like it will only protect against threats that MSFT knows about. This patch seems to prevent IE from writing/read to/from the disk via scripts.
  • by Anonymous Writer ( 746272 ) on Friday July 02, 2004 @02:06PM (#9594095)
    It was only mentioned two posts before this that CERT advised [slashdot.org] people to stay away from IE, even though CERT released that advisory on June 10 [cert.org], and it was even reported on BBC on June 14 [bbc.co.uk]. Now this story comes along mentioning the patch will be available later today? The CERT advisory could have been published on Slashdot nearly a month ago, but conveniently is published on the same day as the fix is released. Was it intentional to keep information about the CERT announcement off of Slashdot until the fix was released?
  • Re:FYI (Score:5, Interesting)

    by dasmegabyte ( 267018 ) <das@OHNOWHATSTHISdasmegabyte.org> on Friday July 02, 2004 @02:09PM (#9594121) Homepage Journal
    You're making claims that are untrue and short sighted. I call FUD.

    First, to release a patch to a commercial application used by millions of people is inherently troublesome. You've got to make sure you test it thoroughly...because unlike Open Source, the liability is on YOU if people can't get their work done. If there is a change to an existing setting that can defray the effect of the vulnerability and give you more time to test, it would be remiss of you not to inform customers of it. Would you rather they ask customers to wait a few days until the patch is thoroughly QA'd?

    Second, I have never -- that means NOT EVER -- seen an IE fix that broke my machine worse than a virus would. The fix might cause problems with IE, but it wouldn't cause my machine to send spam email against my will. And the VAST majority of IE fixes have had no ill effects whatsoever. On the other hand, emerging the latest from gentoo causes something to break a substantial percentage of the time.

    I do agree that IE isn't the best browser ever, but this doesn't excuse you from putting blame where it doesn't belong. If you're going to fault Microsoft for anything, fault them for not being up front about the patch process. They should let us know at every step of the way what the problem is, how to patch it for now, when a fix will be ready and how to defray such bugs from allowing exploits in the future. That's one cue from OSS they'd be smart to heed. All software is buggy. Pretending it's not is tantamount to pretending you aren't going to fix it.
  • Re:Got it, but.. (Score:3, Interesting)

    by Anonym1ty ( 534715 ) on Friday July 02, 2004 @02:14PM (#9594172) Homepage Journal
    aggressively IE-only sites

    What? Like sites that do not function if they can't open a thousand windows? or can't force you to agree to download and install something without crashing the browser? (insert zillions of other annoying or dangerous exploits here)

    If a site REQUIRES Internet Explorer perhaps you shouldn't go there. I mean now that the Department of Homeland Security is urging people not to use IE, Your bank better think real hard about requiring you to use it.

  • Re:NOT an actual fix (Score:2, Interesting)

    by Lieutenant_Dan ( 583843 ) on Friday July 02, 2004 @02:22PM (#9594253) Homepage Journal
    Nope, XP and 2003 have windowsupdate.microsoft.com as a trusted site. Unless you remove it manually, no setting will affect that.

    Mind you, that still leaves the door open for someone clever to put an entry in the HOSTS file and do some nifty DNS man-in-the-middle trick, sending the unaware user somewhere else and trusting that "fake" windowsupdate.microsoft.com .

    Which is nice.
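    The rebinding trick Lieutenant_Dan describes depends on one fact: IE's Trusted Sites zone matches on the host name, and the HOSTS file is consulted before DNS, so whoever can write it decides which address "windowsupdate.microsoft.com" resolves to while IE keeps treating the result as trusted. The following is an added example (not code from the thread or from Microsoft) that audits a HOSTS file for exactly that: any binding of a Microsoft update name is reported, and classified as a black-hole (loopback or 0.0.0.0, so updating silently fails) or a redirect (anything else). The sample HOSTS text is constructed for the example; the addresses in it are documentation ranges, not real servers, and the list of protected suffixes is an assumption you would extend for your own trusted-zone entries.

```python
import ipaddress

# Constructed sample HOSTS file. The two microsoft.com lines stand in for what
# an attacker who can write %SystemRoot%\System32\drivers\etc\hosts would add;
# 203.0.113.0/24 is a documentation range, not a real server.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.7     windowsupdate.microsoft.com v4.windowsupdate.microsoft.com
0.0.0.0         download.microsoft.com   # black-holes the update download
::1             localhost
"""

# Assumed list: names that never legitimately appear in a client's HOSTS file,
# so any binding for them means a trusted-zone name has been rebound locally.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com")


def parse_hosts(text):
    """Yield (address, name) pairs from HOSTS text, skipping comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                              # nothing mapped on this line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address
        for name in fields[1:]:                   # one line may carry many names
            yield addr, name.lower().rstrip(".")


def is_protected(name):
    """True if name is one of the protected suffixes or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return [(name, address, verdict)] for every protected name bound in HOSTS.

    verdict is 'blackholed' when the address is unspecified or loopback (the
    update just fails) and 'redirected' when it points anywhere else (the user
    is sent to a host IE still treats as windowsupdate.microsoft.com).
    """
    findings = []
    for addr, name in parse_hosts(text):
        if not is_protected(name):
            continue
        verdict = "blackholed" if (addr.is_unspecified or addr.is_loopback) else "redirected"
        findings.append((name, str(addr), verdict))
    return findings


if __name__ == "__main__":
    for name, addr, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:10s} {name} -> {addr}")
```

    Run it against the real file on a Windows box by reading %SystemRoot%\System32\drivers\etc\hosts instead of SAMPLE_HOSTS; an empty result is the only clean answer, since a client's HOSTS file has no business naming any update server at all.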
  • Re:I have a feeling (Score:3, Interesting)

    by imroy ( 755 ) <imroykun@gmail.com> on Friday July 02, 2004 @02:30PM (#9594342) Homepage Journal

    It's worse than that. MS only appears to care about big customers, typically large corporations, institutes, and government departments, i.e. places that are behind a firewall and have (nominally) competent IT staff to keep the network running smoothly. Just look at the number of TCP/UDP ports they keep open. That sort of behaviour is ok on a safe intranet, but it's sheer negligence for home users connected directly to the internet. I'm constantly seeing incoming requests to the "windows networking" ports (137, 135, 445) on my ADSL connection. Those ports just should not be open to the wider internet. And lastly, witness the number of error dialog boxes in windows that simply advise the user to seek help from "the network administrator".

    It's the big customers that MS cares about, not the home users. And we're all worse off when the latest round of worms clog up the internet.

  • by weld ( 4477 ) on Friday July 02, 2004 @02:50PM (#9594524)
    See Full Disclosure list for an attack that used same technique back in Aug. 2003:

    FullDisclosure: ADODB.Stream object [seclists.org]

    Any attack vector that relies on an ActiveX control can be stopped by setting the killbit. This is IE security 101.


    -weld

  • Re:IE Features (Score:2, Interesting)

    by KarmaMB84 ( 743001 ) on Friday July 02, 2004 @02:53PM (#9594542)
    If a website requires ActiveX, you can add it to the trusted sites zone. You should probably move that slider up to medium if you have a lot of sites in there though. The internet zone can probably do with most of the dangerous stuff turned off using the customize button rather than going all the way to high.
  • by geomon ( 78680 ) on Friday July 02, 2004 @03:21PM (#9594797) Homepage Journal
    Okay, everyone has had a great deal of fun at Microsoft's expense today with the stories of Dept of Homeland Security dumping IE, and Microsoft taking nearly a month to fix a BIG exploit in IE. But I wonder if Microsoft's problems are less a function of them 'getting it' as much as it is a case of them being a 'victim of their own success'. Follow along with me for a minute.

    When MS started its rise to the top, they hired as many of the brightest minds as they could to make their software the best of class. While many of us probably find the corner-cutting a bit too much to take, it is possible to have both world-class software while meeting a marketing deadline. It happens, but less frequently than MS or its defenders/supporters would like to think it does (lightning striking the same point twice *without* a lightning rod).

    They continued to compete heavily in the OS market despite the fact that they initially wanted to be nothing more than a computer language business. The OS was to be the cash cow that would allow them to be a more effective language business. But now they own the OS business and are driving their business model into other ventures (consoles, entertainment centers, telephones, automotive brainboxes, etc). They just follow the same formula that led to their smashing success in moving into the OS and office app market: buy the best brains in the field and use their project management skills and VOILA!, they are the new masters of the [insert market segment].

    But consider the sandbox their bright minds play in: a homogeneous computing environment with computer scientists guarding the facility from outside intrusion. As has been noted in another slashdot article [slashdot.org], Microsoft's products work wonderfully inside of Microsoft's campus.

    They have extremely talented people working with the highest-end equipment in an environment where everything works nearly 100% of the time. Is it so surprising that they do not view the world the way we do?

    After all, most of the companies that I have worked for are staffed with (largely) computer-illiterate people and whose firewall is maintained by a PFY with a high-school diploma.

    Perhaps it would be better for Microsoft if they force their developers to create their products in environments that their customers use. In fact, maybe they should send their developers to test their products in the heterogeneous environments of their customers for a month or two.

    Let them work the bugs out on their time for a change.

  • Re:Got it, but.. (Score:3, Interesting)

    by Anonym1ty ( 534715 ) on Friday July 02, 2004 @03:32PM (#9594902) Homepage Journal
    It's a university, isn't it? Why not ask them to have their computer students build another one?
  • Re:FYI (Score:3, Interesting)

    by Temporal ( 96070 ) on Friday July 02, 2004 @04:09PM (#9595236) Journal
    Are you trying to suggest that web sites should not be allowed to contain scripts? Or that sandboxing code with different levels of trust is not a useful ability? Or what? Because either of those assertions is pretty dumb. Microsoft's problem is that their APIs are a mess and security checks aren't always performed or performed correctly. There are too many places in the API where security checks need to be performed, so it's hard to test them all. If they had said from the start that any API component which wanted to access protected system components (the hard drive or whatever) had to go through some unified security module (rather than performing its own security checks then using OS-level API calls), it would have been a lot easier to prevent security problems. I'm guessing they weren't so organized, though. Point is, this is a case of bad implementation, not bad concept. It is certainly feasible to implement sandboxing (such as IE's "security zones") securely.
  • by prandal ( 87280 ) on Friday July 02, 2004 @04:34PM (#9595464)
    That isn't the point, surely? It would have been so easy to produce an executable which would have worked on 9x/ME too to set the registry key, and make it available to everybody via WindowsUpdate.

    At the risk of repeating myself, Microsoft STILL hasn't got it.
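    weld's "IE security 101" point above and prandal's remark that a small executable could have set the registry key on 9x/ME are the same mechanism: the kill bit is bit 0x400 of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, and once it is set IE refuses to instantiate that CLSID no matter what a page's script or <object> tag asks for. The following is an added example (not from the thread and not Microsoft's update) that does two things offline: it parses the text a `reg export` of that key produces and reports whether a given CLSID is killed, and it builds the .reg file that would set the bit. The sample export is constructed; the CLSID used for ADODB.Stream is the one that object registers under, which the thread names by ProgID only, so treat it as an assumption to verify on your own machine (for example with `reg query HKCR\ADODB.Stream\CLSID`).

```python
import re

# The kill bit: bit 0x400 of "Compatibility Flags" under the ActiveX
# Compatibility key makes IE refuse to create the control at all.
KILL_BIT = 0x00000400
ACTIVEX_COMPAT_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
)
# CLSID of ADODB.Stream. Assumed here: the thread names the ProgID, not the CLSID.
ADODB_STREAM_CLSID = "{00000566-0000-0010-8000-00AA006D2EA4}"

# Constructed `reg export` output: one control with the kill bit, one without.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')


def parse_reg_export(text):
    """Map each key path to its DWORD values.

    Key paths are upper-cased because the registry is case-insensitive and
    exports preserve whatever case the key was created with.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).upper()
            keys.setdefault(current, {})
            continue
        value_match = _DWORD_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group(1)] = int(value_match.group(2), 16)
    return keys


def kill_bit_set(reg_text, clsid):
    """True if the kill bit is set for clsid in the exported registry text."""
    key = f"{ACTIVEX_COMPAT_KEY}\\{clsid}".upper()
    flags = parse_reg_export(reg_text).get(key, {}).get("Compatibility Flags", 0)
    return bool(flags & KILL_BIT)


def kill_bit_reg_file(clsid):
    """Build a .reg file that sets the kill bit for clsid (import with `regedit /s`)."""
    return (
        "Windows Registry Editor Version 5.00\r\n"
        "\r\n"
        f"[{ACTIVEX_COMPAT_KEY}\\{clsid}]\r\n"
        '"Compatibility Flags"=dword:00000400\r\n'
    )


if __name__ == "__main__":
    print("ADODB.Stream kill bit set:",
          kill_bit_set(SAMPLE_REG_EXPORT, ADODB_STREAM_CLSID))
    print(kill_bit_reg_file("{11111111-2222-3333-4444-555555555555}"))
```

    One caveat the check makes visible: the bit is keyed on the CLSID, not on the DLL, so a control that the same library registers under a second CLSID is not covered by killing the first, and auditing means listing every CLSID the library exposes, not just the one the advisory names.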

  • Re:Got it, but.. (Score:3, Interesting)

    by nick0909 ( 721613 ) on Friday July 02, 2004 @09:30PM (#9597233)
    Up there in EN-62 that might work, but CM-99 being in litigious CA we probably couldn't build our own system, as it wouldn't pass all the privacy and other stupid regulations and certifications. Being a university doesn't mean they do things smart, it is still run by the State, which currently is being driven by the Govonator.

    Someone tried to make a database as a Sr. project that needed some sort of info from the official enrolled student database, I forget exactly what but it wasn't even anything specific, just the number of students enrolled in each college or major, but they wouldn't release it because of privacy concerns. I stopped trying to figure out why they do things and just accept it as a government agency and change will take 20 years. This portal that was bought by the state for every CSU in the system (29 campuses) I have heard is the worst portal system there is on the market. But hey, we got it cheap!
