
Latest Version of MyDoom Exploits New IE Flaw

Posted by michael
from the zero-day-wormz dept.
techentin writes "CNN Money is reporting a new and improved MyDoom variant which is spread by a hyperlink in email. Clicking the link connects the user to an infected machine, which exploits a recently discovered buffer overflow in Internet Explorer. McAfee has a more detailed description. Is this yet another good reason for running Firefox?" CNET also has a story.
  • by Anonymous Coward on Tuesday November 09, 2004 @06:52PM (#10770776)
    Give Firefox [mozilla.org] such a big present for their 1.0 release.
  • CNN Story (Score:5, Insightful)

    by AKAImBatman (238306) * <akaimbatman@gmai[ ]om ['l.c' in gap]> on Tuesday November 09, 2004 @06:52PM (#10770778) Homepage Journal
    It's pretty neat how far FireFox is beginning to spread. CNN carried this story on TV just a half-hour ago. They mentioned that FireFox was becoming the most popular alternative to IE. My coworkers (whose job includes watching CNN) came by and asked me why this FireFox thing is better. I told them about tabbed browsing, popup blocking, lack of security issues, and other niceties.

    One of the coworkers downloaded FireFox right away. I actually expected him to take a little while to wean off of IE. After I showed him FireFox's features, however, he set FireFox to his default browser and deleted his IE shortcuts! I think we're definitely making headway. :-)
    • Re:CNN Story (Score:5, Insightful)

      by scribblej (195445) on Tuesday November 09, 2004 @07:00PM (#10770884)
      "Lack of security issues?"

      Okay, I'll grant you that FireFox is probably more secure than IE. But to say it lacks security issues is going a little further than I'd go, myself. In fact, I'd be willing to bet you $10 that it has security issues of its own.

      Don't sell your friend a dream. Set his expectations realistically. No software is bulletproof. No software lacks security issues.

      Firefox f-ing rocks, no doubt about it. It blows IE out of the water. It probably has far fewer security holes. But to say it "lacks security issues" is naive.

      Don't believe everything you read on slashdot. A lot of these people have an agenda to meet.

      • Re:CNN Story (Score:5, Interesting)

        by AKAImBatman (238306) * <akaimbatman@gmai[ ]om ['l.c' in gap]> on Tuesday November 09, 2004 @07:08PM (#10770980) Homepage Journal
        I believe I put it as, "lack of security issues like the one pointed out by CNN" as well as "It helps protect against Spyware". It's true that FireFox is not invulnerable (e.g. the download bug), but it's nearly there for most users.

        Remember how FireFox handled the download bug? Old copies of the browser would actually be redirected to an auto-update site. Click a button, wait for a few kb download, and voilà! A secure browser. :-)

      • Don't sell your friend a dream. Set his expectations realistically. No software is bulletproof. No software lacks security issues.


        Hmmm.... I can think of one:

        how about:

        #include <stdio.h>

        int main(){
        printf("Hello World!\n");
        }

        I dare you to find a security hole or other issue in that one! Probably better to say "it is unlikely that any nontrivial software will be without security holes or considerations."

        I run Qmail, and it certainly has its security considerations (no holes though). Security issues with Qmai
        • The compiler automagically builds in the vulnerability. They all do that nowadays.
        • by DrSkwid (118965)
          you're trusting your include to provide the expected behaviour from printf

          you're trusting your compiler and linker to provide you with the expected behaviour from compiling and linking your source code

          you're trusting the kernel to not modify the behaviour of the syscalls required to print

          you're trusting the CPU to execute the instructions you think it executes

          Reflections on Trusting Trust [bell-labs.com]

          Ken Thompson
          • by Anonymous Coward
            All of your examples hold absolutely no water. They are all examples of exploits at a different level than the software. Obviously if you install software on an already-compromised environment, you cannot blame the software for problems down the road.

            We are -ASSUMING-, when evaluating code for security-conscious methodology, that the environment functions as advertised.

            Your examples are very nice for theoretical discussions, but some of us don't live in the classroom, we live in reality, where software re
        • You would be surprised. Let's expand upon your program a bit.

          (pseudocode)

          program "evil":
          main(){
          close STDERR;
          exec passwd;
          }

          program "passwd" running setuid
          main(){
          open > /etc/passwd
          print STDERR "Password: "
          }

          Oops. The password file just got deleted. Security is hard :)

          (The reason? File descriptor STDERR is usually #2. However, fd #2 is closed and replaced with /etc/passwd, unknown to the passwd program.)
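The closed-descriptor problem sketched in the comment above, replayed in C together with the usual defence: before a privileged program opens anything, it makes sure descriptors 0, 1 and 2 are open, pointing any closed one at /dev/null. This is an added example, not code from the thread; the function names and the scratch path under /tmp are assumptions made for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Point any closed descriptor among 0, 1, 2 at /dev/null.
 * Returns how many were repaired, or -1 on error. */
int ensure_std_fds_open(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                      /* already open */
        if (errno != EBADF)
            return -1;
        /* open() hands out the lowest free number; going upward from 0
         * means that number must be fd itself. */
        int nfd = open("/dev/null", O_RDWR);
        if (nfd != fd) {
            if (nfd != -1)
                close(nfd);
            return -1;
        }
        repaired++;
    }
    return repaired;
}

/* Stand-in for the privileged program's "open > /etc/passwd";
 * here it creates a scratch file instead. */
int open_data_file(const char *path, int harden)
{
    if (harden && ensure_std_fds_open() < 0)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Replays the scenario in one process and returns how many bytes of the
 * stderr prompt ended up inside the data file (-1 on setup failure). */
long prompt_bytes_in_data_file(int harden)
{
    static const char prompt[] = "Password: ";
    char path[64];                         /* constructed scratch path */
    struct stat st;
    long leaked = -1;

    if (ensure_std_fds_open() < 0)         /* known starting state */
        return -1;
    snprintf(path, sizeof path, "/tmp/fd2_demo.%ld", (long)getpid());
    int saved = dup(STDERR_FILENO);        /* so stderr can be restored */
    if (saved == -1)
        return -1;
    close(STDERR_FILENO);                  /* what "evil" does before exec */

    int fd = open_data_file(path, harden);
    if (fd != -1) {
        /* The program believes descriptor 2 is its error stream. */
        ssize_t w = write(STDERR_FILENO, prompt, sizeof prompt - 1);
        (void)w;
        if (fstat(fd, &st) == 0)
            leaked = (long)st.st_size;
        close(fd);
        unlink(path);
    }
    dup2(saved, STDERR_FILENO);            /* put the real stderr back */
    close(saved);
    return leaked;
}

int main(void)
{
    printf("unhardened: %ld bytes of prompt in data file\n",
           prompt_bytes_in_data_file(0));
    printf("hardened:   %ld bytes of prompt in data file\n",
           prompt_bytes_in_data_file(1));
    return 0;
}
```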
        • by YOU LIKEWISE FAIL IT (651184) on Tuesday November 09, 2004 @07:54PM (#10771486) Homepage Journal
          #include <stdio.h>

          int main(){
          printf("Hello World!\n");
          }

          While your assumptions are most likely correct, complacency is the friend of the buffer overflow. Depending on your implementation of the clib, printf, usually considered safe, could possibly be a problem - particularly as it ends up using the locale system and the user settable LC_NUMERIC to determine how to represent numbers, radix, etc.

          My favourite printf gotcha however is the seldom used %n conversion character - unlike its brethren, this one writes data to the pointer in the argument list ( the number of characters printed so far ). This can be used to scribble over various pointers in the arg list and is why you should never, ever allow users to provide format strings to the program without vetting them first.

          YLFI
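One way to do the vetting the comment above asks for, as an added example that is not part of the original post: untrusted text that is only data is printed through a fixed "%s", and an untrusted template is accepted only if its conversions are exactly the ones the caller will supply. The function names and the "one letter per argument" convention are assumptions of this sketch, which goes beyond the post by also rejecting `*`, positional and length-modified conversions.

```c
#include <stdio.h>
#include <string.h>

/* Vet an untrusted format string against the conversions the caller will
 * actually supply, one letter per argument (e.g. "sd" for a char* then an
 * int). Accepts flags, numeric width and precision; rejects %n, '*',
 * positional "$" forms, length modifiers, and any extra, missing or
 * reordered conversion. Returns 1 if fmt may be used, else 0. */
int format_matches(const char *fmt, const char *expected)
{
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                      /* "%%" is a literal percent */
        p += strspn(p, "-+ #0");           /* flags */
        p += strspn(p, "0123456789");      /* width */
        if (*p == '.') {
            p++;
            p += strspn(p, "0123456789");  /* precision */
        }
        /* Whatever follows must be exactly the next expected letter. */
        if (*p == '\0' || *p == 'n' || *p != *expected)
            return 0;
        expected++;
    }
    return *expected == '\0';              /* no conversion left unused */
}

/* Untrusted text that is only ever data: never pass it as the format. */
int render_data(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* Untrusted template (for instance a user-editable greeting) that is
 * filled with a name and a count. Returns -1 if the template is refused. */
int render_template(char *out, size_t n, const char *untrusted_fmt,
                    const char *name, int count)
{
    if (!format_matches(untrusted_fmt, "sd"))
        return -1;
    return snprintf(out, n, untrusted_fmt, name, count);
}

int main(void)
{
    char buf[64];

    /* Constructed sample inputs. */
    if (render_template(buf, sizeof buf, "Hello %s, %d new", "bob", 3) >= 0)
        puts(buf);
    if (render_template(buf, sizeof buf, "%s%d%n", "bob", 3) < 0)
        puts("template with %n refused");
    render_data(buf, sizeof buf, "%x%x%n");
    puts(buf);                             /* printed verbatim, as data */
    return 0;
}
```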
        • OK:

          It doesn't return a value from main() which may cause a compiler to do funky things with the stack.

          Even worse argc and argv are not passed correctly so the function will be called with more parameters than it accepts.

          There's no attempt to determine the status of stdout - if redirected to an offline printer this software would crash.

          The user's locale settings are not taken into account... neither are the language settings. This is unacceptable in modern software.

          The user friendliness of this software
      • Re:CNN Story (Score:5, Insightful)

        by That's Unpossible! (722232) * on Tuesday November 09, 2004 @07:27PM (#10771164)
        As a fellow grammar Nazi, let me explain that the person you're responding to meant Firefox lacks security issues COMPARED TO INTERNET EXPLORER.

        It's like saying a program lacks features. Obviously you don't mean it has no features -- just that it lacks features, WHEN COMPARED TO ANOTHER PRODUCT.

      • Speaking of security issues, the release of today has these fixes:

        http://www.squarefree.com/burningedge/releases/1.0.html

        Yes, 9 potential security holes fixed, and I doubt it was all. In any case, you're recommended to upgrade ASAP for these reasons alone.
      • Re:CNN Story (Score:5, Informative)

        by Frogbert (589961) <`frogbert' `at' `gmail.com'> on Tuesday November 09, 2004 @08:15PM (#10771782)
        For me personally the security issues with Firefox have always seemed a lot less dangerous than with those of Internet Explorer. What especially annoys me about Internet Explorer is its constant ability to be infected with various toolbars and browser hijackers and dialers. These things are automatically installed in a lot of cases and, correct me if I'm wrong, Firefox doesn't have vulnerabilities to the same extent that are as widespread.

        I don't typically get these things installed unless it is an automatically installing problem; however, my friends and family all had problems with Internet Explorer getting bogged down with this crap. I know once I install Firefox I'll have a lot less crap to clean up when I next fix their computers.
      • Re:CNN Story (Score:4, Insightful)

        by LuxFX (220822) on Tuesday November 09, 2004 @09:38PM (#10772604) Homepage Journal
        Firefox f-ing rocks, no doubt about it. It blows IE out of the water. It probably has far fewer security holes. But to say it "lacks security issues" is naive.

        The last security bug I remember hearing about in Firefox had a working patch to fix the problem very quickly. In fact, it was released by about the time I had finished reading the alert in the first place. Microsoft, on the other hand, takes considerably longer.

        It's one thing to admit there are security vulnerabilities in Firefox. There have been, and there will continue to be vulnerabilities discovered in Firefox. But as long as the Firefox community fixes these vulnerabilities as quickly as they have in the past, I don't think it's fair to say that Firefox has security issues.

        Microsoft, of course, has both security vulnerabilities and security issues. It becomes an issue when the vulnerabilities aren't dealt with quickly enough.

        Semantics, I know.... But there is a crucial difference.
      • Re:CNN Story (Score:3, Interesting)

        by gunnk (463227)
        It's true that any piece of software can have security issues, but IE will ALWAYS be the most dangerous browser you can run for one simple reason:

        It is also your file system browser.

        Integrating a web browser (i.e. the program that messes around with places of questionable authenticity) with your file system browser (the program that connects with your most sensitive files) is just insane from a security point of view.
    • by w1r3sp33d (593084) on Tuesday November 09, 2004 @07:00PM (#10770887)
      Now show him http://slackware.com/ [slackware.com] and he shall become more powerful than you can possibly imagine.
    • Heh, I do people a favour, and download Firefox/Mozilla for them. :P Most of the time they're not mad.
    • by mind21_98 (18647)
      It's not the most popular browser till mozilla.org gets Slashdotted! :)
    • I hope you meant your coworker deleted the desktop and menu shortcuts to Internet Explorer. Not that he deleted the shortcuts in the Favorites menu.

      Firefox converts your Microsoft® Internet Explorer favorites for you [bathspa.ac.uk].
    • Lately, I haven't even had to *try* in order to spread alternative browsers. I don't go to them - they come to me!

      I get calls on a regular basis from different friends and family members. The problem is almost always the same: their computer has become so bogged down with spyware and malware that it's nearly useless.

      Their computers are so gummed up, they practically beg me to install a different browser! And I don't know of any of them that have gone back to IE since.

      Honestly, I get so many reques

  • LIES (Score:3, Funny)

    by Anonymous Coward on Tuesday November 09, 2004 @06:53PM (#10770790)
    A bug in IE? I won't believe it till I see i--
  • by simdude585 (782096) on Tuesday November 09, 2004 @06:53PM (#10770791) Homepage
    Microsoft today announced that it was going to leave IE users to fix their own patches...
  • by t_allardyce (48447) on Tuesday November 09, 2004 @06:54PM (#10770799) Journal
    Can they start teaching in school that using IE is like having un-protected sex with 15 donkeys? or would Microsoft complain?
  • Wow! (Score:5, Funny)

    by mindaktiviti (630001) on Tuesday November 09, 2004 @06:54PM (#10770802)
    People still use IE?
  • big deal (Score:5, Funny)

    by Anonymous Coward on Tuesday November 09, 2004 @06:54PM (#10770805)
    ok so they accidentally leave one bug in their browser and everybody jumps all over them. big deal!
  • by eqkivaro (721746) on Tuesday November 09, 2004 @06:54PM (#10770809)

    users could pull their heads out of their asses and stop clicking on links in SPAM.

  • by SlayerofGods (682938) on Tuesday November 09, 2004 @06:55PM (#10770819)
    How do we know the link to the story isn't just a trick to get us infected?
  • Good timing (Score:2, Funny)

    by Anonymous Coward
    A patch has just been released:

    http://www.mozilla.org/products/firefox/ [mozilla.org]
  • by jbrelie (322599) on Tuesday November 09, 2004 @06:56PM (#10770824)
    Let's not be hasty. True, I love Firefox, but IE is a giant honey pot out there for malicious attackers. If too many people switch, they'll start targeting Firefox. As much as I hate to admit it, they WILL find flaws to target.
    • You mean like... (Score:2, Insightful)

      by Anonymous Coward
      You mean like how Apache is #1 for vulnerabilities because it's the most popular web server?
    • Yes they will always find flaws, but IE is like shooting fish in a barrel.
    • Bring it on. I hope they do, and then we'll patch them. Then FF 1.1 will be even better than FF 1.0.
    • But I'd bet that the time it would take for the Firefox team to get a fix out would be measured in days, not months...
    • they WILL find flaws to target

      Sure, but will those flaws in Firefox be as serious as the flaws in IE?

      It seems like when Microsoft attempted to integrate IE with the OS, IE was allowed to access the OS in some very dangerous ways.

      For instance, why would earlier versions of IE write files to any directory without asking the User for permission?
    • There are a few design flaws in IE that make it a uniquely dangerous program to use to access the internet. These mistakes have, as yet, not been made by the Mozilla team. Perhaps we have learned a few things...

      The largest problem (mostly the cause of spyware rather than viruses though) is the issue of ActiveX scripting. Because ActiveX controls are trusted on the basis of vendor signature, and because someone can force an old version to be downloaded and installed, it means that no security patch can protect you against a malicious site scripting against a bug in an ActiveX control signed by a trusted vendor. No security patch can be written to do this without breaking *every* ActiveX control in the internet.

      The second issue is that of security zones. This allows an attacker to exploit any flaws that come with the enforcement of such zones. This is an issue for viruses and spyware alike.

      Now, it is possible that a new as yet unimagined sort of attack will eventually be possible against some type of functionality in Mozilla. At least one type has (XUL files spoofing interfaces), but if these become a problem, it is open source, and so you or anyone else can pay for someone to make a version with a different structure. If enough people switch, the process begins over again. But each time, I think we are safer.
      • by steve_l (109732) on Tuesday November 09, 2004 @08:16PM (#10771797) Homepage
        IE is embedded everywhere in Windows, even when you bring up an HTML dialog box. Add/Remove Programs? DHTML. System Restore? DHTML.

        Windows Update? Active-fucking-X. So unless you move http://*.microsoft.com/ into trusted zone (ramped up to medium security), you cannot get security updates without enabling ActiveX download and scripting.

        Even in WinXPSP2, there is still that trusted zone that gives unlimited rights. Like download unsigned activeX controls without prompting. There is nobody I'd give that right to, not even myself. Yet they have it.

        Plus all the MSN content pushes AX at you. At least Expedia are not that daft; you can shop there with Firefox. But check out a pure MS site like the channel9 developer site [msdn.com]; ActiveX, windows everywhere. No attempt made to evangelise to the rest of us :)
    • Homogeneity is a good word.

      Having a 50%/50% split in popularity among browsers will reduce attacks simply because exploiters get less benefit and have to do more work. If we can get that to 25%/25%/25%/25%, then exploiters will move on to some more attractive target, and simultaneously, each of the four browsers will focus much more on standards compliance.

  • by jtsoong (307257) on Tuesday November 09, 2004 @06:56PM (#10770826) Homepage
    After seeing this posted I checked my pattern files on the mail server.

    Happy to see that ClamAV had the pattern files through a cron job 5+ hours ago.
  • Good to hear. Just gives more people another reason to switch to the newly released firefox 1.0 browser! Hopefully the nytimes ad will be placed within the next 2 weeks and the world will be a better place.
    • Hopefully the nytimes ad will be placed within the next 2 weeks and the world will be a better place.

      Two weeks draws the Firefox ad fully into the vortex of the Christmas shopping season. Every upscale retailer in the northeast is competing for prime space in the NY Times. They get the white meat, the Moz Foundation, the gristle.

  • by dwgranth (578126) on Tuesday November 09, 2004 @06:57PM (#10770840) Journal
    here at our company, we were hit w/ this virus a few days ago.. of course since IE is our standard browser.. well you get the picture.. anyway, the virus uses a few vulns.. one is the link spoofer and the spoofed link (in an email from the infected box which pulls any email addy it can to trick you) is a link to the infected box.. which then uses the noted vulnerability and the process repeats... so basically
    • So how does it jump domains? Since each link points back to the infected box, I presume it has to be on the "open" internet to be really effective, otherwise, it should be limited to the local network only -- presuming you block any inbound requests to the infected box (what port are they on?)
      • by tacokill (531275)
        ...and oh yea, SP2 isn't vulnerable. (because of the firewall)

        • Re:sp2 (Score:3, Interesting)

          by jerw134 (409531)
          SP2 is not vulnerable, you're correct. But it's not because of the firewall. This problem just doesn't exist in SP2.
  • If only (Score:5, Funny)

    by fluxrad (125130) on Tuesday November 09, 2004 @06:58PM (#10770859) Homepage
    Man, if only there were some browser we could use instead of IE...

    Oh well.
  • SP2 (Score:5, Informative)

    by Anonymous Coward on Tuesday November 09, 2004 @06:59PM (#10770868)
    SP2 not vulnerable... Upgrade or perish.
  • by GQuon (643387) on Tuesday November 09, 2004 @06:59PM (#10770873) Journal
    This isn't about this particular worm, but recently made it through my spam filters and IDS:
    ----
    Re: my bill
    From: [from address, probably spoofed]
    To: [My address]

    Requested file.

    +++ Attachment: No Virus found
    +++ [Name of antivirus software] - [website of antivirus software]

    bill.zip
    -----
    The zip contained a pif file with a .rtf ending.

    Particularly scary social engineering, since it claims to be from an anti-virus company that I'm actually familiar with.
    • The fake scan information was used in W32/Netsky.o, W32/Mydoom.y and W32/Buchon.gen also, but not with the same combination of body and subject.
      So this may be a new strain of virus.
      I've sent the sample to a virus company.
  • by Anonymous Coward on Tuesday November 09, 2004 @07:00PM (#10770881)
    A seemingly infinite number of flaws in a finite piece of code, this is quite an achievement.
  • I've been running Linux on my main desktop for years, and recently I've really been considering switching to Windows. After all, it's got some cool apps, and while I wouldn't call it "feature complete", I say they've done a good job of implementing many of the best features of Linux and OSX. However it's articles like this that convince me it's still a bit early to switch to Windows.

    All told they've made some real inroads in servers, and the desktop experience is improving with each release (the current unstable branch -- AKA "XP" -- has implemented the theme concept long popular in KDE and Gnome!) however I think it's still premature to declare Windows ready for prime time on the desktop.

  • by simetra (155655) on Tuesday November 09, 2004 @07:07PM (#10770971) Homepage Journal
    the little image for this "worms" topic isn't a worm, it's a catipillar (sp?)... or a larvae of some sort. How about a real worm image?


  • Impressive... (Score:3, Insightful)

    by Alwin Henseler (640539) on Tuesday November 09, 2004 @07:09PM (#10770984) Homepage
    That someone managed to find yet another flaw in IE. You'd think that after the number of bugs found in IE so far, it would be about 100% bug-free by now. But duhhh... I guess that's too optimistic.

    Beware of bugs in the above code; I have only proved it correct, not tried it. -Donald E. Knuth [stanford.edu]

  • by lseltzer (311306) on Tuesday November 09, 2004 @07:11PM (#10771011)
    >>Is this yet another good reason for running Firefox?

    Or Windows XP SP2, which is not vulnerable.

    What kind of imbecile runs XP but not SP2?
    • Now now, actually knowing how to use Windows is punishable by death on Slashdot. It amazes me how many people don't consider recompiling a kernel a nuisance, and these same people won't be bothered to actually read the documentation that comes with Windows 2k/xp/2003. Yeah. If you've been keeping up with patches this is a non-issue.
    • What kind of imbecile runs XP but not SP2?

      Maybe someone who read this [slashdot.org] article and doesn't want to take the chance with their main machine.
    • Or Windows XP SP2, which is not vulnerable.
      What kind of imbecile runs XP but not SP2?


      What's easier to change, Windows 2000 => XP SP2 or IE => Firefox?
      For a corporate environment (where, in many cases, most still run Windows 2000), I think I know which.
    • I'm not running SP2. Too many applications started acting bizarre after installing it.

      However, as I don't use IE as my primary browser and SP1 will be supported by Microsoft for some time I don't feel compelled to upgrade to SP2.
    • What kind of imbecile runs XP but not SP2?

      I do, why upgrade? XP SP2 is slower, has even more annoying widgets, and there is a considerable risk that my computer won't boot anymore if I install it. I think the big question is what kind of imbecile still runs IE, even if they have XP SP2?
  • by Swamii (594522) on Tuesday November 09, 2004 @07:12PM (#10771014) Homepage
    Woopsie! Slashdot forgot to mention the fact that this vulnerability has no effect on XP machines patched with SP2. Way to go Slashdot!
  • by xutopia (469129) on Tuesday November 09, 2004 @07:12PM (#10771018) Homepage
    telling us to stop clicking on hyperlinks?
  • Microsoft should feel lucky that their crappy browser is being anal probed. by finding exploits like this they are forced to "improve" it. Improve might be a big word but imagine if there were exploits but no viruses/trojans/whatever, you would think that M$ would fix these exploited holes?
  • by hey (83763) on Tuesday November 09, 2004 @07:14PM (#10771037) Journal
    How can McAfee have a simple checkbox that turns on buffer overflow protection:
    http://vil.nai.com/vil/images/vse80i-bo-config.gif

    I mean if my program has a buffer and I want to overflow it, how can they stop it? The screenshot mentions APIs so maybe it just knows about the Win32 APIs.
  • I mean, it's great they're running an ad in NYT and all, but everybody who I have installed Gecko-based browsers for also want a decent mail reader.

    Rather than going for the still-beta Thunderbird, why not just go the whole hog and install Mozilla proper? You get all of Firefox's features and considerably more.

    The only niche I can see Firefox/Win32 filling is for people who don't want to run IE, but for some reason don't want to run Mozilla Mail (which is rare at least in these parts).
  • McAfee VirusScan (Score:5, Interesting)

    by Vermyndax (126974) <<vermyndax> <at> <galaxycow.com>> on Tuesday November 09, 2004 @07:14PM (#10771044) Homepage
    The *real* ironic twist to the story is that newer versions of McAfee VirusScan that Dell has been shipping requires Internet Explorer to be installed... and uses it to run the control center windows.

    Now how's that for secure?

    I may never, ever figure out the mentality of that decision.
    • The *real* ironic twist to the story is that newer versions of McAfee VirusScan that Dell has been shipping requires Internet Explorer to be installed... and uses it to run the control center windows.

      I think I am missing something. Are you saying there are normally Windows versions of Dell machines that come without IE?

      Didn't think so.
    • Re:McAfee VirusScan (Score:4, Informative)

      by donnz (135658) on Tuesday November 09, 2004 @07:45PM (#10771333) Homepage Journal
      McAfee is a pox. It has the most useless update facility in the world that seems to rely on hopelessly long downloads of fixes to its own software (even if that particular program is disabled) rather than just updates to its virus databases. Oh, and it also murders the performance of any machine it's loaded on. Grrr, McAfee, send your requests for references to me, please.

      Yes, I was recently forced back to the Windows world for one mind numbing week.
  • SP2 immunity (Score:5, Informative)

    by jaiyen (821972) on Tuesday November 09, 2004 @07:22PM (#10771111)
    For those who don't RTFA, XP SP2 doesn't appear to be vulnerable.
    "Users who have installed Windows XP Service Pack 2 are immune to the programs that use the vulnerability, including the two new variants of the MyDoom virus."
    • Re:SP2 immunity (Score:3, Insightful)

      by Jeff DeMaagd (2015)
      XP isn't the entire Windows world.

      IIRC, for every XP computer, there is one computer running Windows 2000 installation, and probably one running Win9x too. I wonder if this is the sooner updates is one feature Microsoft is trying to have to push people to upgrading.
    • Re:SP2 immunity (Score:4, Insightful)

      by bedessen (411686) on Wednesday November 10, 2004 @06:05AM (#10774945) Journal
      Just playing devil's advocate here, but if there was a security vulnerability in an open-source project which affected older versions of the software -- but not the current released/stable version -- then this would be a non-story. "Foo v1.25 has a vulnerability? Well it's the user's fault for not running v1.30 which fixed that bug." But it's Microsoft, so somehow all the laws of software are different....
  • Sheesh, so many Firefox zealots taking over this story... Firefox this, Firefox that...
    You moderators really need a tool to separate the wheat from the chaff. The trolls from the insightfuls. You need my
    Super Dooper Slashdot Moderator Tool Extension Thingy for Firefox! [webeisteddfod.com]
    Take your moderation skills to the next level... today!
