IE 7.0/8.0b Code Execution 0-Day Released
SecureThroughObscure writes "Security blogger and researcher Nate McFeters blogged about a 0-day exploit affecting IE7 and IE8 beta on XP that was released by noted security researcher Aviv Raff. The flaw is a 'cross-zone scripting' flaw that takes advantage of the fact that printing HTML web pages occurs in the Local Machine Zone in IE rather than in the Internet Zone. Quoting McFeters's post: 'This is currently unpatched and in all of its 0-day glory, so for the time being, beware printing using the "print table of links" option when printing web pages.' McFeters and others will be presenting at Black Hat on the link between cross-site scripting and cross-zone. Rob Carter has been hitting this hard over at his blog, pointing out cross-zone weaknesses in Azureus, uTorrent, and the Eclipse platform."
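The summary above turns on one design point: content that came from the Internet Zone should not gain Local Machine Zone privileges merely because a privileged component (here, the print path) renders it, and any page that component generates from untrusted link text must escape that text. The following Python is an added illustration of those two defensive rules, not IE's actual zone code or Aviv Raff's proof-of-concept; the zone numbers, the `intranet_suffixes` parameter and the sample links are constructed assumptions.

```python
from html import escape
from urllib.parse import urlparse

# Simplified model of the IE zone idea (assumed ranks, not IE's real settings):
# a lower number means more trust / more privilege.
ZONE_LOCAL_MACHINE = 0
ZONE_INTRANET = 1
ZONE_INTERNET = 3
ZONE_RESTRICTED = 4


def zone_for_url(url, intranet_suffixes=(".corp.example",)):
    """Assign a URL to a zone from its scheme and host (simplified rules).

    Local schemes (file:, res:, about:) map to the Local Machine Zone, the
    loopholes the thread complains about; single-label hosts and hosts under
    an assumed intranet suffix map to Intranet; everything else is Internet.
    """
    parts = urlparse(url)
    if parts.scheme in ("file", "res", "about"):
        return ZONE_LOCAL_MACHINE
    host = (parts.hostname or "").lower()
    if host and ("." not in host or host.endswith(intranet_suffixes)):
        return ZONE_INTRANET
    return ZONE_INTERNET


def effective_zone(content_zone, context_zone):
    """Content keeps the LEAST privileged of its own zone and the rendering
    context's zone.  This is the rule the printing path violated: an Internet
    page rendered in a Local Machine context must still behave as Internet."""
    return max(content_zone, context_zone)


def build_link_table(links):
    """Build a 'table of links' page from untrusted (href, text) pairs.

    Every field is HTML-escaped so attacker-chosen link text or hrefs cannot
    turn into markup or script inside the generated (privileged) document.
    """
    rows = [
        "<tr><td>%s</td><td>%s</td></tr>" % (escape(text), escape(href))
        for href, text in links
    ]
    return "<table>%s</table>" % "".join(rows)


def print_links_safely(page_url, links):
    """Return (zone the printed page should run in, escaped link table)."""
    content_zone = zone_for_url(page_url)
    # Assumption: the print template itself lives in the Local Machine Zone.
    return effective_zone(content_zone, ZONE_LOCAL_MACHINE), build_link_table(links)


if __name__ == "__main__":
    # Constructed sample: an Internet page whose link text carries markup.
    sample_links = [
        ("http://www.example.com/a", "normal link"),
        ("http://attacker.example/", "<script>alert(1)</script>"),
    ]
    zone, html = print_links_safely("http://www.example.com/", sample_links)
    print("printed page runs in zone", zone)
    print(html)
```

The two checks a reviewer would apply to any "render untrusted content in a privileged context" feature are visible here: `effective_zone` refuses to elevate, and `build_link_table` never emits untrusted text unescaped.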
0-day (Score:5, Insightful)
A Disturbing Trend, But Not Unforeseen... (Score:5, Insightful)
The more complex the software releases become, the more complex and insidious the exploits of them become also.
Proof (Score:5, Insightful)
Re:Amazing (Score:5, Insightful)
Why you would want that printed out on a piece of paper is beyond me. It might possibly somewhat work on a PDF printer, but even then, its use is limited.
Re:Proof (Score:5, Insightful)
Look, for most people, the zone idea actually makes sense. Basically, don't trust ANY web site to do the tricksy stuff, but add (for example) your company's intranet to the safe zone, where it can do more desktop-ish stuff. I don't think that's such an awkward concept, and it spares people from having to think through what to allow, or not, on a site by site basis, as they surf. Most people are not this audience. And being able to enforce zone policies at the enterprise level makes a lot of sense, since average users are routinely shown to be spineless and witless: they'll add a poisonous Russian casino spam site to the safe list if that site pops up a tutorial on the steps they have to take to do so, if they want their free emoticon package.
Fiddly, granular systems only work for fiddly, granular people.
Re:Amazing (Score:3, Insightful)
Now for a real use? Well, maybe one. To save having to scribble them down, you could waste a couple reams of paper printing out, oh, maybe a dozen MS Sharepoint links to an overly-anal supervisor who demands that you include reference links in a printed report.
Re:Proof (Score:4, Insightful)
I'll tell you why: because it has to. You can't access local devices in the Internet Zone. That's the point. Granular approaches would allow you to print without accidentally giving other permissions to something that shouldn't have them.
At the enterprise level, with something like NoScript, you can just allow entire domains, say intranet.example.com or whatever your organization uses.
Next thing you're gonna tell me is that you think Microsoft should do away with ACLs at the individual file level or even the directory because users are just too stupid to figure that out. They should just have "file zones" and people will just have to stick their files in the right zone. Pffft.
Re:Irresponsible disclosure (Score:5, Insightful)
Re:Irresponsible disclosure (Score:4, Insightful)
Re:Proof (Score:4, Insightful)
You would also have every web developer in the marketplace whining about how IE ignores standards if they pulled the plug on scripting.
Sorry but Zoning in IE is fine. IE 7 is actually a pretty good modern browser and, sure, it isn't perfect but frankly what is?
Re:Irresponsible disclosure (Score:2, Insightful)
Yes, as always... blame the whistle blower not the manufacturer of the crap product.
Re:Proof (Score:5, Insightful)
The concept itself is okay, but the implementation could use a good, solid overhaul.
*feeds the troll* (Score:3, Insightful)
We *might* be blaming Aviv for telling the world, script kiddies and botnet operators alike, about this bug -before- even notifying the manufacturer of the crap product.
Nor did Aviv wait a reasonable time period for the manufacturer to admit their product's crap state and issue either A. a warning of their own (don't print links) or B. a fix, while providing full credit for discovering the bug to Aviv. Aviv could then still parade his bragging rights around, disclose the exact details, provide proof-of-concept and generally be admired for re-affirming the notion that the product is crap and telling the world in a responsible manner.
Yes, I know, in the time that Aviv would be waiting for the manufacturer to issue a warning / a fix, there could be *others* who also have figured out this vulnerability, and could be actively using it, perhaps on your computer right now! Don't look! But given the odds of maybe a handful of people using this for targeted operations vs thousands of script kiddies at work, I'll take my chances with that handful of people in that time period.
Oh, and I consider 3 days to be sufficient a time period for any manufacturer to respond, so anybody who felt like showing how it sometimes takes a manufacturer YEARS before fixing things can just bugger off. I have nothing against disclosure if the manufacturer takes too long - forcing their hand may be the best thing. But having them caught off-guard and scrambling by flat-out announcing it to the world is far more irresponsible than the alternative.
imho.
Must we highlight every bug in IE? (Score:2, Insightful)
I appreciate the desire to raise awareness, but there's no practical benefit to running this story other than Windows bashing. It'll get patched, the patch will probably ship on some future Tuesday given this is a feature few people use and the risk of exploitation is relatively low, and that'll be that.
In contrast, a far more dangerous bug [debian.org] in the openssl package used by Debian and its derivatives was discovered earlier this week, and doesn't seem to have made the Slashdot home page at all, even though it's probably relevant to a lot of the Slashdot readership and there is real action they can take to fix things. Go figure...
Re:Proof (Score:5, Insightful)
Re:0-day (Score:2, Insightful)
The whole "day thing" is about the time between disclosure and patch/signature release. Disclosure starts the clock: Day-1. Day-0 is for talking about the day before disclosure.
Re:WTF is a "0-day" ? (Score:3, Insightful)
A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit unknown, undisclosed or unpatched computer application vulnerabilities.
So, it's a newly discovered exploit. Can't we use that phrase instead of the uber-lame "0-day"?
Re:Proof (Score:3, Insightful)
Also, having developed desktop applications that used embedded IE, I can tell you the zones system is completely screwed-up. It changes in every version, the APIs are inconsistent across different Windows OS's, and there are crazy loopholes with magical URLs like res:, file:, about:. Then there's exceptions for files on the local hard drive, on the network, on mapped-drives. It's a total mess. All of it really just to support some stupid extensions to Javascript, VBScript, and Microsoft Office - that should never have been added in the first place.
Re:Proof (Score:4, Insightful)