Submitting a review for consideration is easy; please first read Slashdot's book review guidelines. Updated: 2008114 by samzenpus
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.
server side scanning (Score:5, Insightful)
Why dont web hosts scan for hosted vulnerabilities? I imagine a nightly clamav scan by web hosts would make all the difference in cases like these where there is no patch yet but there is an web-based exploit. Heck, some users dont even patch, as was shown by Conficker, which was patched in October and spread like wildfire in January.
Re:server side scanning (Score:5, Informative)
You have a good point, but are you sure web sites are actually legally entitled to inspect what people are paying them to put on their servers?
If so, probably just a case of lazy and/or clueless administrators.
Parent
Re:server side scanning (Score:4, Insightful)
Parent
Re:server side scanning (Score:5, Insightful)
You have a good point, but are you sure web sites are actually legally entitled to inspect what people are paying them to put on their servers?
If you read the small print in the ToS you'll see they entitle themselves to doing anything they could imagine. Even if it was not in the ToS, adding it in there is trivial.
The reason they don't do it is one of pure economy. Integrating and running antivirus programs daily on a server is not free. It slows down the server (so they can pack less sites per server), it means license/support contracts (even if the basic software is free), means the staff spending time on integrating and supporting this feature.
At the same time, browser exploits are simply small static files that don't affect or abuse the server in question in any significant way. If they scan, it would be just to protect the site visitors, which are not a party that matters to web host providers. So, unless site owners decide they would rather take their business with a host who scans, the hosts have no interest to implement this.
Parent
Re:server side scanning (Score:4, Insightful)
How are web hosts going to handle dangerous files they find, if they start searching the users' stuff? That upload of the latest Conficker might not be malicious (user rents serverspace to host virus/trojan/worm research), the upload might be referenced in a database by the CMS (whoops, it's gone - does the user know how to fix the now-apparent bug in the CMS' filehandling?).
How does a virus scanner even know if the file is visible to the outside world? You have .htaccess files, scripts which may or may not display the files in an index (and it doesn't have to be anywhere near the same directory) and non-Apache/IIS systems which serve up content based on Python, Java or whatever.
Lots of issues with automated scanning/removal before you even start to consider the processing power to scan. Although that could be handled by having a reasonably beefy cluster of pure file servers which the web servers get their user directories from.
Parent
Re: (Score:3, Informative)
I agree that if there is a company that always has faulty products, that people would stop buying products from them. But nobody has stopped using windows (In this case the problem is IE, activex yada yada) because it generally works in most cases, for what people want it for.
I used to do tech support in a call center. The company I worked for made networking hardware, so the internet service that packaged our products the most, hired us to also do tech support for the customers with our products. Literally
Re: (Score:3, Informative)
I use the CLI in XP quite often, sometimes it's just a lot easier and faster and more versatile than the gui option.
And now there's Powershell for XP, that's the new and improved CLI if I'm not mistaken, haven't used it yet though.
Firefox 3.5? (Score:5, Funny)
Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.
Well, I guess I'm safe. At my workplace, my Redhat 9 installation is incapable of running any version newer than Firefox 2.0.0.20.
Re: (Score:2)
"Firefox users can't be too complacent;"
Complacency is the mother of mothers.......
Re: (Score:3, Insightful)
Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.
Well, I guess I'm safe. At my workplace, my Redhat 9 installation is incapable of running any version newer than Firefox 2.0.0.20.
That, and the fact that there are no exploits for the Firefox vulnerability in the wild. The two pieces of news are hardly comparable. Seriously, this is like reporting a string of car thefts exploiting a defect in Ford's keyless entry systems and ending the story by reminding Chevy drivers that their vehicles can be broken into with a sledgehammer.
Re:Firefox 3.5? (Score:5, Insightful)
That, and the fact that there are no exploits for the Firefox vulnerability in the wild. The two pieces of news are hardly comparable. Seriously, this is like reporting a string of car thefts exploiting a defect in Ford's keyless entry systems and ending the story by reminding Chevy drivers that their vehicles can be broken into with a sledgehammer.
False analogy. Better analogy:
It's like reporting a string of car thefts exploiting a defect in Ford's keyless entry systems and ending the story by reminding Chevy drivers that their keyless entry sytem is also flawed but luckily since fewer people drive Chevy's (and Ford drivers are usually foolish enough to park their car in front of a big warehouse with a sign that says "Not a chop shop") no one's bothered to learn how to break in to a Chevy yet.
Parent
Re: (Score:2, Funny)
It's the same as the cool kid in highschool. Popularity also means more people will hate him, or exploit his keyless entry, or the bug in his active x controllers.
Re:Firefox 3.5? (Score:5, Insightful)
Wrong. The details are public and exploits could be happening in the wild. How do you know they're not?
From http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html [washingtonpost.com]
Instructions showing hackers how to exploit an unpatched, critical security hole in Mozilla's new Firefox 3.5 Web browser have been posted online.
Parent
Re: (Score:2)
Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5.
Well, I guess I'm safe. At my workplace, my Redhat 9 installation is incapable of running any version newer than Firefox 2.0.0.20.
Redhat 9?? You're lucky...
[/mpython]
Re: (Score:2)
You're in luck!
Seeing as how its related to the font html tag, I bet its backwards compatible a few versions!
It's about time... (Score:2, Funny)
Re: (Score:3, Funny)
Yo dawg, I heard you liked ActiveX, so I put some Excel in your Excel so you could get exploited while you were getting exploited.
kill bits (Score:5, Informative)
A temporary fix that sets the 'kill bits' of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection.
Well, Computer World (and CWmike in particular), perhaps more users would take advantage of the protection if you would provide them a link telling them how when you first mention it [microsoft.com] rather than wait until the end of the article where they may not associate it as being the aforementioned solution.
My solution for ActiveX (no, not installing Linux) (Score:5, Informative)
I use the IE security settings. Yes. It works. The only real problem with it, is that they are a bit convoluted for ActiveX. I had to slow down and think before I got what I wanted, which is essentially to have any web site that wants to run ActiveX prompt me, and then I can choose to accept (but virtually never do).
Notice to web developers: If your site requires ActiveX, and it's not an absolutely essential service from a company that I can yell at, I will go someplace else. IIRC, I have one online financial service that fits that category.
Otherwise, I DON'T NEED ACTIVEX. NOBODY REALLY DOES. ANYTHING WORTH DOING CAN BE DONE WITHOUT IT.
And yes, that's shouting. It needs to be shouted loud enough for these people to hear it. It needs to be shouted again, and again. ActiveX belongs with IE6. Actually, it should have been killed off many revs before that. It should have been shot down by somebody who countered the suggestion at the very first meeting where it was discussed. Maybe somebody had the flu that day.
Hear Hear, and let me add.... (Score:4, Interesting)
Hear hear on your ActiveX rant, and let me add "What you have said about ActiveX also applies to Javascript."
I see too many sites that will have almost every link be of the form <a href="#" onclick="follow_link(some_damn_link.html)"> - in other words the only way to follow the link is to use Javascript. This is just sloppy and stupid-lazy - such pages are usually machine generated, and there is NO REASON why the tool couldn't have filled in an appropriate href.
Yes, there are good uses for Javascript - but do we really want to be allowing J. Random Website to run code in a Turing-complete[*] language on every potential page load? I don't - and that is why I have NoScript installed, and no web site gets to run Javascript by default on MY browser - and since the Securina exploit against Firefox is Javascript based, that reduces (but does not eliminate) my exposure.
([*] - Javascript is as Turing complete as C/C++/Java or whatnot - the only thing that makes it NOT truly Turing-complete is the absence of infinite storage, just like C/C++/Java or whatnot).
Parent
Only 9 posts? (Score:5, Funny)
Active X again? (Score:4, Funny)
With the number of ActiveX related security issues you would have thought they would simply drop it or at least sandbox it?
Re:Active X again? (Score:4, Insightful)
I believe Microsoft thinks ActiveX is sandboxing.
Parent
Re: (Score:2)
My cat sandboxed it.
They have (Score:5, Informative)
If you go read the notice, you find out that Vista and Server 2008 aren't affected. Reason is that IE has a sandbox mode on those OSes (Windows 7 too) for things like that. However, it relies on changes to the OS so it hasn't been backported to XP and I don't know that it could be easily.
So yes, they have sandboxed ActiveX, but it applies to newer versions of Windows only.
Parent
Re: (Score:2)
Funny thing is, the Firefox 3.5 exploit doesn't work on Vista either according to our testing. Only works on Windows 2000 and XP. Good thing everyone's bashing Vista like it has no features of value and as if it's still broken like pre-SP1 when SP2 is out.
So your average Microsoft-hating fanboi who is running Firefox 3.5 because IE8 isn't cool enough, and who is running Vista because XP is "way better", is the one who is vulnerable to this Firefox exploit.
Re:They have (Score:4, Interesting)
Good thing everyone's bashing Vista like it has no features of value
No, we bashed it because it didn't have features of $200+ value.
Parent
Re:Active X again? (Score:5, Insightful)
What ActiveX needs is a pine box
Parent
Re: (Score:2)
Re: (Score:2)
Re:Active X again? (Score:4, Informative)
Whores only exist to lure married men from their wives, right? Kill 'em all, right? Just like ActiveX controls, whores have a purpose... not necessarily in line with their intended nature. What should we do with them?
I think I see the part you're missing that would explain to you why some (including me) think ActiveX is fundamentally flawed.
In terms of security, I think we can agree that the Internet including the Web is rightly regarded as a hostile network. We can also probably agree that good security is done in overlapping layers in order to minimize single points of failure. That's important for many reasons, not the least of which is that a glaring, single point of failure increases both the severity of exploits and the ease with which they may be carried out.
The problem with ActiveX is the lack of sandboxing. A control has the full privileges of the user running the browser. With XP machines that user tends to be an Administrator, compounding the problem. Trusting this environment to reliably and securely handle remote code on a hostile network is just begging for trouble. The idea is fundamentally flawed and tinkering with it may mitigate the problem but will not fix it. It needs to be abandoned and replaced.
Java is more suitable for this kind of task. That is, the needed sandboxing capabilities are an integral part of its design, which is not the case with the Windows DLL-type ActiveX controls. If you really want a Microsoft solution, Silverlight can run applications (both remotely and downloaded for local off-line use) and has its own sandbox. Even Flash apps are a better idea than ActiveX, which is saying something considering Flash's security history.
A solution with a good sandbox combined with running as an unprivileged user is a hell of an improvement. This means that an attacker who wants to own the machine has multiple hurdles. The more this is the case, the more difficult it is for an automated script to pull off a successful exploit. The fact that the malware is fully automated and can rapidly spread is part of why there are so many botnets and other problems. Think of it as something like a captcha: the more a successful exploit requires a determined human being, the fewer massive botnets there are. Fewer botnets mean less spam and fewer DDoS attacks and the like. Nowhere does the low-hanging fruit of ActiveX (and similarly flawed ideas) fit into that picture.
Parent
Re: (Score:3, Informative)
Full disclosure or what? (Score:2, Insightful)
Why is Secunia (http://secunia.com/advisories/35798/2/) only featuring a link to the exploit of the ff3.5 0day but no link the Mozilla bugtracker?
Don't want to sound trollish but I don't really know how this whole security business works. So can anyone please explain why there is no bug report for the open source browser?
More than multiplying, I'm afraid (Score:3, Funny)
Disable JIT for Firefox 3.5 workaround (Score:2, Interesting)
set javascript.options.jit.content to false.
http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/ [mozilla.com]
Exploit (FX3.5) (Score:3, Informative)
Apparently, it should crash and open up calc.exe. On my machine (win7 RC1) it crashes bringing up the error report thingy.
No calc.exe for me.
Does this mean I'm "safe"?
I'm using Chrome! (Score:2)
Ha-ha, suckers!
Re:Ohh noes.... (Score:5, Interesting)
Apparently, a lot given that the attacks are becoming more intense and frequent.
My guess is that when Office installs, various ActiveX controls are linked into the OS and by extension, the web browser MSIE. But there are lots of places where this should never have happened.
1. ActiveX has been proven time and time again to be a very bad idea. It is not sandboxed. There is no way to keep it away from the rest of the OS.
2. The web browser's integration with the OS. Not only has it been ruled illegal by various nations antitrust courts, but any exploit of the browser also exploits the OS by extension.
Parent
Re: (Score:2, Informative)
Re:Ohh noes.... (Score:5, Funny)
Without an unsandboxed version of the win32 api, which is what ActiveX is, they would be unable to deny the ability to use the internet to those without a recent version of windows and office.
My head didn't stay unexploded while I wasn't unreading this unstatement.
Parent
Re: (Score:3, Insightful)
Without an unsandboxed version of the win32 api, which is what ActiveX is, they would be unable to deny the ability to use the internet to those without a recent version of windows and office.
With a sandboxed version of the win32 api, which is what ActiveX is, they would be able to allow the ability to deny the internet to those with a recent version of windows and office.
To paraphrase: "IE plugins from Office won't work without Win32 API running with increased privilages"
Took me a while to work it out, though.
Re: (Score:3, Funny)
I'm a little more militant in my opinion of ActiveX.
Dumbest idea EVER. Microsoft has tossed more money down this sinkhole of a technology trying to fill the hole. People, Companies and governments have tossed even more down the same hole fixing issues that directly arise from some ActiveX bug.
How much further along would Microsoft have been along if they had just passed over this DUMB marketing idea anyway. ( It had to come from marketing, it must have, really who else could be this dumb. )
What it's been
Re: (Score:2)
A vulnerability to opening an Excel sheet in IE? How many people do that on a regular basis? How many EVER do it? I dont think I can remember having ever tried to nor needing to. How is this newsworthy?
All it takes is a link to http://example.com/NUDE_PICS_CELEBNAME.xls [example.com]
Re: (Score:2)
Re:Ohh noes.... (Score:5, Informative)
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Excel.Sheet.8\BrowserFlags",00000008,"REG_DWORD"
I didn't put it in place for this vulnerability though, just because a lot of people use macros and don't know how to save as.
Parent
Re:Ohh noes.... (Score:4, Informative)
You are totally correct in saying that Office Web components won't be affected, I was just replying to the previous poster. Still anyone worth their weight as an admin wouldn't install Office Web components on anything.
Parent
Re: (Score:2)
Unless the PHBs think that it's Super Cool to embed Excel Sheets and .PPTs in SharePoint's webpages...
Re: (Score:3, Interesting)
When some one sends me the "Oh please check out my super duper cool Share point embedded Office power point blah blah blah" very important link. I respond.
Sorry Doesn't load on my iPhone.
( I don't really own an iPhone. But iPhone makes them go "Oh crap, iPhones are cooler than this. I'd better re-do it so iPhone's can view it. )
After that it tends to be de-Microsoft'd enough for me to feel comfortable opening the link.
Re: (Score:3, Funny)
Re: (Score:2)
Oh come on, that was funny.
Since when did bashing MS become flamebait, usually the mods reserve that for me bashing Apple.