Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Internet Explorer The Internet

Unpatched IE Flaw Extremely Critical 277

Durinthal writes "The biggest blip on the security radar over the Thanksgiving holiday was the realization by the security community that an Internet Explorer problem first identified six months ago was a lot worse than it appeared, as what appeared to be only a DoS vulnerability also allows for execution of arbitrary code. The realization caused Secunia to issue a rare 'Extremely Critical' advisory."
This discussion has been archived. No new comments can be posted.

Unpatched IE Flaw Extremely Critical

Comments Filter:
  • by A beautiful mind ( 821714 ) on Tuesday November 29, 2005 @12:56PM (#14139312)
    The biggest blip on the slashdot radar over the Thanksgiving holiday was the realization by the editorial community that a slow news problem first identified six months ago was a lot worse than it appeared, as what appeared to be only a short blip of news vulnerability now also allows for execution of arbitrary stories as portraid by Beatles Beatles. The realization caused CmdrTaco to issue a rare 'Extremely Dupical' advisory.
    • Re:Extremely Dupical (Score:3, Informative)

      by Anonymous Coward
      OK, now I know Slashdot's biased, but posting this twice and not posting this [techworld.com] at all?

      All your OS are belong to Sun!
  • by david.given ( 6740 ) <dg@cowlark.com> on Tuesday November 29, 2005 @12:57PM (#14139317) Homepage Journal
    ...pops up a dialogue asking whether you want to be spammed and then spams you anyway when you hit CANCEL.

    Does anyone think that a very handy Firefox add-on would be a button attached to this kind of dialogue that would instantly kill all Javascript scripts stone dead for the page? Once an OK/Cancel dialogue is up, you can't interact with Firefox's UI until you've responded to the dialogue and let the Javascript do something, which I think is poor design.

    • by BattleRat ( 536161 ) on Tuesday November 29, 2005 @01:01PM (#14139362)
      The extention you are looking for is called NoScript. It works awesome.
    • Try this NoScript [noscript.net]. It's a whitelist so you can allow only certain sites to use javascript.
    • Lots of people have recommended NoScript, and it works great, but still it is stupid that an accidental error in a Javascript can disable the entire program!

      Even links has this feature!

      Please, please add this in Firefox too! Javascript is not so important that it should take control over the whole user interface. Is there a bug filed on this already, I want to vote for it to be fixed.
    • Jason's Toolbox's Trust Setter [jasons-toolbox.com]

      This program allows you to move sites to and from IE's "Trusted Sites" list. It then is trivial to disable all Java/ActiveX/JS/Cookies in the "Internet Zone".

    • It's incredibly poor design. Considering links allows one to do this, I would expect such a supposedly more featureful browser to support it.
    • That is not a 'popup', it is a flash ad.

      Install Flashblock [mozdev.org]. Use it for a week and you will not know how you lived without it.

    • Out of curiosity, did you hit the x or did you hit cancel?

      IIRC, the JavaScript confirm() function returns three values -- true, false, or null, depending on whether you hit ok, cancel, or x. Unfortunately, most users think x and cancel are the same, and a lot of programmers forget to check for the null -- so when you hit x, you get the default behaviour in the code (whatever that might be).

      The reason you can't interact with firefox until the confirm dialog is finished is actually sort of simple -- it's def
      • IIRC, the JavaScript confirm() function returns three values -- true, false, or null, depending on whether you hit ok, cancel, or x.

        Unfortunately not. I can see that it would be useful to have, but a quick test shows that both Cancel and the Close button return false (on Windows 2000, IE 6 and Firefox 1.0.7). IIRC this is in line with the expected behaviour for such dialogs, although that may vary per operating system.

        Try it: type

        javascript:alert(confirm("blah"))

        in your browser location bar

        • That's very interesting, I wonder how the hell I got that into my head? I don't use those dialogs on a regular basis, but still...

          [Hmmm]

          Okay, I've tested NS4.7/UNIX, but IE 4 won't load anymore.

          Ah... Seems I may be confused with the prompt() function. That's really odd, though, I would've bet a case of beer on my previous assertion.

          Thanks for bringing that to my attention.
    • Does anyone think that a very handy Firefox add-on would be a button attached to this kind of dialogue that would instantly kill all Javascript scripts stone dead for the page?

      No script [mozilla.org] seems to be what you are looking for.

    • I went to the page and I didn't see any ads at all. I don't have Flashblock or NoScript installed, but I do have AdBlock set to "If it moves, shoot it." Loading AdBlock with a good set of downloadable instructions will kill just about anything.
  • and still be vulnerable? I am shocked and appalled. As is well known, any reputable software vendor would release flaw free code that could not possibly cause hidden attacks such as this. Clearly they are the scum of the earth and should be shunned for foisting such shoddy products off on the public. And if you believe THAT, I have this bridge for sale in a ratehr profitable location of a well known American city.
    • by Enigma_Man ( 756516 ) on Tuesday November 29, 2005 @01:09PM (#14139454) Homepage
      Sarcasm aside, yes they should be responsible for what they wrote, even though it's a lot of code, and there are going to be bugs (human nature). It is shoddy software.

      -Jesse
    • The fact that there are lots of critical bugs wouldn't be an issue, if the vendor patched the bugs *before* the exploits are made public. They were aware of the bug for a long time, long before this exploit was developed.
    • by Phisbut ( 761268 ) on Tuesday November 29, 2005 @01:42PM (#14139759)
      I am shocked and appalled. As is well known, any reputable software vendor would release flaw free code that could not possibly cause hidden attacks such as this.

      Although it can be "accepted" that code be released with unknown bugs (because we all make mistakes), the problem here is that the bug report is over 5 months old. It is one thing to ship buggy code, it is another thing to ignore bug reports and not fix your product once the bugs have been found. It is no longer unknown, Secunia has a release date of 2005-05-31 for that bug.

  • by Anonymous Coward on Tuesday November 29, 2005 @12:57PM (#14139326)
    is "IE" the shortented version of the screaming sound that I make when I realize my machine has been compromized?
    "iiiieeeeEEEEEEEEE!"
  • Wow (Score:2, Interesting)

    by gcnaddict ( 841664 )
    Its so rare that most other things never see the light (or lack thereof) of this rating... I dont think firefox ever got an Extremely Critical rating for any of its bugs :P
  • Firefox v1.5 (Score:5, Interesting)

    by Space_Soldier ( 628825 ) <not4_u@hotmail.com> on Tuesday November 29, 2005 @12:58PM (#14139330)
    This makes Slashdot exactly on the day Firefox v1.5 is supposed to be released. Apparently, Mozilla want to create a huge marketing campaign, better and larger than the one for v1.0. This is a perfect time to capitalize on this horrible security hole to promote Firefox.
    • Surely you aren't questioning the motivations of the powers that run Slashdot, are you? After all we are talking about Zonk or CmdrTaco's honesty and integrity, their sterling reputations, their ..... oh never mind.....
    • Re:Firefox v1.5 (Score:4, Informative)

      by m0i ( 192134 ) on Tuesday November 29, 2005 @03:38PM (#14140843) Homepage
      This makes Slashdot exactly on the day Firefox v1.5 is supposed to be released. Apparently, Mozilla want to create a huge marketing campaign, better and larger than the one for v1.0. This is a perfect time to capitalize on this horrible security hole to promote Firefox.

      Hrm, did you notice that Firefox 1.5 is crashing as well on this exploit? It's not a security risk but a big annoyance nonetheless.
  • Proof of Concept (Score:5, Informative)

    by Motherfucking Shit ( 636021 ) on Tuesday November 29, 2005 @12:58PM (#14139331) Journal
    Here is a link to the Proof of Concept [computerterrorism.com] page, which will launch an instance of calc.exe if you're vulnerable. AVG Free caught the exploit in the cached page, but calc.exe ran anyway, even after I deleted the file.
  • Temp Fix (Score:5, Informative)

    by Manip ( 656104 ) on Tuesday November 29, 2005 @12:59PM (#14139343)
    Turn on "Data Execution Protection" for all programs and services. Instead of allowing full execution it will limit it to a DOS (crack IE).

    Control Panel -> System -> Advanced [Tab] -> Performance Settings -> Data Execution Protection [Tab] -> Turn on DEP for all programs and services except those I select -> Ok -> OK.
    • Re:Temp Fix (Score:4, Informative)

      by _Shorty-dammit ( 555739 ) on Tuesday November 29, 2005 @01:09PM (#14139446)
      I believe DEP is on by default for IE anyways, so I'm not sure this is even necessary. I just tried the proof-of-concept test on my machine, and all it did was bring up some script prompt, didn't launch calc.exe as it should have. This is with the IE7 beta, btw.
      • Weirdly, DEP isn't ON for IE7 beta, Windows Messenger & Media Center on my system.
        Its ON for other Microsoft programs.
    • Check out vmplayer - it allows you to run live CDs in a seperate virtual machine, runs on linux or windows, and it's free. They even have a pre-built virtual machine which runs Firefox in Ubuntu.

      If I have to use Windows, I run Slax in a virtual machine (use DamnSmall if you're short of RAM - they have a very compact version on their site which runs with QEMU).

      If I have to use Windows and IE, I use Slax KillBill, WINE, and install IE (check out the sidenet installation for IE - it's slick and it works). Th
    • Re:Temp Fix (Score:3, Informative)

      by Ron Bennett ( 14590 )
      Turned DEP on, shutdown/restarted, and still no good - the exploit (calculator comes up) still works :(

      Perhaps hardware based DEP would make a difference, but again, for folks relying on software-based DEP, it's not effective - the exploit still works anyways.

      Ron
      • Sorry I didn't know that... For me, switching on DEP with my P4 (DEP supported) worked fine. It caused IE to crash when the proof of concept was ran (and executed fine without DEP turned on).
  • by Mitchell Mebane ( 594797 ) on Tuesday November 29, 2005 @01:00PM (#14139357) Homepage Journal
    Although it's not as severe.

    https://bugzilla.mozilla.org/show_bug.cgi?id=31733 4 [mozilla.org]
  • by UnderAttack ( 311872 ) * on Tuesday November 29, 2005 @01:03PM (#14139382) Homepage
    The SANS Internet Storm Center [sans.org] has a counter on their home page showing how many visitors to their site are vulnerable to this particular problem. At this time, looks like it is 43%! (and I assume that people checking the site are more security concious then the average). Also see MSIE 0day exploit [sans.org].

  • McAfee Fails It (Score:5, Informative)

    by Orrin Bloquy ( 898571 ) on Tuesday November 29, 2005 @01:03PM (#14139388) Journal
    On my W2K box, McAfee warns me of a threat, then as soon as I close the window, the code executes anyway.
  • Am I the only one? (Score:4, Insightful)

    by LaughingCoder ( 914424 ) on Tuesday November 29, 2005 @01:04PM (#14139395)
    I read the article, and there was a link to a page that demonstrates the exploit. Now, am I the only one who is afraid to click such a link? There is something about seeing a link that basically says "click here to see how we can take over your machine" that sends chills down my spine. I don't know about you, but I never click those demonstration links on *MY* machine.
  • McAfee Catches it (Score:2, Informative)

    by borawjm ( 747876 )
    My virus scanner seemed to stop it on the proof of concept page [computerterrorism.com]. McAfee sees it as JS/Exploit-BO.gen [mcafeesecurity.com]

  • by Billly Gates ( 198444 ) on Tuesday November 29, 2005 @01:06PM (#14139415) Journal
    His name points to an url and he is trying to use slashdot to boast his google pagemark. Move the cursor over the name? His site pops right up.

      Just yesterday a famous spammer did the same thing and posted here. The slashdot editors should stop accepting such stories that are fabricated in order to boast his advertising revenue.
  • Is there a related security bug for Safari? I tried the demo code on it and it does not crash Safari, nor does it run any executables, but ti does put Safari into a pretty unusable state after opening a javascript window full of Chinese characters, I could not find any way to kill just that window and had to quit and restart the application. It looks better than the response of IE or Firefox, but still not the proper way to handle the code.

  • AVG detects it (Score:3, Interesting)

    by bogie ( 31020 ) on Tuesday November 29, 2005 @01:29PM (#14139639) Journal
    When I loaded up IE to test it, AVG detects the virus in IE's temp files. Then IE hangs a while and then finally calc loads. But if you kill IE while your waiting it doesn't get a chance to execute. Not a solution but at least it buys you some time to possibily stop it.

    Either way MS needs to get off their ass and fix the problem. Oh and as if everyone didn't already know, you should be using anything but IE for web surfing.

  • On the proof of concept site, my Internet Explorer blocked a pop-up and did nothing else. Firefox launched another window and then crashed. Why am I supposed to be switching again?
  • by smchris ( 464899 ) on Tuesday November 29, 2005 @01:54PM (#14139863)

    "Currently, the only work-around is to temporarily discontinue the use of Microsoft Internet Explorer and use another browser, such as FireFox, (this can be downloaded for free at www.mozilla.com) until Microsoft can issue a patch."

    Anyone else's bank send out a warning like this bluntly stating that if you use IE, there is nothing the bank can do to protect you?

  • The proof of concept [computerterrorism.com] crashes firefox 1.0.7 (as reported in this thread by numerous others).

    I'm not surprised that IE hasn't been patched, but as this vulnerability has been known for some time (this post is a dupe - not that there's anything wrong with that), but why hasn't firefox been patched yet?
    • Does nothing but cause a (recoverable) hang for me in my FF 1.0.7
      Wait for the alert show up, CPU to max out, and when it falls off
      kill the window and when prompted that it's not responding hit
      cancel. the dailog is gone but the browser remains. Ouch that hurts
      sooooo much.
    • It doesn't crash firefox. It hangs Firefox because it's trying to display a prompt() wherein it must reflow zillions of interesting Unicode characters. Eventually it'll display.

      if you interrupt the busy state in a debugger we're busy in layout trying to
      display the prompt(). Usually in some form of Reflow(), sometimes in font
      stuff, sometimes in Bidi (nsBidiPresUtils::RemoveBidiContinuation?).

      The bugzilla title for this bug is 'hang when long wrappable string is passed to prompt()'.

  • The realization caused Secunia to issue a rare 'Extremely Critical' advisory."

    I'm still waiting for the even more rare "quickly unplug it and step away from the computer" advisory.
  • . . . a sufficient excuse to force users at work to use Firefox. Thank God!

Genius is ten percent inspiration and fifty percent capital gains.

Working...