Web Site Attacks Against Unpatched IE Flaw Spike 268
An anonymous reader wrote to mention a Washingtonpost.com article about an increase in attacks against IE users via a critical, unpatched flaw. The bug allows software to be downloaded to the vulnerable PC even if the only act the user takes is browsing to a web site. From the article: "[A] password-stealing program landed on the Windows PC belonging to Reaz Chowdhury, a programmer for Oracle Corp. who works out of his home in Orlando, Fla. Chowdhury said he's not sure which site he browsed in the past 24 hours that hijacked his browser, but he confirmed that the attackers had logged the user name and password for his company's virtual private network (VPN)."
Lets say it together: (Score:5, Insightful)
Re:Lets say it together: (Score:2)
Also, being that it is now 2006, maybe we should stop using usernames and passwords for authentication or at least exclusively using them.
The best I have seen passwords work is at Bank of America's online banking.
I don't know the details, but I'm guessing it stores a cookie on your machine if you tell them its your normal computer. If that cookie is not found, then the site will show you a picture and a user defined caption for the picture to prove that the bank is my bank. It then asks me one of 3 or so
Re:Let's be l While We're at it (Score:2)
Re:Let's be l While We're at it (Score:2)
Patch released! (Score:5, Funny)
http://www.mozilla.com/firefox/ [mozilla.com]
Legislation Needed? (Score:5, Insightful)
I worked at an air force base and they were definitely standardized on IE. Knowing about these bugs and electing _not_ to fix them expediently, couldn't this be considered a threat to national security?
If there are over 160 million+ computers in the US alone, and 90% of those PC's use Internet Explorer, how can the US Gov. not justify action in insisting these issues be resolved promptly?
Jim http://www.runfatboy.net/ [runfatboy.net] -- Exercise for Web 2.0
Re:Legislation Needed? (Score:5, Interesting)
Re:Legislation Needed? (Score:2)
Cute. The government appears to be pretty stupid about security. Lets subpoena Google and let them spy on the people for us, yet the DOE and other government agencies typically get Ds or Fs when it comes to security. Proof that they are confused:
http://niap.nist.gov/cc-scheme/vpl/vpl_type.html#o perati [nist.gov]
Re:Legislation Needed? (Score:2)
So... when exactly do these scans take place? And can a job be scheduled to uninstall/reinstall automatically?
Better yet: if you just copy Portable Firefox to the hard drive, or even run it from a CD / USB drive, does it still get detected?
The big issue, of course, is why you're forced to use insecure software, but you
Re:Legislation Needed? (Score:3, Insightful)
Re:Legislation Needed? (Score:2)
Sure. But like our Commander in Chief said recently with respect to the ports management fuss, we have to balance the interests of natonal security with those of commerce. Achieving a similar balance with individual rights and freedoms, on the other hand, I guess is out of the question.
The moral of the story is that if you're a big company or a monopoly, your interests count. Unl
Re:Legislation Needed? (Score:3, Insightful)
> Internet Explorer, how can the US Gov. not justify action in insisting these issues
> be resolved promptly?
No, how about secure sites take responsibilty for their own incompetence. Both Windows and IE are licensed (and on large sites it really is a license and not a sale) on a general disclaimer of all warranties for suitability to purpose, security, etc. Add in a decade long record of having more remote exploit
Re:Legislation Needed? (Score:4, Interesting)
This means that in closed source, the developers are the "lawyers" who proof-read the "contract". Though, agreeing to a secret contract may not be the best idea (not like I've read the Linux/BSD/* source), but that is another issue.
This means that we have to trust the developer's judgement. In this case, we have to trust that the developers will fix it as soon as possible. If that is legislated then rushing may occur to meet deadlines, possibly leading to more bugs.
I think we should hold companies responsible for errors, where a EULA cannot absolve them from the responsibility provide the services that they promised at the time of purchase, let alone any loss/theft of data. If managers had to factor in "cost of bugs" then I suspect developers would be given more time/resources to fix problems.
Depends on the nature of the beast/bug (Score:2)
That why I stay with #2 or #3 (Score:5, Interesting)
Not really (Score:3, Informative)
In fact, if MS is successful in creating an OS and set of apps that are more secure than the others, it will mean that Linux, BSD, Mac, and
Re:That why I stay with #2 or #3 (Score:2)
Indeed - I do likewise, which is why I choose to run IIS (tm) on all my webservers, having a lower profile then Apache has made it far less likely to be attacked.
Seriously - whilst there is correlation between popularity of a project & number of attacks, there is no link between popularity and number of vulnerabilities.
A well written application is a well written application, regardless of popularity (look at openSSH).
Re:That why I stay with #2 or #3 (Score:3, Funny)
Re:That why I stay with #2 or #3 (Score:3, Informative)
No, it's not just that people don't go after other browsers quite as much. Most of the time, only Internet Explorer has known highly critical security flaws. From this chart [wikipedia.org] you can see that IE for Windows has had a known highly critical vulnerability for over two years. Currently, the only other browser that has such a serious flaw is Mozilla, and that's been for less than two months — and that
Now that's a solution! (Score:4, Insightful)
Sure I could guess but which ones exactly would those be?
Re:Now that's a solution! (Score:3, Funny)
Re:Now that's a solution! (Score:2)
Don't worry dude, you'll know soon enough.
Re:Now that's a solution! (Score:2)
It's so sad. The Internet (well, the WWW) is all ABOUT unfamiliar web sites. That's how we discover and learn. We're not going to know (abstract or specifically) who runs alot of the websites we visit, and any number of them could be hosting malicious crap, or fantastic insight, or both.
It shouldn't be like that. People shouldn't have to be afraid of browsin
Health inspectors: Was Re:Now that's a solution! (Score:2)
It's like a restraunt that you've never been to, how do you know that you will not die of food poisoning?
Luckly for us, restraunts are randomly inspected by health services and get a score around here.
Maybe its time for random website inspections to see what kind of crapware/spyware/scripts are on them, sounds like a good place for a firefox plugin.
Re:Now that's a solution! (Score:2)
dunno, but siteadvisor [siteadvisor.com] gives me a nice green tick in google search for those that are supposedly safe... ooh you're in luck, there's an IE version [siteadvisor.com] as well as a Firefox one... but I wouldn't know if it was actually safe to visit them using IE
Re:Now that's a solution! (Score:2)
Microsoft's advice is invalid to that end.
"... said he's not sure which site he browsed..." (Score:5, Funny)
nope (Score:2)
So, it wasnt pr0n. But c'mon, couldnt he check the history and let others know?
Re:nope (Score:5, Funny)
Re: (Score:3, Interesting)
Re:"... said he's not sure which site he browsed.. (Score:5, Insightful)
Hrm, don't blame the victim. Sure, you can turn off active scripting (mainly javascript), but do you know how many sites fail to function properly without it and that is only going to get worse sith the rush to have more interactivity on the client? Think of all the hype around AJAX.
Nah, acripting in browsers (javascript, activeX, flash, showwave, etc) should be properly sandboxed so that they can't access system resources like the file system and execute commands. The problem lies with how IE is developed, not with a user regardless of thier knowledge level.
*sigh* (Score:2)
I have probably made over $1000 in the past year in $35.00 incriments just running adaware, hijackthis and spybot for people around town, and then recommending firefox. Probably 10 times that amount for my commercial clients.
I used to run them on my box all the time, until I put firefox on... now I run them once a month or so - mainly for giggles and a healthy dose of paranoia. Clean.
When will they learn?
Re: (Score:2, Informative)
Re:*sigh* (Score:2)
The majority of new browsers (NOT browser installations) are heading towards full standards compliance, so it is in fact IE which is the odd one out despite having the largest slice of users. Since developers get pissed at having to design specifically to work around IE's problems, MS is now seeming to make an effort to meet standards with regards to CSS etc.
Re:*sigh* (Score:3, Funny)
I'm just flabbergasted at the thought that I'm not even sure where to begin on a reply. What you are asking...is basically asking them to...break...firefox. I'm all for demolition and breaking stuff just as much as the next guy but that's usually in the name of progress and I see little "progress" in such a proposal.
As lame and well-used as it is: what you're proposing is for the firefox developers to jump off a bridge just becuase
Re:*sigh* (Score:2)
So why don't they program firefox to render pages the same way IE does it?
Because IE is displaying them incorrectly and is not standards compliant. Just because Microsoft's calculator application says 2.45+2.45=5 doesn't mean it's correct. The most intelligent thing you could do is write your web pages for Firefox and then have Javascript that munges the IE-specific parts so it displays "correctly" for users using the broken IE browsers.
Re:*sigh* (Score:2)
The sad thing is, I actually had to try that. Says a lot for their reputation, I suppose.
Re:*sigh* (Score:5, Informative)
4 + 2 * 6 evaluates left to right for the basic view, giving the answer 36. The advanced (scientific) view does it by algebraic hierarchy, so the multiplication is done first, giving 16.
(FWIW, the OS X calculator does it the algebraic way, but the calculator widget does it the left to right way)
Re:*sigh* (Score:4, Interesting)
wow.
you'd think that clicking something under the VIEW menu would, you know, change what you can see. Rather than changing the basic way in which the calculator works.
I still can't believe this.
"Hello, Microsoft Support"
"yeah, I've got a problem with the calculator"
"ok"
"yeah, sometimes when I type an equation in, it gives me one answer, but other times it gives me a different answer"
"oh yes, that's right sir, the calculator gives you different answers depending on which buttons you can see on the screen...."
Re:*sigh* (Score:2)
To be honest, between all the bugs, quirks, and unexpected behaviour I doubt even Microsoft could program a web browser that renders pages the same as IE does. (Hell, whenever they release a new version, webmasters always seem to complain about it breaking their pages, and IE 7 probably won't be any different - but they have to live with it).
Re:*sigh* (Score:2)
As far as "So why don't they program firefox to render pages the same way IE does it?" there are 2 reasons.
#1) IE sucks at rendering things. (Try the ACID2 test if you don't believe me)
#2) IE is proprietary, they can't get the source code (legally).
In other news... (Score:5, Insightful)
Here we go again.... (Score:4, Informative)
Over on the linux, and alternative browser side, where I live, I see patches coming out very quickly for any kind of exploit.
Sadly, the patch for the new IE flaw is scheduled for April 11th? This is according to a BBC report here:
http://news.bbc.co.uk/2/hi/technology/4849904.stm [bbc.co.uk]
Can't they do better than that? How about an emergency patch, followed by a fully tested one? Just something to knock the vulnerability into non-functional status? Hey, it's fine if the patch is imperfect- I'll beta test to save my banking information. Really.
I suppose I wouldn't have a problem with Microsoft's monopoly if they actually service me as a customer well enough that they deserved a monopoly position. I like a lot of their software. But these kinds of security issues need to be addressed better and faster.
Ironically, I pay a lot less for my linux servers and get better responses for both support and patches. That makes a difference to me.
Re:Here we go again.... (Score:2)
Here's why: nearly every day, when I come into work, I have a request from a user to "enable IE" for them. See, in our office, we've locked down IE (using privoxy) so that it can only go to certain, "approved", sites. Users usually want to use something like MSN Video, which will not run on anything but IE, and, desp
Serious Question (not flaimbait) (Score:3, Interesting)
If the goal is to infect the most systems, then by defualt, you'd avoid Mozilla or Konqueror simply because (at best) you could only hope to control a fraction of machines with active internet connections. Maybe this question has been asked before...
Re:Serious Question (not flaimbait) (Score:3, Insightful)
What's the general opinion? If the majority of casual surfers used Firefox or other alternative, would reverse engineers switch focus to those apps?
What makes you think the majority don't focus on alternative browsers now? From what I've seen there are about as many people pounding on Firefox as there are on IE. It's just the people who find things in Firefox usually get them fixed much more quickly. Of course if Firefox gains in market share more people will look for holes, but that does not mean it wi
Re:Serious Question (not flaimbait) (Score:2)
They already do (Score:2)
Will IE in Vista be in managed code? (Score:4, Interesting)
Re:Will IE in Vista be in managed code? (Score:2)
Not Helpful In Terms of Security (Score:3, Interesting)
Was the City of Tuttle, Oklahoma... (Score:5, Funny)
Keep an eye on this one.. (Score:5, Informative)
This is a little like the WMF flaw [microsoft.com] that became known just after Christmas. Eventually MS had to provide an out-of-cycle patch (even if it was just a few days early) because of the bad press they were getting. From the looks of things, the patch for this one will be ready soon too.. so any kind of noise you can make to get an early release would be a Good Thing.
Yeah yeah, MS will get a lot of flak from Slashdotters on this, but you should bear in mind that they also provide some decent patching tools like WSUS [microsoft.com] for administrators to roll these things out. Personally, I never use IE on my Windows box, but I'm afraid it's still a fact of life in most large businesses.
Windows is more secure. (Score:2, Insightful)
But this is what we are talking about when we says LESS secure. Anyone running a server in a professional environment is expected to know what he or she is doing. What windows lacks in security has to do with workstations/personal computers at a persons home browsing the web on IE, who is not a security expert and shouldnt need to be! Windows continues t
IE7 beta2 is the solution? Not for 2K users (Score:3, Insightful)
That's nice. Now when is Microsoft going to code IE7 to work on the hundreds of thousands (millions?) of pcs still running Windows 2000?
They're not? You mean I have to shell out more money to get a fix for a problem which is caused by their product?
Just another reason not to go with Vista. Another Mac convert on the way.
Re:IE7 beta2 is the solution? Not for 2K users (Score:2, Informative)
Because of this, my girlfriend who has an old Apple powerbook can't surf the web worth shit. So don't think that a
Re:IE7 beta2 is the solution? Not for 2K users (Score:2)
Use IE to browse your own website only (Score:2)
easy fix in XP (Score:3, Interesting)
Software Restriction Policies (Score:2)
Blocking just temporary internet files is obviously not fool proof (the exploit code itself could download files to another location besides the temporary internet files folder) but it does seem likely to break any malware that's written to have the browser do the work of caching scripts from the website ahead of time. (Does IE work that way? Cache scripts fully, even if they contain code that i
DISABLE ACTIVEX!!! (Score:2, Informative)
I don't know what the best answer should be for those who need to use activex in the meantime... I guess it's kinda lik
Re:DISABLE ACTIVEX!!! - Corporate users can't (Score:2)
Repeat after me--"Use FireFox" (Score:2)
I know I'm preaching to the choir, but maybe we need another round of "Spread the word". I keep the "Open in IE" function available for emergencies (like a root login), but by default I use a browser that is not so heavily integrated into the OS, is lighter weight and is peer reviewed.
Why aren't we ALL insisting on these features wherever possible???
What webserver software is getting commandeered? (Score:5, Insightful)
So, WHAT WEBSERVERS are being hacked into to do this? IIS? Apache 1.3? Apache 2? Windows only? Linux only? Something else? All of the above?
I don't ever use IE for anything, but I do run many websites with a variety of platforms and server software. I'd love to know what it is I'm supposed to be looking for on my servers...
Re:What webserver software is getting commandeered (Score:3, Insightful)
I think it's any webservers whose webmasters use IE. Lemme explain:
1) a dumb webmaster has his PW for his webspace stored in windows
2) dumb webmaster (who should know better) visits a site while using IE, and the site steals his password
3) script or person uses the password to login to the webspace, add in malicious code, and the cycle continues
Anyone.. (Score:2, Funny)
"...hackers have infected at least 200 sites, many of which you would not normally expect to associate with such attacks (i.e., porn and pirated-software vendors)."
I see two things...
And the bottom line is ... (Score:3, Funny)
BEATS HEAD SLOWLY AGAINST BRICK WALL.
THIS IS UNSATISFACTORY.
GOES OUT AND FINDS granite WALL.
BEATS HEAD AGAINST IT.
MUCH BETTER!
Re:linking=vouching for (Score:2, Insightful)
Re:linking=vouching for (Score:5, Informative)
More than 200 Web sites -- many of them belonging to legitimate businesses -- have been hacked and seeded with code that tries to take advantage of a unpatched security hole in Microsoft's Internet Explorer Web browser to install hostile code on Windows computers when users merely visit the sites.
Re:linking=vouching for (Score:2)
So how do these sites get hits? Are they Good sites that have just been compromised?
The most common scenario right now is a server is hacked, then e-mails and IMs are sent out with links to it. I don't know of any really popular sites that have been hacked to include this.
Just a rough guess: Adware (Score:2)
User installs $program. $program comes with $adware because someone's gotta pay, since the user doesn't really like paying for his software. Yes, he could switch to free... let's drop that idea. Requires brains.
$adware sells space on their servers (or they sell linking to pages containing ads). $adware displays $infected_site.
I can't prove it yet, so I won't post which company I consider responsible. But it's strange, every single computer I get into my hands that contains a trojan tha
Re:Just a rough guess: Adware (Score:2)
Re:Just a rough guess: Adware (Score:2)
The edges between botnetters, phishers, adwarers (is there such a word? If not, can I copyright it?) and spammers are blurring rapidly. Adware is bundled with applications. Other malware writers use them to infect computers. They sell the "foot in the door" to other malware writers. Spammers buy botnets to send out phishing mails or spreading more malware...
Re:Ugh (Score:3, Funny)
Ugh (Score:5, Funny)
Re:Ugh (Score:5, Funny)
Re:Ugh (Score:5, Funny)
If that isn't the Most Slashdottish Comment Ever.. (Score:2)
Re:Ugh (Score:2)
Jeez! (Score:2)
Re:Jeez! (Score:2)
Re:Ugh (Score:3, Funny)
Godwin explodes. Details at 11.
~W
Coming soon on slashdot (Score:2)
Next! On Slashdot!
Grammar Nazi vs. Spelling Nazi deathmatch!
Sponsored by Uwe Boll films, ltd.
Re:Ugh (Score:5, Informative)
"Website Attacks Against Unpatched IE Flaw Spike"
Actually, this would be even clearer if you put the verb before the prepositional phrase:
"Website Attacks Spike Against Unpatched IE Flaw"
It's unclear because both "spike" and "flaw" can be verbs or nouns, and the broken "unpatch" disrupts our ability to smoothly interpret the rest of the sentence thanks to turning an adjective into a present tense verb.
(I know I'm not perfect by a long shot on spelling and grammar, but it's not my job to post legibly on Slashdot.)
Re:Ugh (Score:2)
Re:Editors (Score:2)
Re:Ugh (Score:2)
from dictionary.com: http://dictionary.reference.com/search?q=flaw [reference.com]
tr. & intr.v. flawed, flawing, flaws:
To make or become defective.
Re:Ugh (Score:2)
Re:Ugh (Score:2)
Don't feel bad. I didn't even notice the mistake until the GP pointed it out and I went back to check. Then I was like "How the hell did I miss that?"
Normally I'm pretty picky about speelung/ghramhur, and don't make those kinds of mistakes myself, but I guess I've read so much
Yet another thing to add to the list of "You know you read too much
Re:Ugh (Score:2)
You mispelled "broked".
Re:Ugh (Score:2)
Re:Ugh (Score:2)
That's a result of the well known TCP/IP property of out order packet delivery and a bug in slashcode. The actual title should read "Satanist geek act: balances a wife with kit pups." The article somehow got lost; it was about a company that's offering an AIBO replacement in kit form in exchange for souls.
Re:Yep... (Score:2)
Re:This is becomming not funny (Score:3, Funny)
Re:Time to really, really sue/open up microsoft (Score:2)
Easy. Because of the EULA.
Enter Sherlock Holmes ... (Score:2)
From that one line I deduce that you've never worked at Oracle. There are still some talented people there, but much of the top talent has long since jumped ship.
Re:Enter Sherlock Holmes ... (Score:2, Insightful)
I guess I dont understand IT Pro's who arent fanatical about IT and therefore are at least aware of issues like this one - although I admit that I have failed to patch windows boxes when needed to ensure that my dev or production environments stayed stable.
I figure that if you dont patch though you dont get to whine. - Before I get flamed on that point obviously you can only patch when y
Re:a programmer for Oracle Corp (Score:3, Funny)
I doubt he talked to his boss before blabbing that one.
Re:IE Again (Score:2)
Additional prefixes (Score:2)