The First Windows 7 Zero-Day Exploit
xploraiswakco writes with the first Microsoft-confirmed Windows 7 zero-day vulnerability, with a demonstration exploit publicly available. The problem is in SMBv2 and SMBv1 and affects Windows 7 and Windows Server 2008 R2, but not Vista, XP, or Windows Server 2003. A maliciously crafted URI could hard-crash affected machines beyond any remedy besides pushing the white button. "Microsoft said it may patch the problem, but didn't spell out a timetable or commit to an out-of-cycle update before the next regularly-scheduled Patch Tuesday of December 8. Instead, the company suggested users block TCP ports 139 and 445 at the firewall." Reader xploraiswakco adds, "As important as the mentioned article is, it should also be pointed out that any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445, too."
OMG what if my computer doesnt have a white button (Score:5, Funny)
What are my options? New computer?
Re:OMG what if my computer doesnt have a white but (Score:4, Funny)
Simply use Wite-Out, or Liquid Cover-Up, doesn't matter what button, as long as it's white.
How is this zero-day? (Score:5, Insightful)
OK the exploit is almost a week old already. How is this "zero-day"? In the immortal words of Inigo Montoya: "You keep using that word. I do not think it means what you think it means."
Are you trolling? (Score:2, Informative)
The zero-day vulnerability was first reported by Canadian researcher Laurent Gaffie last Wednesday, when he revealed the bug and posted proof-of-concept attack code to the Full Disclosure security mailing list and his blog.
Quote whole sentences...
Re: (Score:2)
That still doesn't make it a zero-day. Zero-days appear in the wild on the day of release.
Re:Are you trolling? (Score:4, Insightful)
So you're saying that it can only be described as zero day on that day, and thereafter it cannot be called a zero day exploit, but a n-day exploit where n is the number of days since it was announced?
Sorry, but while you may be *lexically* correct, I think everyone with two brain cells that are on talking terms knows what is being referred to by a "zero day" exploit, even when referring to an exploit not released on that day.
Re: (Score:3, Informative)
In the context of security exploits, zero day means that the patch is unavailable from the vendor. The original term zero day was stolen from the warez scene where "Zero Day is a state of freshness" (tm). In order for a warez release to be zero day it had to hit the site before it hit the store shelves. Usually that would mean that it came from Europe, or was released by someone who worked at the company putting the game out.
Re: (Score:3, Funny)
loses it's [sic] meaning
your [sic] plain wrong
That last one might be ironic.
xx
Re:Are you trolling? (Score:5, Funny)
I tried blaming my keyboard once. It just stared back at me knowing that it had done nothing wrong and I couldn't prove otherwise. The little bastard had me in a corner and the other people in the office were staring at me.
Re: (Score:3, Funny)
Actually, the grandparent poster is correct. Zero-day means just that. What you're talking about needs a different word.
I believe the term "Windows exploit" in itself adequately covers that it was quickly and easily discovered and abused.
Bonus points for stating that anyone who thinks differently from you must be stupid.
Damn Mac users eh?
Re:Are you trolling? (Score:5, Informative)
I always thought that zero-day referred to the time between when an exploit was being used in the wild and the amount of time admins/end users had to patch their systems.
An exploit floating about in the wild for which no patch has been made available is a zero day because I have had zero days to patch my systems before the potential for easy exploitation.
Re: (Score:2)
Re: (Score:2)
The point of "zero-day" is that you have zero days to patch your system before exploits appear. For example, if the exploit was found by researching an existing exploit.
If a security researcher found it, and it's not actually being exploited (yet), then it's not zero-day.
It's not a difficult term, I'm not sure what the problem is here.
Re: (Score:3, Informative)
Re: (Score:2, Interesting)
Re:How is this zero-day? (Score:5, Insightful)
Nope! It's the number of days between the release date and today.
I find little use in a definition that depends on today's date. Especially because I can read articles from Saturday and they will call it 3-day, which gives me no information.
A zero-day exploit is one that is created before a fix is available. It is more severe than others because no version of the target software is safe, even if it is constantly updated. Any security expert knows the implications of this, and how to take it into account when assessing the risks.
Re: (Score:2, Informative)
We're talking about exploits in the wild. If the developers or security researchers discover the bug and patch it before any malicious third party does, there you go. This is very frequently the case, which is why you see so many stories about exploits being crafted by reverse-engineering vendor patches.
If you're going to be a little sarcastic douchebag, at least be right about something.
Re: (Score:2)
PS how, exactly, would a malicious third party patch a bug? If you can't tell me for security reasons it's OK, I trust you. You're a security professional!
Is this part of the trolling or are you also trying to be a grammar nazi here? I assume he meant.... "If the developers or security researchers discover the bug and patch it before any malicious third party discovers it [and exploits it]"
Re:How is this zero-day? (Score:4, Informative)
You're just being idiotic now.
Here's an easy, plain vanilla example for you to understand:
Firefox releases Firefox 4.0. In the patchnotes they say "- Found and fixed a bug allowing a website to catch your computer on fire.".
Some anxious teenager reads that and says "Holy shit! I bet a lot of people haven't upgraded yet. I'm off to craft up an exploit . . .". A week later he has it ready.
Millions of computers smolder in ruin. Most importantly though, the fix was available BEFORE the exploit was, and therefore it was not 0-day. End of story.
Re: (Score:2, Informative)
Simple: malware writer downloads the patch for $SOFTWARE, reverse-engineers it, understands the bug and creates the malware. If he is fast, there are still enough vulnerable machines around that it is worth it, and it is much cheaper than finding the bug, which generally involves having an illegal peek at the code or very good intuition.
And BTW your repeated references to the movie are not making you look like a geek, more like a wannabe that does not know the first thing.
Re: (Score:3, Funny)
Re: (Score:2)
Replying to undo an accidental moderation that didn't deserve it.
Agreed that "zero day" has almost no meaning these days. Pretty bizarre when companies actually brag about their "zero day exploits" and promise a fix... several days from now?
That's setting a dangerous precedent. (Score:2, Funny)
The very idea of undoing your own powerful moderation use -- even if (especially if) you used it mistakenly is very un-slashdot of you. You're supposed to stay completely anonymous in your abusive mistake, and use those points to call all opinions you don't agree with either redundant or flamebait. Didn't you read the destructions the first time you got mod points?
Re: (Score:2, Insightful)
A zero day exploit is an exploit that exists before the developers of the application are aware of the bug/flaw being exploited. It does not seem unreasonable to keep referring to it as a zero day exploit even after the details of the bug and exploit have been published; how else would you refer to it, e.g. "the exploit formerly known as zero day"?
Re:How is this zero-day? (Score:4, Funny)
Exactly.
It's not as though Windows exploits are a scarce event. There'll be plenty more where that came from, so you can be semantically correct next time.
Re: (Score:3, Funny)
So, we'll see you next Tuesday? ;)
Re: (Score:2)
Well give it some time. They said the same about 95, 98, NT, 2000, XP and Vista... 7 isn't widely used out there just yet.
Re: (Score:2)
Point of fact, for quite some time they were saying that Windows ME was better than Windows 98 Second Edition (in fact right up until XP was due to be released) and Windows Vista was better than XP (right up until Windows 7 was due to be released). Here's betting that, in the not too distant future (a couple of years or so), they say Windows 7 is crap and you really need to upgrade to Windows 'whatever' for more reliability, stability and security ;D.
Re: (Score:2)
Who was claiming Vista superior to XP? I bet you'll find "they" had a vested interest in selling the latest and greatest. Microsoft wouldn't have needed to publish the 'Mojave' ads if there wasn't a widespread belief that Vista sucked. And as for Windows ME, I've been using windows since 3.1 was new and exciting, so I know better. Don't try to push some revisionist belief that anybody but Microsoft and their fanboys liked windows ME.
Re: (Score:3, Informative)
Why are ports 139 and 445 still open? (Score:5, Interesting)
I remember once trying to see what it takes to make Windows not have any ports open and it resulted in severely reduced access to just about anything that wasn't local. Why is it that these ports are necessary? Why is NETBIOS necessary?
Re:Why are ports 139 and 445 still open? (Score:5, Informative)
Even weirder - on a machine which isn't on a domain, but which has a software firewall, you can open *every* port to a destination machine (e.g. a fileserver) and it *will* access the SMB shares of that fileserver (\\ipaddress\c$ etc.) but takes forever the first time because the broadcasts have been blocked by the firewall. So it doesn't need the broadcasts, or to be on that domain, or to do anything that isn't direct IP with the target machine - but it still takes forever to realise that and just start listing files.
And once you've done it once, that file sharing will run at full speed for the rest of the day. I'm imagining some sort of name resolution etc. issue (but the PC in question can actually use the same machine for DNS and still have the problem) but if it's not *required* to connect to the machine, why does it try anyway and hold everything up? And the firewall only ever reports NetBIOS traffic while that's happening.
Re: (Score:3, Interesting)
I don't have your problem, and never have had. When I have DNS working and windows set to go to DNS for netbios name resolution, then everything works OK. What I *do* have now is that GNOME VFS will refuse to connect to a server on the first attempt (and fails quickly) but works immediately on the second. I wonder if that's related somehow.
Win 7 Firewall (Score:4, Informative)
Re: (Score:2)
Overall I am actually quite impressed (gasp! shoot me now).
I think you're in good company. I just recently saw a poll on a site I visit with about 3600 votes on what OS they were running:
Win 7: 47%
XP: 23%
Vista: 11%
Mac: 10%
Linux: 8%
Yeah I know not exactly representative... but at least among Windows users I'd say early adopters, and clearly Windows 7 is a hit. It's completely killed Vista, and even those coming from XP seem happy. I think you can push the "Year of the Linux desktop" back another few years, I'm happy on Linux but any window Vista gave it has closed.
You need to block *outgoing* ports (Score:5, Informative)
The article and summary are not clear, but you need to block *outgoing* ports 139 and 445 at the firewall to help protect against this issue. The vulnerability is triggered by the system attempting to make an SMB connection to a malicious server. This can happen in a number of ways, such as viewing a web page in IE or viewing an email message in Outlook or Outlook Express.
If your firewall blocks outgoing 139 and 445, then the SMB connection attempt fails.
Re: (Score:2)
Does this mean that you can't browse to network shares?
Ball kicking time (Score:5, Insightful)
Don't they do code reviews at Microsoft? Loops 101: prove that the loop terminates under all conditions, even and especially when passed garbage.
Seriously, that's the difference between a hacker and a software engineer right there. If you don't take the time to fix it early, you'll just have to fix it later.
Re: (Score:2, Interesting)
People make mistakes. Perhaps the coders of the loop thought that input protection located in code elsewhere would prevent this from ever being a problem. Maybe the person who was supposed to write the input protection piece forgot to do it because of a miscommunication. (one of the downsides of working on a project where the job is split between thousands of developers)
Given that Windows has more lines of code than just about any other software in existence, it's actually fairly impressive how well it h
Re:Ball kicking time (Score:4, Interesting)
Why is that?
Does an OS really need to be so complicated? ReactOS, for example, provides a significant proportion of the functionality of Windows in a fraction of the size.
Surely fewer lines of code mean a smaller attack surface for exploits and vulnerabilities.
Re: (Score:2, Funny)
Re: (Score:2)
Maybe it needs to be this complex, maybe it doesn't. Fact is, the majority of the desktop apps in the world are still run using a variant of windows, and for the moment it does not look like that fact is going to ever change.
Microsoft cannot remove much code and maintain compatibility with legacy apps.
Well, they COULD, but using emulation....
Re: (Score:2)
You don't need ReactOS to prove your point - the difference between Vista and XP is enough. The number of background applications run as services exploded in Vista... and as a nice side effect, it's nearly impossible, even with Process Explorer, to see what is slowing down your machine.
Usually it's disk I/O from background processes like antivirus, Windows Update (anything MSI related seems to totally hog the system), or file indexing. But lots of the time it's just one of 10 services.exe or svchost.exe ent
Re: (Score:2)
Given that Windows has more lines of code than just about any other software in existence
Why is that?
Does an OS really need to be so complicated? ReactOS, for example, provides a significant proportion of the functionality of Windows in a fraction of the size.
Surely fewer lines of code mean a smaller attack surface for exploits and vulnerabilities.
given that Linus thinks Linux has gotten bloated, this is indicative of a natural decay that is incumbent on modern desktop OSes. Not that it is necessary, but due to the scope and size of modern desktop OSes, it is a natural side-effect that, once one is aware of it, can be combated in OSes that are run by dedicated volunteers, but unlikely in any commercial OSes. I agree that given the development environment Windows holds up well. It's just the wrong development environment.
Long live FOSS, the right developme
Re: (Score:2)
That's never going to happen. Both are open source projects, they share code so will always be at or near parity.
Re: (Score:2)
assert() for that on entry to the function and it becomes immediately clear when your assumptions about elsewhere were lacking
Re: (Score:3, Interesting)
assert() for that on entry to the function and it becomes immediately clear when your assumptions about elsewhere were lacking
It will assert on entry of course, but only in a debug build, and only when the proper input conditions are met. In the putative scenario of a loop coder thinking he was protected by input protection located somewhere else, the assert would only fire if the right test case was constructed. For all we know there is an assert in the code, but it won't help us in a release build.
Re: (Score:3, Interesting)
The C99 specification says that defining an NDEBUG symbol can be used to prevent compiling the assert() into the program. That means it is not a debug option, and should normally be present even in release code unless specifically disabled. Far far better for the program to fail
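The two threads above (the "Loops 101" demand that a loop terminate even when handed garbage, and the assert()/NDEBUG exchange) come together in this added example. It is not code from the thread and not Microsoft's SMB code; it parses a constructed length-prefixed record format invented for the demo (not the SMB wire format). The untrusted-input checks are plain if-statements, so they survive a -DNDEBUG release build; assert() is kept only for an internal invariant, and asserts_enabled() reports whether the build compiled it in.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record format for the demo (not SMB): a stream of records,
 * each starting with a 1-byte length that counts the length byte itself
 * plus the payload. A well-formed record therefore has length >= 1. */

/* Reports whether assert() is compiled in for this build. Defining NDEBUG
 * (e.g. -DNDEBUG, typical for release builds) turns assert() into a no-op. */
int asserts_enabled(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

/* Counts records in buf[0..n). Returns the count, or -1 if the input is
 * malformed. Input validation uses plain if-statements, so it survives
 * NDEBUG; assert() is reserved for an internal invariant that untrusted
 * input cannot violate once the checks above it have passed. */
int count_records(const uint8_t *buf, size_t n)
{
    size_t off = 0;
    int count = 0;

    while (off < n) {
        size_t len = buf[off];

        /* A zero length would leave 'off' unchanged and the loop would
         * never make progress. Reject it at runtime, not only in debug. */
        if (len == 0)
            return -1;

        /* A length larger than the bytes remaining is a truncated record;
         * advancing past n would read out of bounds, so reject it too. */
        if (len > n - off)
            return -1;

        off += len;
        count++;

        /* Internal invariant: given the two checks above, off can never
         * overshoot n. assert() documents this in debug builds only. */
        assert(off <= n);
    }
    return count;
}

int main(void)
{
    /* Constructed inputs: one well-formed stream, two malformed ones. */
    const uint8_t good[]      = { 3, 'a', 'b', 2, 'c', 1 };
    const uint8_t zero_len[]  = { 2, 'x', 0, 'y' };
    const uint8_t truncated[] = { 5, 'a' };

    printf("asserts enabled: %d\n", asserts_enabled());
    printf("good:      %d records\n", count_records(good, sizeof good));
    printf("zero_len:  %d\n", count_records(zero_len, sizeof zero_len));
    printf("truncated: %d\n", count_records(truncated, sizeof truncated));
    return 0;
}
```

Build it twice, once with `cc demo.c` and once with `cc -DNDEBUG demo.c`: asserts_enabled() flips from 1 to 0, but the zero-length and truncated inputs are rejected with -1 in both builds, because the progress and bounds checks are ordinary control flow rather than assertions.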
Re: (Score:2)
Re: (Score:3)
People make mistakes. A company that has produced some of the richest people in the world and has extracted billions of dollars from the world's economy should have some processes in place to ensure that bugs found years ago do not creep back in. It's called regression testing.
Re:Ball kicking time (Score:4, Informative)
Seriously, that's the difference between a hacker and a software engineer right there. If you don't take the time to fix it early, you'll just have to fix it later.
The Microsoft approach is to collect the money and get their customers to agree that everything that goes wrong is their fault. It's at least as good protection for them as writing decent code and many times cheaper.
That will be some code review (Score:3, Interesting)
Re: (Score:2)
Every OS in existence has received patches. OS X, Windows, Linux, Unix, BSD (even OpenBSD). Ubuntu Linux 9.10 has been out less than a month and I've already received 90-odd patches and it still has a critical ext4 file corruption bug.
I expect that even if MS rigorously tested the code (and I expect they did), used code coverage tools to ensure good quali
Allow me to introduce you to Mr. Turing... (Score:2)
Loops 101: prove that the loop terminates under all conditions
That one's gonna prove to be just a little difficult [wikipedia.org].
Re: (Score:3, Informative)
Don't they do code reviews at Microsoft?
Yes they do.
Loops 101: prove that the loop terminates under all conditions, even and especially when passed garbage.
"Terminates under all conditions" is a little difficult to prove in any non-trivial situation.
Seriously, that's the difference between a hacker and a software engineer right there.
The former bitches and moans on Slashdot, and Microsoft hires the latter?
If you don't take the time to fix it early, you'll just have to fix it later.
Maybe you should send Micr
Re: (Score:2)
That reminds me of my favorite Java n00b null check (I've seen this in the wild):
if (myObject.equals(null)) ....
Not much of an exploit.. (Score:3, Funny)
No remote code execution? Boring. Let's see if some people out there could weaponize it and throw it into a metasploit module. Then it's interesting.
Re: (Score:2)
My concern is that if an exploit causes a crash, eventually someone can find a way to make the exploit run on injected code. It is likely only a matter of time before someone does this.
It is my understanding that because any such method would immediately turn a whole load of DoS attacks into arbitrary code execution, all OSes take great care to prevent that (well, apart from Linux where ASLR is broken and wine prevents high address space protection). I mean it is possible that an exploit will be found, but such an exploit is going to be tricky to develop (something akin to the null certificate, rather than just a Windows exploit of the week attack), so don't let it keep you up at night
Well researched article, that... (Score:4, Funny)
From the article:
"Instead, the company suggested users block TCP ports 139 and 445 at the firewall. Doing so, however, would disable browsers as well as a host of critical services, including network file-sharing and IT group policies."
Good to know that blocking ports 139 and 445 will block browsers, we wouldn't want people actually doing that, after all!
Re:Well researched article, that... (Score:5, Informative)
The author probably confused the browser service - which is for lan filesharing - with a webbrowser. Not that that confusion gives me much faith in the rest of the article; what other "details" are equally mangled?
Secured by Default (Score:5, Interesting)
Public networks have all inbound ports blocked by default. Changing a network type to anything other than public requires admin rights, so this would have to be an internal DoS attack realistically.
Re: (Score:2)
Yeah, I was wondering which firewall was being referred to: at the network level, or at the machine (i.e. Windows firewall) level? Would doing it at the machine level make it hard for others to access shared folders? It seems these days that most of the computer issues (viruses, trojans, etc) have come from other machines on the corporate network, so a network level firewall is only half the story.
Re: (Score:2)
Even for Home or Work / Domain profile, the default for "Network discovery" may be on, but "File and printer sharing" is off.
(I could be wrong because it could be my company's group policy turned it off...someone could cross check)
Re: (Score:2)
so this would have to be an internal DoS attack realistically.
Just the thing you need if you don't like your IT staff and they've just rolled out a Windows Server 2008 box...
Re: (Score:2)
Not inbound, but *outbound* (Score:2)
See my comment above:
http://it.slashdot.org/comments.pl?sid=1444692&cid=30114230 [slashdot.org]
pushing the white button?? what does that mean? (Score:5, Insightful)
I checked all the Windows machines here. None of them have a white button on them anywhere. What does this mean? Does the poster just mean powering the machine off and then on again?
Too many times on Slashdot, when people should be informative, they obfuscate the information in failed attempts at being clever.
Re: (Score:2)
Re: (Score:2)
No - no white button in Win 7, and even if there were, if the machine has locked-up a UI component wouldn't do much good.
GP is correct, the submitter is trying to be clever.
Re: (Score:2, Funny)
Re:pushing the white button?? what does that mean? (Score:5, Funny)
#3043-001 USB White Button Kit........34.99 + Shipping
Ideal for computers not shipped by the manufacturer with a White Button pre-installed.
A White Button is essential for all Windows Users. Upon a system failure, Denial of Service attack or crash, pressing the White Button releases a scientifically-formulated, airborne scent of soothing essential oil fragrances, including: Verbena, Sweet Orange, Roman Camomile and Ylang Ylang.
At the same time, one of a number of pre-programmed actions is triggered while you listen to a random selection of 10 relaxing 'mood music' tracks.
Basic actions include:
1) Reboot
2) Call my IT Support department
3) Call the manufacturer's support department and cancel my evening dinner arrangements
4) Reinstall current OS
5) Reinstall current OS after backing up all user data
6) Wipe and install CentOS
7) Wipe and install Ubuntu
8) Order me a Mac
9) Order me a Big Mac, fries and a Coke
Secondary actions can also be triggered from:
A) Call Microsoft HQ every 'x' minutes and shout 'Fuck it' down the line.
B) Post my CV to Linux-only job sites
C) Rub my shoulders (Requires optional add-on #RS01)
D) Dial local suicide help line
A deluxe version of this item is available (#3043-002, 139.99 + Shipping). This model includes an external 10" LCD panel that can display random pages from a number of Web sites (slashdot.org, fark.com, silicon.com, cloudappreciationsociety.org and todaysbigfail.com)
Extras and consumables:
* #3043-S01 Replacement aromatherapy scent cartridge - pack of 12
* #3043-S02 Replacement mustard gas scent cartridge sold singly, no returns
* #3043-M01 Extended play music ROM - an extra 4 hours of music (for Dell Support customers)
* #3043-P01 Enlarged White Button with face of Steve Ballmer on top. Comes complete with real wood mini hammer and elastic band-powered mini crossbow with safe-tip(TM) arrows (pack of 12 buttons)
Terrifyingly potent (Score:5, Funny)
A maliciously crafted URI could hard-crash affected machines beyond any remedy
Oh no! A PC-killer!
besides pushing the white button
A reboot? Well, it's an unorthodox and extreme solution to a machine crashing, we'll have a hard time convincing Windows users to do that.
Re: (Score:2)
The point is that it requires a hard reboot; the machine becomes unresponsive and doesn't throw a BSOD so you can't restart it with a three finger salute.
Re: (Score:2)
Any bets on whether the reset button will wear out before the 'D' key?
I have to ask (Score:3, Interesting)
In my ignorance, I have to ask: What's so special about 139 and 445? What do they do normally, and why would blocking them help? No, I didn't RTFA. I'm too tired for this :P
Re:I have to ask (Score:5, Informative)
139 is NETBIOS, 445 is SMB.
139 is used for discovery and browsing of network shares (Primarily on legacy machines), 445 is the "current" port for accessing network shares.
Answer (Score:5, Informative)
What's so special about 139 and 445? What do they do normally, and why would blocking them help?
Here's a list of assigned port numbers: https://www.arin.net/knowledge/rfc/rfc1700.txt [arin.net]
Re: (Score:3, Informative)
These ports are always closed; if they aren't, your system is already infected.
My computer doesn't have a white button (Score:3, Funny)
... they're all black ... you insensitive clod.
Re: (Score:3, Funny)
I call it Computing with Thrills (TM) ;)
Re: (Score:2)
Re: (Score:2, Informative)
"Pay packet?" (Score:4, Funny)
Mine turned out to be maliciously crafted.
Firewall wont help. (Score:3, Informative)
Since the exploit is possible without any user interaction, all it takes to bring down a corporate network is one single machine running the xploit locally. A simple broadcast and every machine running w2kr2 or Vista7 will be dead until someone pulls the plug.
I'm also very surprised that Microsoft didn't audit the code properly after the last hole. You would think that the former xploit would ring a couple of bells since it was big enough for a truck to run through. I'm beginning to suspect all the talk about SDL, reviews and stuff is nothing but PR.
Zero day (Score:3, Interesting)
Erm... no. Not quite. (Score:5, Insightful)
"As important as the mentioned article is, it should also be pointed out that any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445, too."
I respectfully disagree.
Any IT staff worth their pay packet should have EVERYTHING blocked at the firewall, then open holes for things that you can be certain you need. Ideally, those holes don't go direct to systems on the company LAN but instead to a DMZ.
Re: (Score:2)
The article left out the word "outbound". If you block everything (outbound) at the firewall, you are going to have some unhappy staff.
Re: (Score:2)
Wait, if you're blocking everything inbound, and now we need to block everything outbound....
I will sell you my new "loose wire" protection system, it stops ALL remote exploits and costs just $11.99 a month (per seat) to implement!
Yes, any admin... (Score:2)
...but what about home users?
This reminds me of the days of "winnuke" and blue screening IRC users back in the dialup days. Port 139 is probably already blocked at the firewall on even most of the most trivial configurations. But attack vectors aren't always direct. At times attacks are relayed through a malware infected machine giving a remote attacker local, "behind the router/firewall" access to all the other machines on the network.
Re:Yes, any admin... (Score:4, Funny)
...but what about home users?
What, you don't have an IT staff at home?
Sorry guys (Score:2)
This was my idea.
I'm used to it (Score:2, Interesting)
This god damned Windows sharing code has been bugging us for years! I've been a net admin for 10 years at a university with over 25K connected computers, and as long as I can remember, ports 445, 139 and 137 have always been the target!
How bad can code be??????
IT staff? (Score:4, Insightful)
Reader xploraiswakco adds, "As important as the mentioned article is, it should also be pointed out that any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445, too."
The reader xploraiswakco needs to pull his head out of that dark place and realize that my wife doesn't have an IT staff (I refuse to do Windows). I would even dare to say that most people don't have an IT staff at home. It's a stretch, I know, but I'm the kind of guy that takes chances like that.
Does reader xploraiswakco carry an IT staff with him in case he needs to use a wifi hotspot some place?
Re: (Score:3, Insightful)
Ok, pisshead .
Windows 7 is firewalled...out of the box even. Unless of course, she wants to USE the functionality that was advertised.
Now, explain to us why me not taking the time to learn an operating system that wasn't fit for the trash bin 10 years ago makes me an "inconsiderate dick"? Why should I spend one more minute on the products of a company that has done nothing but hold back the advancement of personal computing when I have a perfectly good product that cost me nothing and gives me the power t
Yet again ... (Score:3, Informative)
From NT, XP, Vista, Windows 7 ...
When are they going to learn that EVERY port from 0 - 65535 should be disabled by default, and only enabled if the user chooses ?
Does this affect Samba (Score:3, Interesting)
and the Linux Kernel SMB support? If it does, we've got a major problem as they now have a method of taking a whole batch of sites down.
Re: (Score:2)
So just block them at the firewall going to the internet, instead of in the core office switch.
Re:buttons (Score:5, Funny)
Re: (Score:2)
And the everyday user is smarter than that. I mean that is why we don't need resident virus scanners. Users are smart enough not to click anything sent to them.
Of course you could send them a page that simply runs a little JavaScript hitting as many IPs as possible behind the scenes, or even a downloaded exe that scans the network to find good targets for attack.
Users will run anything.
Re: (Score:2)
You've got the concept right, but you don't need to click on a malicious link in your browser. Simply visiting a malicious/compromised site in IE is enough. Or viewing a malicious email.