
Microsoft Warns of New Video ActiveX Vulnerability

Soulskill posted more than 5 years ago | from the like-one-of-those-pothole-signs dept.

Security 146

ucanlookitup writes "Microsoft has warned of a 'privately reported' vulnerability affecting IE users on XP or Windows Server 2003. The vulnerability allows remote users to execute arbitrary code with the same privileges as the users. The vulnerability is triggered when users visit a web site with malicious code. 'Security experts say criminals have been attacking the vulnerability for nearly a week. Thousands of sites have been hacked to serve up malicious software that exploits the vulnerability.' The advisory can be found at TechNet. Until Microsoft develops a patch, a workaround is available."

146 comments

Isolate! (3, Interesting)

sopssa (1498795) | more than 5 years ago | (#28607013)

Once again the problem here is too tight integration with other parts of the OS. Yeah, IE is the most used browser and as such a major target for exploits, but some separation from other parts of OS wouldn't do any harm. Or at least make it optional to use such; you won't be automatically affected by Flash or PDF exploits if you chose not to install those. Just another reason to use alternate browsers like Opera [opera.com] or Firefox [mozilla.com], seeing it only affects IE users.

That being said, you don't need admin privileges for some malware to do its job, botnets and such easily run within user privileges as well. Funnily, this issue is exactly the same in Linux and Mac OS too, which their users always seem to forget and go about how malware couldn't get the admin rights. They don't need it.

The fun thing is, there always seem to come exploits for IE and Firefox. Very rarely for Opera. That makes me think they've made some good fundamental decisions on design and programming and know how to secure code from exploits, specially because they have major marketshare (better than IE actually) in CIS countries like Russia and Ukraine [opera.com] and you would be thinking the local hackers would be trying to break it apart and exploit every possible thing on it. Hats off to them, really.

With these ages, isolating browser from the OS and even virtualizing it in its own environment that's cleaned when browser is closed starts to be a must, and I don't really see why they aren't doing it already. It would save people from so much trouble, and wouldn't affect performance at all.

Re:Isolate! (5, Interesting)

Anonymous Coward | more than 5 years ago | (#28607181)

Internet Explorer 7.0 and 8.0 already do this in Vista. By default it runs in a double sandbox where even if the current user has admin privileges the process runs as a standard user that is further constrained to only be able to read certain parts of the file system but not write. Anything beyond that requires negotiation via a specific broker process just to attain a level of security equal to that of a standard constrained user.

These types of vulnerabilities affect all browsers. ActiveX in Internet Explorer in this case is really no different than NSAPI in Firefox or Opera. It is simply an object model for loading native plug-ins into the process. That plug-in runs in-process with the same rights and privileges as the hosting process. If there is a vulnerability in a PDF plug-in on Linux then it can be exploited through Firefox and there is nothing Firefox or Opera can do to prevent it and it would likely affect all browsers equally.

I agree that the answer appears to be to isolate and constrain. That is what Microsoft has done and Google is following suit. That is why this vulnerability does not affect Vista or Windows Server 2008, or rather an exploit for the vulnerability is neutered by the fact that once it has broken in it cannot do anything malicious.

Re:Isolate! (1)

ITJC68 (1370229) | more than 5 years ago | (#28607987)

Another good reason to consider moving to Vista. Everyone slams it but at least this exploit doesn't work on it. I am not sure about Opera. Does it handle Active X differently? If so may have to try it on any XP systems I have.

Re:Isolate! HA! (-1, Troll)

awpoopy (1054584) | more than 5 years ago | (#28608495)

Another reason to not use ActiveX and NOT use an OS that allows executables to do anything with the kernel via an untrusted WEB PAGE. This is another reason NOT to use Vista.
Where are my mod points?
It seems they got lost about a month or so ago and never came back.

Re:Isolate! HA! (1)

weicco (645927) | more than 5 years ago | (#28608537)

NOT use an OS that allows executables to do anything with the kernel via an untrusted WEB PAGE

So I guess you don't use any Operating System then?

Re:Isolate! HA! (2, Funny)

VulpesFoxnik (1493687) | more than 5 years ago | (#28609811)

NOT use an OS that allows executables to do anything with the kernel via an untrusted WEB PAGE

So I guess you don't use any Operating System then?

No, He prefers to communicate using God's language, machine code.

Re:Isolate! HA! (1)

weicco (645927) | more than 5 years ago | (#28610291)

It is just that I'm not aware of any Operating System / Browser combination which does not do anything with the kernel. Just plain image download makes heck load of calls to the kernel. Well, maybe there is browser for DOS...

But I'm sorry. I'm just being a jackass and having a bit of fun here :)

Re:Isolate! HA! (3, Insightful)

plague3106 (71849) | more than 5 years ago | (#28608645)

Another reason to not use ActiveX and NOT use an OS that allows executables to do anything with the kernel via an untrusted WEB PAGE.

Um, what? This has nothing to do with the kernel.

This is another reason NOT to use Vista.

How so? Vista is secure from this, it's XP that's vulnerable.

Where are my mod points?
It seems they got lost about a month or so ago and never came back.

With posts like this, I can see why.

Re:Isolate! HA! (0)

awpoopy (1054584) | more than 5 years ago | (#28609319)

FI (You figure out the acronym)

Um, what? This has nothing to do with the kernel.

Clarification - Maybe not this one, however: Using ActiveX allows system access
Ever heard the phrase "ActiveX kernel mode"?
Some nice examples:
http://www.codeproject.com/KB/COM/ActiveXEXEWrappers.aspx [codeproject.com]
http://blogs.zdnet.com/security/?p=427 [zdnet.com]
http://secunia.com/advisories/35683/ [secunia.com]
Need anymore?
FMSFB (You figure out the acronym)

Re:Isolate! HA! (1)

hairyfeet (841228) | more than 5 years ago | (#28610069)

Not to mention that on most of the boxes I've had to work on the Vista "infection" was a much worse experience than XP with actual malware! What you really have to love with Vista is when it has a "senior moment". Anybody else experience the fun of that one? It is where the OS just stops responding for 5-15 seconds for no fricking reason whatsoever, just long enough to irritate the living hell out of you.

Besides a little common sense makes XP a fast & safe experience. Rule 1- Don't make the user think. Have everything set up automatic-AV/Antispy, autoupdates for the OS and for PDF reader (I give them Foxit) along with ABP to get rid of the ads that seem to be the biggest attack vector more and more, etc. Rule 2- If they are willing to learn (not always the case, which is why you have Rule 1) give them Noscript and set them up as a standard user. Rule 3-This is the most important- Tell them not to be a total dumbass and not to ignore what the AV says! This rule is for the morons that will actually turn off the AV to get at the pr0n, the email attachment with xxx passwords, etc.

With these simple rules I have many customers that run for years without any type of infection. Just a little common sense goes a long way, don't you know. This machine I am typing this on has the same install of Win2K I put on in 2000 to get rid of MSFT's other mistake OS, WinME(EEK!) and it has been running hooked to the net 24/7 all these years without a single bug. Why? Because it is always patched, I don't run IE, I don't surf to dodgy pr0n and warez sites, I don't allow email attachments, and I don't let dumbasses on this machine. If I have someone come over that needs to use the net I have a 733MHz SFF that with DSL Linux makes a damned good Nettop.

But blaming XP for infections is like blaming Ford because you got an STD screwing a hooker in the back seat. As a PC repairman I have found a good 90%+ of the PCs infected became that way because someone went somewhere they KNEW was dodgy, but were willing to take the risk. Can't really blame the OS if some moron downloads and runs a nasty keygen or "xxx_Lesbos_In_Heat.mpg.exe", now can we?

Re:Isolate! (1, Troll)

vertinox (846076) | more than 5 years ago | (#28608045)

These types of vulnerabilities affect all browsers.

Except those which do not run on operating systems that do not have Active X?

Re:Isolate! (0)

Anonymous Coward | more than 5 years ago | (#28608241)

ActiveX is just the plug-in model. In the case of Firefox, Safari, Chrome, Konqueror, etc., the plug-in model would be NPAPI (Netscape Plugin API). But that's an implementation detail that is entirely irrelevant.

Either way, the plug-in is native code loaded into the context of the browser process. That plug-in code interprets external input such as streaming video, Flash content or a PDF. If that plug-in has a vulnerability that can be exploited through malicious content then the browser process as a whole can be exploited. Under Mac and Linux this allows malicious code to run under the security context of the current user with all of the associated privileges.

Re:Isolate! (1)

fulldecent (598482) | more than 5 years ago | (#28609173)

Mod parent down, and read grandparent quote context:

>> These types of vulnerabilities affect all browsers. ActiveX in Internet Explorer in this case is really no different than NSAPI in Firefox or Opera. It is simply an object model for loading native plug-ins into the process.

Therefore the parent's argument becomes:

>> Except those which do not run on operating systems that do not have Active X OR A NSAPI STYLE PLUG-IN LOADER?

Or more simply:

This type of exploit could only affect browsers other than lynx.

Re:Isolate! (1)

TheRaven64 (641858) | more than 5 years ago | (#28609853)

I browse using WorldWideWeb on my NeXT Cube you insensitive clod!

There is a difference - attack surface (4, Informative)

WD (96061) | more than 5 years ago | (#28608425)

It is true that ActiveX and NSAPI plug-ins are both native code and can have the same risks. But the big difference is attack surface. Code needs to very explicitly be written as an NSAPI plug-in. However, most Windows components are by default a COM object, and perhaps controllable by Internet Explorer if the developer so chooses (traditionally referred to as an ActiveX control).

So a typical Firefox installation may have a half dozen or so plugins available, and they may have vulnerabilities. But a typical IE installation has literally thousands of COM objects at its disposal (A bare Windows XP installation has over 2500 COM objects). And those objects may have vulnerabilities as well.

So play the numbers. IE's close integration with the OS means that it has a larger attack surface. While isolation and privilege separation is a good idea, the actual reason that Vista and 2008 are unaffected is *not* because of low-rights IE. IE on those platforms treats the ActiveX interaction required by the exploit as "unsafe" and is blocked. (Rather than allowing the exploit to occur but "neutering" it by giving it low rights).

Re:There is a difference - attack surface (2, Informative)

TheRealMindChild (743925) | more than 5 years ago | (#28609331)

An "ActiveX control" is a COM object with a certain group of interfaces... all COM objects are not ActiveX controls.

The vulnerability here comes from, NOT necessarily the oodles of known COM libraries on every Windows system. It isn't REALLY about the fact that you can CreateObject("COMObject.OfMyChoice") on these already known objects... it's all that wrapped together with a COM object that has a .ExecuteMyCode() type method.

Informative? More like "+1, Sounds Kinda Right." (2, Informative)

Anonymous Coward | more than 5 years ago | (#28609555)

Wrong on two counts:

1. Every ActiveX object is a COM object, but not every COM object is an ActiveX object. This is not a pedantic distinction.

2. IE is no more integrated with the OS than Webkit is in KDE: the rendering libraries are considered part of the OS, and the plugin mechanism previously discussed operates there as well.

Please know more about the technology before making unfounded assertions.

Re:There is a difference - attack surface (1)

Malc (1751) | more than 5 years ago | (#28609597)

Not all of those objects are marked safe for scripting and/or safe for initialisation (or implement IObjectSafety), and do you think they're all signed? Thus most of them will not load and run automatically. I'm not being cavalier, but it's not as bad as you're trying to paint it.

Re:There is a difference - attack surface (1)

WD (96061) | more than 5 years ago | (#28610831)

You are correct. My original post was a bit over-simplified. Out of the COM objects that come with Windows XP, about 350 of them are marked Safe for Scripting, and almost 250 of them are marked Safe for Initialization with a pretty large, but not complete amount of overlap between the two properties. That's still orders of magnitude larger than the plug-in attack surface of a browser like Firefox.

And even the objects that are not Safe for Scripting or Init cannot be discounted. Some objects cause IE to crash in an exploitable manner, triggered just by Internet Explorer checking if the control is safe or not. See:
http://www.kb.cert.org/vuls/id/959049 [cert.org] for more details. There is no analogy of this in the NSAPI world.
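
An added example, not part of WD's comment or of Microsoft's advisory: the counts quoted above (objects marked Safe for Scripting, Safe for Initialization, and their overlap) can be reproduced from a registry export, and cross-checked against the kill bits that stop IE loading a control. It assumes text produced by `reg export` of the CLSID and ActiveX Compatibility keys, already decoded to a string; the CLSIDs in the sample are constructed.

```python
import re

# Component categories a control registers to tell IE it is safe
# (the documented Windows CATIDs).
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C08C4}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C08C4}"
# Bit in "Compatibility Flags" that makes IE refuse to instantiate a CLSID.
KILL_BIT = 0x00000400

_GUID = r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"
_CATEGORY_KEY = re.compile(
    r"\\CLSID\\(" + _GUID + r")\\Implemented Categories\\(" + _GUID + r")$",
    re.I)
_COMPAT_KEY = re.compile(
    r"\\Internet Explorer\\ActiveX Compatibility\\(" + _GUID + r")$", re.I)
_FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9A-F]{8})$', re.I)


def audit(reg_text):
    """Summarise the IE-reachable COM objects found in a .reg export.

    Only registry-declared safety is visible here. Controls that declare
    safety at run time through IObjectSafety are not counted.
    """
    scripting, init, killed = set(), set(), set()
    compat_clsid = None  # CLSID of the ActiveX Compatibility key being read
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            compat_clsid = None
            key = line[1:-1]
            if key.startswith("-"):      # "[-KEY]" deletes a key: ignore it
                continue
            m = _CATEGORY_KEY.search(key)
            if m:
                clsid, catid = m.group(1).upper(), m.group(2).upper()
                if catid == CATID_SAFE_FOR_SCRIPTING:
                    scripting.add(clsid)
                elif catid == CATID_SAFE_FOR_INIT:
                    init.add(clsid)
                continue
            m = _COMPAT_KEY.search(key)
            if m:
                compat_clsid = m.group(1).upper()
            continue
        m = _FLAGS.match(line)
        if m and compat_clsid and int(m.group(1), 16) & KILL_BIT:
            killed.add(compat_clsid)
    marked = scripting | init
    return {
        "safe_for_scripting": sorted(scripting),
        "safe_for_init": sorted(init),
        "both": sorted(scripting & init),
        "kill_bitted": sorted(killed),
        # Marked safe and not blocked: what a web page can still reach.
        "still_loadable": sorted(marked - killed),
    }


# Constructed sample export; every CLSID below is made up for illustration.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C08C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C08C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000002}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C08C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000003}\Implemented Categories\{7dd95802-9882-11cf-9fa9-00aa006c08c4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000005}\Implemented Categories\{BBBBBBBB-0000-0000-0000-000000000001}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000004}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    for name, clsids in audit(SAMPLE_EXPORT).items():
        print(f"{name}: {len(clsids)}")
        for clsid in clsids:
            print("   ", clsid)
```

Files written by `reg export` are UTF-16, so decode them before passing the text to `audit`.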

Re:There is a difference - attack surface (1)

Malc (1751) | more than 5 years ago | (#28611051)

I go to a web site and it crashes my browser. I go there again and it crashes a second time. Ok, I won't go there. Probably good as the site is either compromised or actively attacking me. Probably better that my browser crashes than shows a web page that allows me to enter my credit card details as part of a purchase. /playing devil's advocate

Re:Isolate! (1)

Alex Belits (437) | more than 5 years ago | (#28610581)

ActiveX in Internet Explorer in this case is really no different than NSAPI in Firefox or Opera.

ActiveX can load remote applications. Its primary purpose is to run someone else's code on your computer.
NSAPI can not do that. It's an internal interface in a library.

Now, shut up, moron.

Re:Isolate! (3, Insightful)

lorenlal (164133) | more than 5 years ago | (#28607295)

You have to take a look at your market to distribute your virus to. Sure, Opera might have more market share in Russia and the Ukraine, but it's still tiny [wikipedia.org] overall.

By attacking IE only, you get 65%, include Firefox, and you're staring at 87% of the browsers in total use. You could target certain countries if you wanted to, but for most malware writers it's pure numbers, and it doesn't matter where they come from. I don't know if Opera is designed/written any better... but I can reasonably assume that it's not being targeted as intensely as IE/FF. I'm not taking my hat off to them until they lock down enough worldwide market share to become worthy of being targeted.

I totally agree that the browser shouldn't be so integrated with the operating system. As a rule, we all know that you don't put yourself out on the public internet... Why have a utility that's part of the OS reach out and grab stuff from there? But don't get me started on virtualization. If we want all the flash and trash we ask for, then virtualization isn't going to deliver it yet... unless you're planning on including all the funny gadgets in a virtual OS. We don't do it already because the products (that I've evaluated) don't do this sort of thing well at all yet.

Re:Isolate! (1)

sopssa (1498795) | more than 5 years ago | (#28607463)

But don't get me started on virtualization. If we want all the flash and trash we ask for, then virtualization isn't going to deliver it yet... unless you're planning on including all the funny gadgets in a virtual OS. We don't do it already because the products (that I've evaluated) don't do this sort of thing well at all yet.

However, why is this such a problem? It's not so hard to create some level of virtualization for so specific target as a simple web browser, and when done well the extra CPU usage and such is just minor. Even when you run stuff like Flash and so on it. Instead of being installed all over the OS, Flash and other plugins could be installed on that virtualized and separated space that would be cleaned and restored to original "last good known state" when browser quits. Then there would be another isolated space to save all the temp data, cookies and such which would be even more restricted and hence could be sustained thru different browser sessions too. The improvement here would be greatly better than the tradeoffs, and when you're developing programs for billions of users, you should have more time and technical knowledge to get to those results.

Re:Isolate! (2, Insightful)

lorenlal (164133) | more than 5 years ago | (#28608219)

However, why is this such a problem? It's not so hard to create some level of virtualization for so specific target as a simple web browser...

Have you spent a lot of time managing virtual applications? If so, you already know that managing the virtualized application is not trivial. Especially if you have plugins. Adding a plugin (currently) requires reworking the virtual application's package. This has been due to change for years, but I haven't witnessed this in practice yet.

Even when you run stuff like Flash and so on it. Instead of installed all over the OS, Flash and other plugins could be installed on that virtualized and separated space that would be cleaned and restored to original "last good known state" when browser quits. Then there would be another isolated space to save all the temp data, cookies and such which would be even more restricted and hence could be sustained thru different browser sessions too.

Of course, as it stands right now, we have a few browsers that support private browsing. That does prevent much of the data picked up from getting saved. I don't know what its impact is with malware, but I'd guess it doesn't hurt. Also, what you're suggesting would require a major effort on the part of browser makers. I don't think that the vast majority of users could go and add plugins manually to their virtual browser. I'm not saying that it's impossible though.

I agree with your original post that it's not necessary to have a "tightly integrated" browser. If it weren't for this integration, you could reduce the need to virtualize in the first place.

Re:Isolate! (0)

Anonymous Coward | more than 5 years ago | (#28607351)

Uh, I'm willing to bet Opera has more than a few vulnerabilities considering how often it crashes.

Re:Isolate! (0)

Anonymous Coward | more than 5 years ago | (#28607361)

The problem is that, by default, a webpage in IE can create an instance of any of the myriad ActiveX controls and COM objects present on your PC. If any one of these has a buffer overflow, you can be hacked.

The fix is simple: use the whitelist feature ("Administrator approved controls") that has been in IE forever. If you do this the vast majority of IE hacks won't affect you. Any admin who still supports IE and doesn't use whitelisting deserves a beating.

Re:Isolate! (1)

Rogerborg (306625) | more than 5 years ago | (#28607437)

Who is it that you imagine would benefit from reporting vulnerabilities in Opera?

Re:Isolate! (2, Funny)

lxs (131946) | more than 5 years ago | (#28607557)

I don't know, but I bet that the Phantom wouldn't like it.

Re:Isolate! (2, Informative)

abigsmurf (919188) | more than 5 years ago | (#28607439)

I'm getting as many virus alerts through Firefox now as I used to get through IE before I switched, most of them seem to be flash and pdf exploits but I've had a few occur that don't appear to be either. Yes you could potentially make Firefox safer with noscript etc. but frankly that makes for an incredibly sucky web experience (and you could turn off scripting, flash and activeX in IE too with similar results). The rise in Firefox targeted (or partially targeted) exploits, in my personal experience, has risen almost in direct proportion to the browser's popularity.

Re:Isolate! (1)

maxume (22995) | more than 5 years ago | (#28608761)

Flashblock will go a long way towards mitigating the flash attacks, and it generally improves the browsing experience (people way into YouTube or such may have to do a little whitelisting).

PDF is a problem, but I actually prefer setting it to launch an external app and turning off javascript mitigates most of the threats there (as does being up to date). Running Foxit or Sumatra should cut off even more attacks.

Re:Isolate! (1)

that IT girl (864406) | more than 5 years ago | (#28610805)

Depends on your browsing habits, too... I run Firefox with Adblock and NoScript, I use avast! antivirus and have Ad-Aware and Spybot on my PC.
I've never had any problems with viruses, and very, very little malware.

Re:Isolate! (1)

that IT girl (864406) | more than 5 years ago | (#28610841)

I should amend that--not malware, only spyware really. Nothing has actually damaged my system or taken sensitive information.

Re:Isolate! (1)

AceofSpades19 (1107875) | more than 5 years ago | (#28610971)

Except the exploits actually get patched in a reasonable timeframe

Re:Isolate! (3, Insightful)

Opportunist (166417) | more than 5 years ago | (#28607455)

Isolation only helps so much. Given that a lot of interesting malware targets (online banking, paypal, amazon, ebay...) are used exactly with the same browsers that would execute the malware, containing it to the browser doesn't really help a lot. You'd have to disallow the browser to make changes to itself. And, while sensible, this would not be very popular with a lot of people who want to "click and install".

Don't use the same browsers then. (1)

TheLink (130905) | more than 5 years ago | (#28609621)

You can create multiple user accounts. With Windows XP you can use Tweak UI to control what accounts show in the default XP login screen.

Then log in as your main (non-admin) user, and use browsers running as the different users for different things. For example, you have different browsers for bank stuff, shopping, normal browsing (google, slashdot etc), and less trusted browsing (which is set to be the "default browser" - what launches when you click on a link in an email etc).

Let the main user have access to the download directories of those browsers and that's pretty much it.

There's a bit of hassle since you'd have to copy files to be able to upload them to facebook/gmail etc, but that's also a feature in terms of security - only the files you want to upload get uploaded (you can delete them after that). Note: on XP if you run main user as userX, and browser as userY, if userX has a network share mounted, userY does not automatically get the same access to it. This might be considered inconvenient, but this is a good thing in terms of security.

It still won't be popular with people who want to click and install, but it's certainly safer.

You could use virtual machines, but do note that while running stuff in a virtual machine is safer in some ways, it could be more dangerous in other ways - because there have been security flaws with virtualization stuff and some of the virtualization bits would have full system privileges.

More details:
The problem you'll find is firefox is braindead, you can't run multiple instances of firefox in windows with different user accounts. So you'd have to have one firefox instance in a "subaccount", and multiple IE instances using different "subaccounts".

When I tried to get Chrome to run as a different user it just wouldn't work. So no Chrome for me.

Re:Don't use the same browsers then. (1)

mlts (1038732) | more than 5 years ago | (#28610819)

What I have done sometimes is using VirtualPC and a generic XP VM for Web browsing. VirtualPC may not have the advanced features of heavy snapshotting or clustering, but the functionality it has for storing a change log, and dumping all changes immediately when the VM closes is good enough. Add to this running the Web browser under a limited user in the VM, and this narrows down the attack surface quite a bit. Should malware get on the VM, all it will see on the VM's local network segment is the VirtualPC DHCP server and gateway.

VMs do get cumbersome. Another tool that is useful in the XP toolbox is the old dropmyrights.exe. This venerable utility is great for wrapping a Web browser and having it run as a user, or a restricted user with little access to the Registry.

Of course, there is always the Firefox version from thindownload.com which does not touch the Registry in any way, and writes all changes the app does to a directory under the user (including Registry stuff.) However, even virtualized by app software, something running in a context level can always be of some menace. Also, for enterprise environments, the version from thindownload isn't Authenticode signed, which can be very risky.

For the future of Web browsers, OS makers having functionality (IE7/8's sandbox in Vista, BSD jails, RedHat's app profiles) to allow Web browsers to run in a limited context is a good thing. Since essentially, a Web browser is an OS whose job it is to process untrusted and possibly hostile code from the second it starts up to when the user closes all sessions. However, sandboxing the browser is only one security tool and can't cover all uses. A compromised browser could be safely contained, but malware could be sitting there to grab a perfectly legit download a user gets, and tamper with it so when the user takes it out of the sandbox, it can do its dirty work. Or, when the user does a bank transaction, act as a MITM and when a user does a small transfer, change the values and destination, empty the bank account, and show the user that their transfer was successful (IBM's ZTIC is a way to help protect against this.)

The battle for desktop (and a good chunk of corporate) security has changed from the OS and IP stack front (ping of deaths, teardrops, and other IP stack attacks have long since been addressed, hardware routers are commonplace, and OS makers have made it quite easy to deny incoming packets at the IP layer with a click of a mouse button), to the Web browser, the tasks used for rendering a page, and the plugins it runs. The Web browser can be extremely secure, but all it takes is one broken plugin to be a weak link, and it can be compromised.

Funny but wrong (-1, Redundant)

FranTaylor (164577) | more than 5 years ago | (#28607481)

"Funnily, this issue is exactly the same in Linux "

Funny, but the situation is not like that at all on Linux. On Linux, the browser runs inside SELinux and has ZERO ability to get at any kinds of administrative functionality.

Re:Funny but wrong (1)

sopssa (1498795) | more than 5 years ago | (#28607567)

Did you actually even read the whole sentence or are you making a joke? :)

"Funnily, this issue is exactly the same in Linux and Mac OS too, which their users always seem to forget and go about how malware couldn't get the admin rights. They dont need it."

Also, SELinux is not something standard that comes along every kernel, and even if not via exploits, it would happen via user stupidity, which would be there when masses start using linux on desktop.

Re:Funny but wrong (0)

Anonymous Coward | more than 5 years ago | (#28608759)

Also, SELinux is not something standard that comes along every kernel,

Some people don't trust the NSA with their "security."

Re:Funny but wrong (1)

neomunk (913773) | more than 5 years ago | (#28610061)

Then those people should read the source, or ask/hire someone they DO trust to do it for them.

Re:Funny but wrong (0)

Anonymous Coward | more than 5 years ago | (#28610979)

FWIW, the NSA has nothing to gain by putting in any backdoors in SELinux. In fact, they have everything to lose should their code actually allow an attacker in via some means.

Re:Isolate! (1)

geekprime (969454) | more than 5 years ago | (#28610013)

I'm not saying that MS shouldn't have in the first place but sandboxie does exist and does a pretty good job I think.

http://www.sandboxie.com/ [sandboxie.com]
(I just use it when I have no choice but to use exploder)

Oh well. (3, Funny)

A. B3ttik (1344591) | more than 5 years ago | (#28607051)

affecting IE users on XP

Good thing none of them read Slashdot.

Re:Oh well. (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28607101)

Exactly, we all use Vista [goatse.fr] .

Re:Oh well. (1)

Omniscient Lurker (1504701) | more than 5 years ago | (#28607167)

They do at work.

Re:Oh well. (1)

n30na (1525807) | more than 5 years ago | (#28608007)

Your work's IT people aren't nice enough to install another browser? D:

Re:Oh well. (1)

CapnStank (1283176) | more than 5 years ago | (#28609257)

It's funny, I'm forced to run XP w/ IE6 at my work. The client I support runs a webpage that blocks FF or other browsers by giving the "Unsupported browser" crap when you try to load the page.

I use FF for all the work that I can do but when I need to access the client home-page I'm S.O.L.

Re:Oh well. (1)

A. B3ttik (1344591) | more than 5 years ago | (#28609367)

It's funny, I'm forced to run XP w/ IE6 at my work. The client I support runs a webpage that blocks FF or other browsers by giving the "Unsupported browser" crap when you try to load the page.

Is this client bankrupt?

Re:Oh well. (1)

n30na (1525807) | more than 5 years ago | (#28609677)

Wow. Have you tried using something to change your useragent for that page? It might be coded for IE, but still worth a shot.

Re:Oh well. (2, Informative)

that IT girl (864406) | more than 5 years ago | (#28609957)

Ugh, this is the case for--get this--our HR and payroll website.
iemployee.com
IE only.
Yes, I AM afraid.

Fixes (1)

Wowsers (1151731) | more than 5 years ago | (#28607145)

Luckily Microsoft reports there is a fix for this, Windows 7 is nearly here.

Re:Fixes (2, Informative)

dwieeb (1573153) | more than 5 years ago | (#28607177)

Yeah, but only in Europe will IE not be bundled with Windows 7.

Re:Fixes (0)

Anonymous Coward | more than 5 years ago | (#28607381)

I don't understand the "but" in your sentence. Where does this change the parent's statement?

Re:Fixes (1)

dwieeb (1573153) | more than 5 years ago | (#28607627)

He's referring to IE as the problem and Windows 7 as the fix for IE (fix being "removing of"). I was assuming he lives in the UK considering the contents of his latest submissions. The UK is in Europe. Windows 7 will not have IE bundled with it in Europe. It will be bundled in America. I live in America. Hence the "but" in my sentence. I was expressing jealousy.

Re:Fixes (1)

hmar (1203398) | more than 5 years ago | (#28608797)

yes, but this attack only affects the combination of either XP + IE or 2003 + IE, Vista and 7 are immune, regardless of browser.

Re:Fixes (0)

Anonymous Coward | more than 5 years ago | (#28607711)

And Windows Vista, which isn't vulnerable, is used by 25% of the world's population.

Re:Fixes (2, Informative)

mcgrew (92797) | more than 5 years ago | (#28608157)

here [microsoft.com] is the fix and no, it isn't "downgrading to Vista." It disables the vulnerable parts of the OS/IE.

Re:Fixes (0)

Anonymous Coward | more than 5 years ago | (#28610239)

Does anyone else think that Microsoft Fix-It thing is an interface failure?

Two big buttons that say "Fix It", but if you don't look hard enough one of them removes the fix.

This Just In: (0)

Anonymous Coward | more than 5 years ago | (#28607155)

ActiveX has a vulnerability. News at 11.

Re:This Just In: (1)

mcgrew (92797) | more than 5 years ago | (#28608247)

Active-X is a vulnerability. If you run Windows, you should disable it.

Re:This Just In: (0)

Anonymous Coward | more than 5 years ago | (#28610089)

Unless you want to do a ridiculous number of things, including Windows Update, of course.

Sarah Palin Post (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28607157)

"I think on a national level, your department of law there in the White House would look at some of the things that we've been charged with and automatically throw them out," she said.

There is no "Department of Law" at the White House.

this bitch is retarded [go.com]

Re:Sarah Palin Post (0)

Anonymous Coward | more than 5 years ago | (#28607397)

Being retarded won't preclude her becoming leader of the republican party ... just watch and see.

Re:Sarah Palin Post (0, Offtopic)

ciderVisor (1318765) | more than 5 years ago | (#28607579)

My ex-wife was 'tarded. She's a pilot now.

Re:Sarah Palin Post (0)

Anonymous Coward | more than 5 years ago | (#28608615)

I take it you were the retardent then?

Re:Sarah Palin Post (-1, Offtopic)

megamerican (1073936) | more than 5 years ago | (#28608905)

"I think on a national level, your department of law there in the White House would look at some of the things that we've been charged with and automatically throw them out," she said.

There is no "Department of Law" at the White House.

To be fair, everything must be Orwellian named so we have the Department of Justice, meaning there is none.

At least she knows how many states there are. Obama once said he had visited 57 states (google it). Obama can sound a lot like Bush when not in front of a teleprompter. Of course you wouldn't know that because the TV won't dare make a joke about him. Free and independent press, indeed.

Who cares about Sarah Palin anyway? It must be fun to degrade anyone who doesn't believe everything you do. We must be back in elementary school.

I knew it (0)

Anonymous Coward | more than 5 years ago | (#28607161)

The Italians are at it again, those sneaky bastards. When will they learn that America will mercilessly defend her Freedom against Italian savagery? Down with the Active-Italian-X-axis! Down with Communo-Islamo-Italo-Fascism and its running dogs in the USA!

better workaround (5, Funny)

DanWS6 (1248650) | more than 5 years ago | (#28607299)

Re:better workaround (2, Informative)

L4t3r4lu5 (1216702) | more than 5 years ago | (#28607703)

Supplemental: http://noscript.net/ [noscript.net] and http://www.sandboxie.com/ [sandboxie.com]

Re:better workaround (1)

Fumus (1258966) | more than 5 years ago | (#28609301)

http://www.sandboxie.com/ [sandboxie.com]

Is it really that hard to create new x64 versions of programs with such functions?
I'd love to use it, but I can't as I'm running on Vista 64. So I'm stuck to running a whole VM to act as a sandbox.

Not privately reported (3, Informative)

Anonymous Coward | more than 5 years ago | (#28607359)

Securityfocus [securityfocus.com] has more details, including the secret identity of the 'private reporter'

Re:Not privately reported (2, Interesting)

Otto (17870) | more than 5 years ago | (#28610649)

And exploit code: http://downloads.securityfocus.com/vulnerabilities/exploits/35558.rb [securityfocus.com]

Basically, it's exploiting a buffer overflow in the MSVidCtl ActiveX control. It has it load a malformed GIF which causes a buffer overflow somewhere, which then loads in shellcode.

Not much to it, really. You could make this into a static exploit if you so desired and pop it on any webpage you liked.

Workaround? That's a fix! (1)

Opportunist (166417) | more than 5 years ago | (#28607369)

Considering how much of a security problem ActiveX is, I consider the workaround (i.e. disabling ActiveX) a very good final fix for the problem.

Re:Workaround? That's a fix! (1)

stevied (169) | more than 5 years ago | (#28608563)

I'm pretty sure MS's workaround here only prevents that one ActiveX control being instantiated.

Arguably, the Netscape / Mozilla plug-in API is just as vulnerable, though at least there the user has to do something to install it. It briefly looked like MS were going to be forced to do the same thing due to a patent issue, but sadly that didn't happen:

http://blogs.msdn.com/ie/archive/2007/11/08/ie-automatic-component-activation-changes-to-ie-activex-update.aspx
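The per-control block stevied describes corresponds to IE's "kill bit": the value 0x00000400 in the `Compatibility Flags` DWORD under the `ActiveX Compatibility` key for that control's CLSID. As an added example (not from the thread or from Microsoft's advisory), this Python audit checks a `reg export` dump for the kill bit on a list of CLSIDs; the CLSIDs and flag values in the sample are constructed placeholders, and the real CLSIDs must come from the advisory.

```python
import re

# Kill bit inside the "Compatibility Flags" DWORD; IE will not instantiate a control that has it set.
KILL_BIT = 0x00000400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample in `reg export` text form (real exports are UTF-16; decode before parsing).
# The CLSIDs below are placeholders, not the CLSIDs of the affected control.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000420
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]\s*$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<val>[0-9a-fA-F]{1,8})\s*$', re.I)
CLSID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")


def parse_compat_flags(export_text):
    """Return {CLSID (upper-case): flags int} for every ActiveX Compatibility subkey."""
    flags = {}
    current = None
    for line in export_text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            parent, _, leaf = m.group("key").rpartition("\\")
            if parent.lower() == COMPAT_KEY.lower() and CLSID_RE.match(leaf):
                current = leaf.upper()
                flags.setdefault(current, 0)  # subkey present, value may be absent
            else:
                current = None  # ignore values that belong to unrelated keys
            continue
        m = FLAGS_RE.match(line)
        if m and current:
            flags[current] = int(m.group("val"), 16)
    return flags


def audit_kill_bits(export_text, required_clsids):
    """Map each required CLSID to 'killed', 'flag-not-set' or 'missing'."""
    flags = parse_compat_flags(export_text)
    report = {}
    for clsid in required_clsids:
        value = flags.get(clsid.upper())
        if value is None:
            report[clsid] = "missing"
        elif value & KILL_BIT:  # other flag bits may be set alongside the kill bit
            report[clsid] = "killed"
        else:
            report[clsid] = "flag-not-set"
    return report
```

A host where any required CLSID reports "missing" or "flag-not-set" has not received the workaround for that control.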

But... (2, Funny)

goobermaster (1263770) | more than 5 years ago | (#28607593)

But BonziBuddy told me that ActiveX was working perfectly! How can a purple monkey that helps me to remember all my credit card numbers lie???

Hi, I'm a mac (2, Funny)

Em Emalb (452530) | more than 5 years ago | (#28607611)

I have nothing further to say, I just wanna stand here in my black turtle-neck with my cup of coffee looking smug. /typed on my MBP, so simma-down now fan boys... ;-P

Seriously, this exploit sucks. I've gotta patch a butt-load of computers today now. Thanks a lot MS. Anyone know if the MSI file has a silent install option? Or can it be done via GPO?

I just walked in, this smacked me right in the face this am. Damnit.

Re:Hi, I'm a mac (1)

hmar (1203398) | more than 5 years ago | (#28608873)

I thought that the whole point of a .msi was that it could be rolled through GPO. Well, I'll know for sure by tomorrow morning.

Re:Hi, I'm a mac (2, Informative)

Em Emalb (452530) | more than 5 years ago | (#28609225)

It can. Made the change to our GPOs, and it's rolling out now. Having an issue with terminal server users, the installer is trying to install for every user that accesses the box (as intended, I guess) but none of our users have admin rights so it's bombing out....that's a simple fix though, just exclude any terminal server you might have and patch it manually.

So, to answer my own question, yeah, it's easy to script it.

Simplest workaround (0)

Anonymous Coward | more than 5 years ago | (#28607689)

Dump Windows, install any Linux distribution you like... Look Ma! No more Active-X!

Re:Simplest workaround (1, Funny)

Anonymous Coward | more than 5 years ago | (#28608191)

thousand grateful thanks son! hey, why tax website is not loading anymore?

Hey now, at least they jump on the ball. (1)

BlueKitties (1541613) | more than 5 years ago | (#28607709)

Mac might not have as many problems, but they're a lot slower to muck around to fixing their holes. Not that I'm trying to start a war, just that I think you all ought to be less harsh.

couldn't microsoft (4, Funny)

circletimessquare (444983) | more than 5 years ago | (#28607871)

just warn us when they have found no exploits at all?

meanwhile, we would just assume the default status is that everything is exploitable

it would cut down on the announcements by an order of magnitude

Re:couldn't microsoft (2, Insightful)

VGPowerlord (621254) | more than 5 years ago | (#28607991)

couldn't microsoft just warn us when they have found no exploits at all?

In theory, they already do this on the second Tuesday of every month.

However... has there ever been a Microsoft patch Tuesday that hasn't had any patches? I'm going to tentatively say "No"...

Re:couldn't microsoft (1)

MadKeithV (102058) | more than 5 years ago | (#28608933)

However... has there ever been a Microsoft patch Tuesday that hasn't had any patches? I'm going to tentatively say "No"...

And even if it happened, wouldn't the safe assumption be that the patch system had a bug or was exploited?

Re:couldn't microsoft (1)

that IT girl (864406) | more than 5 years ago | (#28609623)

This is modded "funny"... it should probably be "insightful" or "informative".
Pity there's no +1 Amen, Brotha.

something else to be wary of (1)

jollyreaper (513215) | more than 5 years ago | (#28607897)

Media Player will try to download codecs for certain wmv files. I stick with VLC and never use wmv's. But someone I know used the wmv and downloaded the codec and got a rootkit instead. I'd not previously heard of this method of attack but it doesn't surprise me a jot.

Re:something else to be wary of (1)

Gadget_Guy (627405) | more than 5 years ago | (#28608897)

Or you can just go into Tools->Options and turn off the automatic downloading of codecs. And according to the help, the user is always prompted before downloading third party codecs.

Hmm... (2, Interesting)

that IT girl (864406) | more than 5 years ago | (#28608175)

Does bring one question to my mind, though. In our office we have been told not to upgrade to IE7, though a few people "accidentally" did anyway. On their machines, even if they use Firefox, the security/Internet settings that IE7 made carry over to Firefox and affect it. One example is a certain java applet we have to access here that wouldn't even work in FF after my coworker upgraded. I had to go in and change settings in IE for it to work in either browser. I didn't upgrade and I'll admit my knowledge is a bit fuzzy in this area, so I haven't really looked into this too much, but... If a vulnerability can use IE to get into the OS, couldn't it do so even if you haven't opened IE yourself?

Re:Hmm... (2, Insightful)

magamiako1 (1026318) | more than 5 years ago | (#28608557)

No. There would have to be some sort of vulnerability existing in the system to launch code, to then launch IE, to then exploit IE.......yeah....you can see the logic in that.

No, if IE is not running or being used, the exploit would not affect the system.

That said, this vulnerability does not affect Vista or Windows 7, or IE7/8 on those systems.

Really--people should upgrade. And furthermore, people should not disable UAC.

Re:Hmm... (1)

that IT girl (864406) | more than 5 years ago | (#28609293)

We are running XP in this office, and as far as I know, will be doing so for at least a few more years. =/
And I sincerely hope they skip Vista and go right to Win7.

Re:Hmm... (0, Offtopic)

that IT girl (864406) | more than 5 years ago | (#28609341)

Oh, and sorry--thanks for the non-troll response :)

Re:Hmm... (1)

stevied (169) | more than 5 years ago | (#28609453)

Usually, anything that uses IE's rendering engine to display untrusted content is also vulnerable. MS's advisory mentions that Outlook Express isn't vulnerable by default in this situation because of its use of the zoning stuff, which implies that it, and other apps, might be vulnerable otherwise.

Re:Hmm... (1)

stevied (169) | more than 5 years ago | (#28609571)

If IE and Firefox were both using Sun's JVM (which I imagine they were), perhaps it was the JVM's security settings that got changed? That's my best guess for that one.

Because IE is almost always shipped with Windows, other apps often use its rendering engine to display HTML - they might also be vulnerable if they use it to display untrusted content. The advisory mentioned that Outlook Express isn't vulnerable in its default configuration because of its use of IE's "zones" feature, but that does rather imply that it, and other apps, might be vulnerable in certain circumstances.

Re:Hmm... (1)

that IT girl (864406) | more than 5 years ago | (#28609869)

Good call. Thanks for the input.

Re:Hmm... (1)

AceofSpades19 (1107875) | more than 5 years ago | (#28611017)

Why do people in your office have admin privileges to the computers there?

Active X... (2, Funny)

TriZz (941893) | more than 5 years ago | (#28608313)

...will soon be added to the Thesaurus as a synonym of "Vulnerability".

Sometimes I wonder... (2, Insightful)

DarKnyht (671407) | more than 5 years ago | (#28609091)

It makes me wonder why any financial institution would still design their websites to require Internet Explorer and/or Active X. Seems sort of like putting up guide rails at a bowling alley and then expecting everyone to bowl gutter balls.

Time distortion (1)

HomelessInLaJolla (1026842) | more than 5 years ago | (#28610331)

When the media release admonishes that malicious attackers have been exploiting a flaw for nearly a week the real indication is that the core of the obfuscated code community has been exploiting it for far longer--probably since the day the vulnerable snippet of code was introduced. I will not tarry to read the full article and look at all of the related references but the summary indicates ActiveX on XP or server '03. Unless this is a relatively new addition to the AX library of functions you can rest assured that the vulnerability has been exploited since the day the software was shipped.

When you install an OS such as Debian, or LFS, or Ubuntu, or Slack, or RH, or Mandrake, or any of the BSD flavors, you become familiar with the concept of dependencies--either to compile from source or to install a package. Vulnerabilities are no different. Vulnerabilities have dependencies and, once all of the requisite dependencies are in place, then the vulnerability is available. Just as the installer of a source compilation or a package knows exactly when the dependencies are fulfilled and the program is available so too do the core researchers know almost immediately when the dependencies for a vulnerability have been fulfilled. Oftentimes those who have been writing and maintaining apps for a particular kernel and core set of libraries may even see the possibility for an exploit within their program but think to themselves, "Yeah, that portion could be exploited, but this-and-that-and-these aren't available and an attacker would need to figure out a way to inject executable bytecode into the stack using this hole, if they could get to it, and to do that they would need to know the user's particular kernel and libc, possibly shell and memory configuration, and they can't get that info through this opening." Then, two or three months later, some enormous library conglomerate, possibly within the environmental (gnome/qt/kde/etc) infrastructure becomes available, and _bing_, all of the dependencies to make the vulnerability a viable vector for exploit have been fulfilled.

This has long been the dichotomy between making an OS usable for the general population and maintaining it in a secure fashion. This is why I have always chosen X window managers which have been relatively bare bones (ude/blackbox/e16) and tried to minimize GUI dependency and remain at the shell/CLI interface. Automation and full integration within the OS is good for the general users but it also quickly fills all of the spaces between the lines of security; fulfilling and satisfying all of the dependencies for vulnerabilities. This was my major admonishment even as early as Win95--though at the time I was (and still largely am) ridiculed by those who want to have the features of computer use and appear computer knowledgeable but also want the ease of an OS that demands very little effort of learning from them.

All of that is relatively superficial, obviously, when you take those considerations to full completion. The exact same principle applied ten or twenty years ago. The exploitable software of ten or twenty years ago became solidified and standardized and those functions have now been made to be performed at the hardware level in the bridge chips and bus controllers. Those hackers (and crackers) who were the laser eyed math and logic geeks playing kernel/core wars ten and twenty years ago still know where those exploitable pathways are and, if they can (and believe me, they definitely can) find a way to executable memory from an exploitable codec or your web browser, they can own your executable memory space. They don't own it to bring your system down or to make it unusable, they own it to feed vast databases of information. Information is profiled, stored, categorized, and indexed in much the same way as the "warrantless" wiretapping we heard about several years ago. The government does not put active agents on every line: they screen the line through voice recognition systems which listen for key words and phrases. The technology to screen a telephone system large enough to serve a mid-sized town (50k-100k people) with hardware speed has existed since at least '95. It is now '09. Don't think it isn't happening. It would be monumentally naive to approach life as if it were not the truth.

To me all of this is relatively inconsequential. I have been homeless for three years and have not managed my own computer systems for nearly as long (for a short period I did have a laptop while homeless but that hardly counted).

Read the book of Genesis from about chapter forty to the end. Joseph exploited all of Egypt into indenture and slavery for nothing more than a clean piece of bread. Your technological and financial masters are exploiting you into slavery for nothing more than the codecs to view pr0n and the browser to check your e-mail. It would be monumentally naive to think that a six thousand year old exploit isn't being used today.

Ask yourself a very simple question: if you knew of a foolproof way to collect periodic rent from the entire population around you, such that you needed to do nothing more than stand up and give a speech every now and again and, in return, you would have the wealthiest lifestyle you can imagine--wouldn't you use it? Most people try to play the moral high road and say that they wouldn't but, here's the caveat, go spend five years in utter and complete destitute servitude, then get f*cked over by your owner's wife, spend a few years in jail over a lie, and then happen across an opportunity to get back to the top practically overnight. That is what Joseph, son of Israel, went through. Believe me, after spending time in utter and complete impoverished destitution, your point of view on what you will or won't do changes significantly.

That is why Jesus Christ taught complete forgiveness. Joseph was never able to forgive his brothers for selling him into slavery, never able to forgive his master's wife for sending him to jail with her prideful lies, and he leapt at the chance to "get back" at the whole world. His system of slavery, of exploiting people through their conditioned and deliberately created dependencies, now encompasses nearly the entire world.

The world of computing is no different.

On the plus side (1)

ThatsNotPudding (1045640) | more than 5 years ago | (#28610669)

"It's Better with Windows" /snark

actual fix (1)

prozaker (1261190) | more than 5 years ago | (#28610673)

The fix installs firefox :o