
New Attack Fells Internet Explorer

Soulskill posted more than 4 years ago | from the tricking-an-old-dog dept.


alphadogg writes "Attack code has been identified that could be used to break into a PC running older versions of Microsoft's Internet Explorer browser. The code was posted Friday to the Bugtraq mailing list by an unidentified hacker. According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."


202 comments


Virus warning (1, Interesting)

dennis_k85 (828582) | more than 4 years ago | (#30193670)

As soon as I go to the Bugtraq web site, my anti-virus scanner goes off like crazy.

Re:Virus warning (3, Insightful)

clang_jangle (975789) | more than 4 years ago | (#30193776)

As soon as I go to the Bugtraq web site, my snake-oil scamware goes off like crazy.

FTFY.

Re:Virus warning (0)

Anonymous Coward | more than 4 years ago | (#30193988)

Avast AV is detecting the page for me too. It seems more likely that it is detecting pieces of viral code on the page rather than the page actually being infected with a virus, given the nature of the site, however.

Re:Virus warning (1)

dennis_k85 (828582) | more than 4 years ago | (#30194226)

I'm using Avast AV too. It just says there is malware on the page. Weird.

Re:Virus warning (0)

Anonymous Coward | more than 4 years ago | (#30193996)

That should tell you something about your virus scanner...

Re:Virus warning (-1, Redundant)

mister_playboy (1474163) | more than 4 years ago | (#30194918)

I have no virus scanner, as I use Linux. :)

Is that supposed to be news?? (4, Insightful)

rpp3po (641313) | more than 4 years ago | (#30193682)

Yes, old, unpatched browser versions can be exploited. Is this a joke?

Re:Is that supposed to be news?? (4, Insightful)

UnknowingFool (672806) | more than 4 years ago | (#30193784)

old != unpatched.

The article says IE 6 and IE7. It does not say unpatched. For many people these are their current browsers as they have not upgraded to IE 8. For business users, their companies may still insist they use older browsers until they are able to migrate certain software to the new version.

Re:Is that supposed to be news?? (0, Flamebait)

commodore64_love (1445365) | more than 4 years ago | (#30194276)

I just upgraded from 6 to 7 around two months ago.

I guess it's time to hop to 8. I'm tired of constantly upgrading everything. I drive an old car built in 1997, and I don't understand why I can't keep running the same browser at least a few years. Yeah I know - constant updating keeps programmers employed.

Re:Is that supposed to be news?? (0, Flamebait)

PitaBred (632671) | more than 4 years ago | (#30194348)

Yeah. A Model-T should be enough for anyone. These new "fuel injectors" instead of carburetors... just because they're more efficient and work more reliably doesn't mean we actually need those! Why would I want to update my technology to get new features? Gopher was enough for a long time! Why change?

/me gets off your lawn

Re:Is that supposed to be news?? (1, Informative)

commodore64_love (1445365) | more than 4 years ago | (#30194988)

I said a *few* years..... as in more than one. Not 90.

Re:Is that supposed to be news?? (1, Funny)

Anonymous Coward | more than 4 years ago | (#30195468)

You may have noticed that things change a bit faster in the internet. IE 6 _is_ model T.

Re:Is that supposed to be news?? (1, Funny)

Anonymous Coward | more than 4 years ago | (#30194478)

Are you the type that enjoys hitting yourself in the head with a hammer because it feels so good when you stop?

Installing and upgrading Firefox is simple and painless.

Re:Is that supposed to be news?? (1)

rliden (1473185) | more than 4 years ago | (#30194612)

Here is the lemma to your myopic car analogy: Replace the brakes, belts, and other wearables. Service your engine and transmission at required intervals. When a warranty recall for a defective part is issued bring the vehicle to dealer to have it replaced. If you don't do these things and service your vehicle, it will break down and leave you vulnerable to the consequences. Yeah I know - maintaining your vehicle keeps mechanics employed.

Re:Is that supposed to be news?? (1, Offtopic)

commodore64_love (1445365) | more than 4 years ago | (#30195008)

Maintenance?

What's that? J/K. That maintenance I can deal with but the annual inspections just so garages can look for something to repair really piss me off. I miss my old state that had no inspections (at point-of-sale and that was it).

Re:Is that supposed to be news?? (2, Insightful)

Sir_Lewk (967686) | more than 4 years ago | (#30195042)

With an attitude like that, you are a nuisance to everyone else on the road.

Re:Is that supposed to be news?? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30194676)

I'm tired of constantly upgrading everything

Then I hope you never run Ubuntu. They bug you with almost daily updates. In XP I can conveniently set the schedule to install updates at 2am when I am asleep and my internet is uncapped at night. With Ubuntu I have no way of doing that. Oh well, can't expect professional polished software for free.

Re:Is that supposed to be news?? (1)

mister_playboy (1474163) | more than 4 years ago | (#30194936)

Liar.

Re:Is that supposed to be news?? (1)

Shetan (20885) | more than 4 years ago | (#30195628)

With Ubuntu I have no way of doing that.

They took cron out of Ubuntu? That seems silly.

Wait a minute! (1, Funny)

Anonymous Coward | more than 4 years ago | (#30194992)

You upgraded the stable IE6 to BETA IE8?...(I mean IE7).

Re:Is that supposed to be news?? (3, Interesting)

MillionthMonkey (240664) | more than 4 years ago | (#30195014)

I'm tired of constantly upgrading everything. I drive an old car built in 1997, and I don't understand why I can't keep running the same browser at least a few years. Yeah I know - constant updating keeps programmers employed.

Drat, improving technology keeps programmers employed.
Double drat- your reluctance to update combined with a propensity to complain keeps additional people employed just to make sure things continue to look pretty on your screen.

Re:Is that supposed to be news?? (0)

cenc (1310167) | more than 4 years ago | (#30194646)

You know, I keep hearing people say that companies have to keep these browsers because of some software that they can not upgrade, as an excuse for the continued use of 6 and 7. What frigen company has managed to hang on to a totally shit piece of web software that depends on windows 6 or 7 to function?

Whoever they are, they have bigger IT problems than this exploit will ever generate.

Re:Is that supposed to be news?? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30194788)

There are niche areas of IT, which you've obviously not worked in, where some vendors have a web-interface-driven piece of equipment and they are VERY slow to update said interface to work with current browsers. Unless things have changed in the last 6 months or so, IE7 support was just coming out for that equipment. So you can see how long it will be before 8 is supported. I will not name that niche or the company that supplies equipment to it, but suffice to say that every city has at least a couple of these places...

Re:Is that supposed to be news?? (1, Informative)

Anonymous Coward | more than 4 years ago | (#30194922)

The US Air Force only released IE7 to its non-classified desktops earlier this year. Widespread Vista deployment has been pushed from early 2008 to mid-2010 (and that's just the current "best-case" estimate, I expect more delays). IE is necessary for logging into many, many DoD websites using the Common Access Card [wikipedia.org] .

Re:Is that supposed to be news?? (2, Informative)

MillionthMonkey (240664) | more than 4 years ago | (#30195088)

What frigen company has managed to hang on to a totally shit piece of web software that depends on windows 6 or 7 to function?
Whoever they are, they have bigger IT problems than this exploit will ever generate.

A lot of people- you'd be surprised. Earlier this year I worked for a place where at least a third of their customers (from academic departments, mostly) were still using IE6 and various IE5 versions.

Re:Is that supposed to be news?? (0)

Anonymous Coward | more than 4 years ago | (#30195258)

Isn't IE5, like, you know, very old?

But, one of my excuses for sticking with IE6 (and my reason for posting anonymously), is that I can't go past IE6 with Windows XP Pro SP1. And no, I will not install SP2, since it breaks programs.

Re:Is that supposed to be news?? (2, Informative)

RobertM1968 (951074) | more than 4 years ago | (#30195216)

old != unpatched.

For business users, their companies may still insist they use older browsers until they are able to migrate certain software to the new version.

Or upgrade hardware - we have a variety of customers whose machines are too old to run IE7 or IE8 efficiently, and who have no plans (or budget or whatever) to upgrade their hardware until it dies or is very near death.

Re:Is that supposed to be news?? (2, Insightful)

thetoadwarrior (1268702) | more than 4 years ago | (#30193788)

It mentioned versions 6 & 7. Considering how long people hold onto their version of IE, it will be ages until IE7 disappears. Also, MS does have some contracts with companies that mean they're stuck on Win 2k for now, which means nothing greater than IE6. Granted these companies could use FF, but understandably they're paying for support from MS and want to use a browser they will support.

If MS is going to be taking money for something like this then they should still be supporting IE6 and patching up its holes.

Re:Is that supposed to be news?? (3, Insightful)

DarkOx (621550) | more than 4 years ago | (#30193888)

Considering how long people hold onto their version of IE, it will be ages until IE7 disappears.

I really don't think you are right about that. There will always be those home users on dialup that don't run automatic updates ever, but they are not very useful in a botnet anyway. Most people will get updated to IE8 weather they mean to do it or not. IE 6 lives in the corporate space because it was around long enough for its own software ecosystem to develop in and on it. IE7 was around for like a year before 8 was released as beta, and 8 does not break much compatibility with 7; it's much less significant than 6 -> 7.

I doubt there is much code out there targeted at 7 that does not work on 8. The projects that do would have to have been pretty small and would have been designed and completed in a pretty narrow time window between 7's release and the pretty clear public information on what was coming in 8.

Re:Is that supposed to be news?? (1)

Zero__Kelvin (151819) | more than 4 years ago | (#30194472)

"Most people will get update to IE8 weather they mean to do it or not."

You don't need a weather man to know which way the Windows blows ...

Re:Is that supposed to be news?? (1)

Ralish (775196) | more than 4 years ago | (#30195334)

FYI: Microsoft commits to support the version of IE that ships with "x" Windows release for as long as "x" Windows release is supported. For example, IE 6 was shipped with Windows XP and so will be supported until Windows XP ceases to be. What this means is IE 6 is guaranteed to at the very least receive security fixes and limited bugfixes until sometime in 2014 when Windows XP leaves support. Similarly, IE 7 was shipped with Vista and will be supported until Vista ceases to be; contrary to what others may say, this is likely to be a very long time, I'd wager a minimum of 1 decade from RTM.

That being said, XP users using IE 7 have upgraded to it either consciously or via Automatic Updates and Vista users I suspect are far more likely to have Automatic Updates enabled as the OS has the functionality baked-in from RTM and aggressively encourages the user to enable it. So, while it may be supported for a long time, its userbase may shrink rapidly in contrast to the glacial decline of IE 6.

Re:Is that supposed to be news?? (4, Insightful)

caluml (551744) | more than 4 years ago | (#30194262)

I work for a very large bank, and IE 6 is the corporate standard. The banking platform is only designed to work with IE6. Some of the internal admin tools don't work with IE8.

Re:Is that supposed to be news?? (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30194424)

That's because there are a bunch of goddamn Jews running them banks. Jews are so stingy that they don't want to use the increased storage space for the free IE upgrade.

Nobody wants, nobody likes - kikes, kikes, kikes.

Re:Is that supposed to be news?? (4, Interesting)

lord_rob the only on (859100) | more than 4 years ago | (#30194604)

Using SAP by any chance ?

In my former company, they use SAP and it's absolutely an IE only application for its web interface. It doesn't work *at all* with Firefox. At least that was the case when I was working there (We were using SAP ECC6)

Oh good Lord *facepalm* (5, Funny)

David Gerard (12369) | more than 4 years ago | (#30193688)

Microsoft Windows has once again trounced all comers in security, with a recent survey showing 59% of all Windows machines on the Internet being infected with malware and under the control of botnets. Malware rose 15% just from August to September this year.

Windows users continued to be stupidly complacent Typhoid Marys, telling Mac and Linux users that they were every bit as susceptible to viruses and Trojans, despite the Windows:Mac:Linux virus proportions in the wild continuing at approximately 100%:0%:0% for the fifteenth year in a row, and pumping out gigabytes of spam and denial-of-service attacks from their thoroughly 0wn3d computing cesspits.

“The truth is out,” said Steve Ballmer, taking care not to wash his hands [today.com] when preparing the food for his Windows 7 House Party. “Mac and Linux users are just too pussy for viruses. Gotta keep your immune system up! What are you, some sort of faggot? Too artsy or nerdy for MANLY food?”

The time on the digital clock behind him changed at random as he foamed slightly at the mouth. “Windows — we’re NUMBER ONE! And here you were saying Windows was a load of ‘number two.’”

Re:Oh good Lord *facepalm* (0, Redundant)

commodore64_love (1445365) | more than 4 years ago | (#30194304)

>>>with a recent survey showing 59% of all Windows machines on the Internet being infected with malware and under the control of botnets.
>>>telling Mac and Linux users that they were every bit as susceptible to viruses and Trojans, despite the Windows:Mac:Linux virus proportions in the wild continuing at approximately 100%:0%:0%
>>>

Please provide proof or retract. Thanks.

Re:Oh good Lord *facepalm* (4, Funny)

ColdWetDog (752185) | more than 4 years ago | (#30194482)

*** ALERT ****

Humor Process Failure

(A)bort, (R)etry, (F)lail

Re:Oh good Lord *facepalm* (1, Funny)

Anonymous Coward | more than 4 years ago | (#30194836)

(F)lail. wait, flail?

U.S. Government (1)

WED Fan (911325) | more than 4 years ago | (#30194428)

This is a huge problem. Many U.S. Government agencies have yet to move off of IE6. Especially the military. Mostly due to IT management contracts that require the gov't to pay for every little upgrade action. For a simple upgrade, one agency gets tagged per profile per month by the company that runs their IT. That same company has a policy of being 2 versions behind current. Meaning, it is actual policy to be running IE6, Office 2003, and XP/Server 2003. The approval process is so overtaken with red tape and time that most give up trying to get upgrades. One agency just recently removed NETSCAPE from their builds. NETSCAPE!

All it takes is a hostile government to set up a few magnet sites, get banner ads deployed, and bam, your U.S. Government has rampant infections. Is it any wonder we read, from time to time, about gov't employees being prohibited from going to certain sites?

Re:Oh good Lord *facepalm* (1, Informative)

Blakey Rat (99501) | more than 4 years ago | (#30194656)

The problem isn't anything Microsoft doing, it's users who don't upgrade their OS. Did you notice the part where this only affects IE6 and IE7? Upgrade to IE8, and, presto, you're immune!

Re:Oh good Lord *facepalm* (1)

MillionthMonkey (240664) | more than 4 years ago | (#30195138)

The problem isn't anything Microsoft doing, it's users who don't upgrade their OS.

That may be a true description of this problem as it currently stands- but it stems from what Microsoft screwed up in the past.

Re:Oh good Lord *facepalm* (1)

Blakey Rat (99501) | more than 4 years ago | (#30195228)

Well, they don't have a time machine, so you'll just have to cope with that somehow.

Re:Oh good Lord *facepalm* (1)

MillionthMonkey (240664) | more than 4 years ago | (#30195332)

I don't have a dog in this fight. I'm just calling 'em as I see 'em, like Sarah Palin.

Re:Oh good Lord *facepalm* (1, Funny)

Anonymous Coward | more than 4 years ago | (#30195622)

I don't have a dog in this fight. I'm just calling 'em as I see 'em, like Sarah Palin.

And you were doing so well before that comment.

MSIE version 8 is not known, according to TFA. (2, Interesting)

jbn-o (555068) | more than 4 years ago | (#30195400)

The problem isn't anything Microsoft doing, it's users who don't upgrade their OS. Did you notice the part where this only affects IE6 and IE7? Upgrade to IE8, and, presto, you're immune!

Some users, like office workers, are not in control of the computers they use and cannot switch away from what they were given. Sometimes they were set up with particular versions of software to suit other programs. The "Banner" system some universities use, for instance, requires MSIE7 and a particular old version of Sun's Java runtime. Certain sections of Banner don't work properly with non-MSIE browsers like Firefox. I understand this is an extremely costly system and switching away is considerably complicated. I'm not endorsing these choices or claiming any of these choices is wise, but it is there.

The article also says the status of MSIE8 is not mentioned by the researchers [networkworld.com] : "Neither company [Symantec and Vupen] was able to confirm that the attack worked on Microsoft's latest browser, IE 8.". What part of what article were you referring to?

Re:Oh good Lord *facepalm* (0, Redundant)

commodore64_love (1445365) | more than 4 years ago | (#30195084)

>>>59% of all Windows machines on the Internet being infected with malware and under the control of botnets.
>>>Windows:Mac:Linux virus proportions at approximately 100%:0%:0%
>>>

Please provide proof or retract. Thanks.

Versions 6 & 7 (2, Informative)

Travis Mansbridge (830557) | more than 4 years ago | (#30193702)

Specifically versions 6 & 7, says the article.

Re:Versions 6 & 7 (2, Funny)

Sulphur (1548251) | more than 4 years ago | (#30194818)

So if I am using dos and Windows 3.11, I should be safe. Right.

Windows 3.11 (1)

MillionthMonkey (240664) | more than 4 years ago | (#30195156)

I think most worms these days will check the version and refuse to run until you provide an update for them to infect.

Summary needs clarification (5, Funny)

Anonymous Coward | more than 4 years ago | (#30193704)

"According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."

So, are they referring to IE or the attack code?

Re:Summary needs clarification (4, Funny)

click2005 (921437) | more than 4 years ago | (#30194338)

No, they're referring to Symantec's code :)

CSS Behaviors? (2, Informative)

DontLickJesus (1141027) | more than 4 years ago | (#30193728)

If I'm interpreting this correctly, it would appear to be a buffer overflow attack against the "style" element. Seeing that IE6-7 are the only current browsers that handle CSS behaviors (basically javascript in CSS) I'm going to make an educated guess and say it stems from the validation (and execution of) Javascript in CSS.

Nope (1)

WD (96061) | more than 4 years ago | (#30195130)

Not quite. There's no JavaScript in the CSS, nor is there a buffer overflow.

In other news... (0)

Anonymous Coward | more than 4 years ago | (#30193736)

Slackware 3.0, Redhat 2 and OSX 10.1 all still have exploits.

Re:In other news... (4, Insightful)

koiransuklaa (1502579) | more than 4 years ago | (#30194064)

What does that have to do with anything? Fully patched IE 6 and IE 7 are _supported_ products, the ones you list are not.

Not aware of a patch? (1, Interesting)

kjart (941720) | more than 4 years ago | (#30193762)

Affected Products

Microsoft Internet Explorer 7
Microsoft Internet Explorer 6

Solution

Disable Active Scripting in the Internet and Local intranet security zones.

VUPEN Security is not aware of any vendor-supplied patch.

I know most of us would like to pretend IE doesn't exist, but haven't they even heard of IE 8?
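As an added example (not code from the thread, from VUPEN's advisory, or from Microsoft), the PowerShell below reports which IE build a machine is running and, when run with -Apply, sets the workaround VUPEN lists above: Active Scripting disabled in the Internet and Local intranet zones. It assumes the per-user zone settings live under HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone> (zone 1 = Local intranet, zone 3 = Internet) with the DWORD named "1400" holding the Active scripting action (0 enable, 1 prompt, 3 disable), that the IE build is recorded under HKLM:\SOFTWARE\Microsoft\Internet Explorer as "Version" (or "svcVersion" on later releases), and that no Group Policy value under HKLM overrides the per-user setting. The function and variable names are this example's own.

```powershell
# Added example, not from the thread or the advisory. Reports the installed IE
# version and (with -Apply) disables Active Scripting in the Internet and Local
# intranet zones, then reads the value back to confirm the change took effect.
# Assumptions (see lead-in): registry paths and the "1400" action id below, and
# that no HKLM policy value overrides the per-user zone settings.
param([switch]$Apply)

$ZonePath        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones           = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$ActiveScripting = '1400'   # assumed zone action id for "Active scripting"
$Disable         = 3        # 0 = enable, 1 = prompt, 3 = disable

function Get-IEVersion {
    # Assumed location of the IE build number; later releases record it in svcVersion.
    $key = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction Stop
    if ($key.svcVersion) { return [version]$key.svcVersion }
    return [version]$key.Version
}

function Get-ActiveScripting([int]$Zone) {
    $item = Get-ItemProperty -Path "$ZonePath\$Zone" -Name $ActiveScripting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: IE falls back to the zone default
    return [int]$item.$ActiveScripting
}

$ver = Get-IEVersion
Write-Host "Internet Explorer $ver"
if ($ver.Major -ge 8) {
    Write-Host 'IE 8 or later: the advisory lists only IE 6 and IE 7 as affected.'
}

foreach ($zone in ($Zones.Keys | Sort-Object)) {
    $current = Get-ActiveScripting $zone
    $state = switch ($current) { 0 { 'enabled' } 1 { 'prompt' } 3 { 'disabled' } default { 'zone default' } }
    Write-Host ("Zone {0} ({1}): Active scripting = {2}" -f $zone, $Zones[$zone], $state)

    if ($Apply -and $current -ne $Disable) {
        if (-not (Test-Path "$ZonePath\$zone")) { New-Item -Path "$ZonePath\$zone" -Force | Out-Null }
        Set-ItemProperty -Path "$ZonePath\$zone" -Name $ActiveScripting -Value $Disable -Type DWord
        # Read back instead of trusting the write: a policy value in HKLM silently wins.
        if ((Get-ActiveScripting $zone) -eq $Disable) {
            Write-Host "  -> Active scripting now disabled in zone $zone"
        } else {
            Write-Warning "  -> zone $zone still not disabled; check for a policy override under HKLM"
        }
    }
}
```

Run it as the user whose browser profile is at risk (the zone values are per user), once without -Apply to see the current state and again afterwards to confirm. The read-back is the check that matters: a Group Policy setting overrides the per-user value without any error from Set-ItemProperty. Note that disabling Active Scripting breaks most script-driven sites, including the intranet applications the thread cites as the reason people are still on IE 6, so if those need script, scope the change to the Internet zone alone and treat it as a stopgap until a vendor fix ships.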

Re:Not aware of a patch? (1)

Mystra_x64 (1108487) | more than 4 years ago | (#30193884)

They do. Users do not however. Well, at least many just don't care.

Re:Not aware of a patch? (2, Informative)

tepples (727027) | more than 4 years ago | (#30193900)

VUPEN Security is not aware of any vendor-supplied patch.

I know most of us would like to pretend IE doesn't exist, but they haven't even heard of IE 8?

Microsoft doesn't make IE 8 for older versions of Windows such as Windows 2000. It'd be like saying Windows 7 is a "vendor-supplied patch" for Windows Vista.

Re:Not aware of a patch? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30193910)

IE 8 is not a patch since it requires reading a new EULA. I'll stick with the version that does less spying thank you.

Re:Not aware of a patch? (0)

Anonymous Coward | more than 4 years ago | (#30195134)

So IE8, then? Dickwad.

Re:Not aware of a patch? (1)

supersloshy (1273442) | more than 4 years ago | (#30193924)

They said that it affects old versions of internet explorer.

Re:Not aware of a patch? (1)

mpe (36238) | more than 4 years ago | (#30194248)

I know most of us would like to pretend IE doesn't exist, but they haven't even heard of IE 8?

There are plenty of web apps (especially in the "Enterprise" environment) which depend on quirks of specific browsers. Most commonly IE6. Using a different browser means making major changes. At which point it probably doesn't matter if the change were to be to Firefox, Opera, Safari, etc. Indeed there are versions of Windows which won't run IE8, but will run modern non-Microsoft browsers.
Indeed if things are web based then without a requirement for IE something akin to "Google OS" might make rather more sense than Windows. Especially if the result is small enough to be reasonably started by PXE.

Re:Not aware of a patch? (1)

funkatron (912521) | more than 4 years ago | (#30194346)

So what you're saying is that people still run a crap browser because they need it to use badly written software. Surely one of the main reasons for having web based applications in the first place is to get some independence from the clients' platform.

Re:Not aware of a patch? (0)

Anonymous Coward | more than 4 years ago | (#30194538)

Nah. The main reason is that for some enterprise tasks, web apps are simply more convenient. You can link to them from an intranet web page, cross link them, push updates by replacing files on the server side, etc. Active X on IE 6 got the job done, so some people used that.

Re:Not aware of a patch? (3, Insightful)

0123456 (636235) | more than 4 years ago | (#30194948)

Surely one of the main reasons for having web based applications in the first place is to get some independence from the clients' platform.

You haven't been in IT long, have you?

Firefox (0, Redundant)

1s44c (552956) | more than 4 years ago | (#30193816)

The only people still using internet exploder are people who don't care about security. They have ignored more than enough warnings and deserve what they get.

The rest of the world is already using firefox, opera, or whatever the OS X browser is called.

Re:Firefox (1)

Inschato (1350323) | more than 4 years ago | (#30194292)

Safari

Re:Firefox (2, Insightful)

Tim C (15259) | more than 4 years ago | (#30194300)

The only people still using internet exploder are people who don't care about security.

Or perhaps they just don't know about that sort of thing, and expect their computer to just work, just as their TV, fridge, microwave, phone, etc all just work?

or whatever the OS X browser is called

First you lambaste people for not knowing enough about IE and its alternatives, then you admit to not knowing enough about Safari. Beautiful.

Re:Firefox (1)

CastrTroy (595695) | more than 4 years ago | (#30194800)

Or perhaps they just don't know about that sort of thing

They don't know because they don't care. A computer is a lot more complicated than a TV, fridge, microwave or phone. If you want to compare it in complexity to another thing that many people own, the only thing comparable would be a car. People know that cars require maintenance to keep them running well. Computers are no different in this respect.

Re:Firefox (0)

Anonymous Coward | more than 4 years ago | (#30194310)

The only people still using internet exploder are people who don't care about security.

Not true. we're using IE7 at my company because of some boneheaded decisions way back when that tied online applications to the browser version. That is, they used browser specific HTML that doesn't work correctly with IE8.

Re:Firefox (0)

Anonymous Coward | more than 4 years ago | (#30195388)

The only people still using internet exploder are people who don't care about security. They have ignored more than enough warnings and deserve what they get.

The rest of the world is already using firefox, opera, or whatever the OS X browser is called.

I care about security, and I think you would be hard pressed to document that Firefox is more secure than IE8 in protected mode (sandboxed, reduced user privileges). Yes you can find reported vulnerabilities in IE8, but most security companies announce far more for Firefox these days. Including pretty severe ones like we discussed here a couple of days ago: http://it.slashdot.org/story/09/11/20/1257232/Zero-Day-Vulnerabilities-In-Firefox-Extensions [slashdot.org]

"Firefox most vulnerable browser, Safari close second": http://www.net-security.org/secworld.php?id=8489 [net-security.org] . Secunia is saying pretty much the same thing.

A great reason to choose Firefox (4, Informative)

simsodep (1683906) | more than 4 years ago | (#30193840)

There is another story about JS loading with IE7 & IE8. According to 4 of my testers (and a test I did after using the same environment), it seems that we can't login to our site so dep [sodepabc.com] using Internet Explorer 7 and 8, on Win XP (and maybe Vista, not tested). After validating the form, we are back to login page, without any error, but like we are unauthenticated. On the other hand, Firefox does its great job.

Re:A great reason to choose Firefox (2)

jbacon (1327727) | more than 4 years ago | (#30194118)

It sounds like the root flaw actually lies in your own login implementation. I guarantee that IE is capable of handling sessions. If you have a website that makes you money, you should realize a couple points: First, most of your userbase runs IE. Having the site unusable in said browser is very bad. Second, special casing code for IE is a fact of life in the web development world, and you should just get used to it.

Re:A great reason to choose Firefox (3, Interesting)

Zero__Kelvin (151819) | more than 4 years ago | (#30194536)

"It sounds like the root flaw actually lies in your own login implementation."

"Second, special casing code for IE is a fact of life in the web development world, and you should just get used to it."

It looks like there is a root flaw in your logic implementation there jbacon. You are right about the special casing needs, but a simple redirection to a page explaining that they are using a non-standards compliant virus sink with links to getfirefox.com and articles backing up the claim would be much more effective in the long run. In fact, if there weren't so many web designers with root flaws in their logic akin to yours, it would benefit in the short run. About the third or fourth time the user had to choose to use a standards compliant web browser or stop visiting the site(s) they want to visit, they would get the message.

Re:A great reason to choose Firefox (0)

Anonymous Coward | more than 4 years ago | (#30194652)

Yeah, they'd get the message that YOU are a DICK and they're glad to not do business with you because there is somebody nice around to hold their hand and whisper sweet nothing in their ears.

Or something like that.

Tough love doesn't work when somebody else benefits from undercutting you.

And no, it won't change.

LOL (1)

MillionthMonkey (240664) | more than 4 years ago | (#30195298)

...a simple redirection to a page explaining that they are using a non-standards compliant virus sink with links to getfirefox.com and articles backing up the claim would be much more effective in the long run. In fact, if there weren't so many web designers with root flaws in their logic akin to yours, it would benefit in the short run. About the third or fourth time the user had to choose to use a standards compliant web browser or stop visiting the site(s) they want to visit, they would get the message.

It sounds like a repetitive Ayn Rand novel with all the intellectual web designers going on a new strike every time less buggy browser versions come out.

Re:LOL (1)

Zero__Kelvin (151819) | more than 4 years ago | (#30195506)

"It sounds like a repetitive Ayn Rand novel with all the intellectual web designers going on a new strike every time less buggy browser versions come out."

That's probably because you mistakenly think that IE not being standards compliant, and Windows in general turning your computer system into a petri dish, are the result of bugs rather than an intentional part of the design. One would be foolish to claim that Microsoft doesn't intentionally make their software products non-compliant. If you pay attention and study your M$ history well, the fact that the virus propagation is by design as well becomes readily apparent.

Re:A great reason to choose Firefox (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#30195344)

It looks like there is a root flaw in your logic implementation there jbacon. You are right about the special casing needs, but a simple redirection to a page explaining that they are using a non-standards compliant virus sink with links to getfirefox.com and articles backing up the claim would be much more effective in the long run

Because turning away potential customers who don't have a choice in the browser they use (a huge corporate population is stuck on IE6) is always a sound strategy....

Re:A great reason to choose Firefox (1)

Zero__Kelvin (151819) | more than 4 years ago | (#30195558)

"Because turning away potential customers who don't have a choice in the browser they use (a huge corporate population is stuck on IE6) is always a sound strategy...."

I was unaware that huge corporations don't have a choice when it comes to web browsers!

The users that are doing legitimate business will file a ticket against the issue. I have a feeling that when IT gets thousands of tickets a day, all complaining that they were incompetent morons who decided on a non-standards compliant piece of garbage as their company's browser, the people that management brings in to replace those IT "professionals" will certainly make the switch to something compliant and secure.

Re:A great reason to choose Firefox (1)

tokul (682258) | more than 4 years ago | (#30194634)

There is another story about JS loading with IE7 & IE8. According to 4 of my testers (and a test I did after using the same environment), it seems that we can't log in to our site so dep using Internet Explorer 7 and 8, on Win XP (and maybe Vista, not tested). After validating the form, we are back to the login page, without any error, but as if we are unauthenticated. On the other hand, Firefox does its great job.

So you use some complex login tracking setup and can't trace why IE is failing. Looks like your setup issue and not something specific to some browser. Mind sharing how you break simple session cookie or ID tracking to the point that you can't understand why some browser fails?

What the world needs (4, Interesting)

hey! (33014) | more than 4 years ago | (#30193886)

is a definitive software engineering treatise on the history of IE security exploits.

It is certainly true that there is a kind of economic network effect going here. For many years we saw so many web sites that only worked properly with IE because IE was so dominant. The same factor naturally attracts black hats looking for systems to exploit. Once we factor that out, what can we learn from how IE was conceived and maintained?

Did clumsy code-reuse and maintenance play a significant role? That is, did they stretch existing code to do things it hadn't been designed to do because it was close enough to pass the demo test on time? That's a decision we all face; we'd all *like* to rewrite things better when we take a look at them, but in the real world we've got to ship good enough code on a deadline to justify our salary. I think MS might be particularly vulnerable to the "killer demo" imperative. They are a business that is dependent on organizations choosing entire MS product stacks because they *anticipate* something they're going to need in the future will be dependent on something else in that stack.

Did "business strategy" considerations confuse priorities for system requirements? E.g., the decision to make IE a fundamental part of the OS allowed MS to gain control of (destroy) the browser market while evading anti-trust regulation. Did that result in undesirable coupling of IE to the underlying system? Did the desire to leverage browser market dominance to give other MS products a competitive advantage create confusion in requirements or priorities?

Were there cultural attitudes that made security and quality secondary? E.g., did MS value having shiny new features soon before doing a quality implementation? Did their success at achieving effective control of the browser market cause them to under-invest in maintenance because they had no competition worth worrying about?

These are the kinds of things I'd like to know. It's almost past the point where any individual security flaw in IE is interesting to me, because there have been so many and will be so many more. It's time for a really first rate summing up by somebody who knows what he's talking about.

Re:What the world needs (2, Interesting)

DoofusOfDeath (636671) | more than 4 years ago | (#30193982)

is a definitive software engineering treatise on the history of IE security exploits.

Yup. We definitely need a "Truth and Reconciliation Commission" for what Microsoft has done to us. Whether or not to prosecute them later is a political decision. ;)

Re:What the world needs (1)

ColdWetDog (752185) | more than 4 years ago | (#30194524)

Yup. We definitely need a "Truth and Reconciliation Commission" for what Microsoft has done to us. Whether or not to prosecute them later is a political decision. ;)

I was thinking more along the line of the Nuremberg Trials.

Re:What the world needs (1)

Zero__Kelvin (151819) | more than 4 years ago | (#30194556)

"Did clumsy code-reuse and maintenance play a significant role? "

I don't know. Let's just go grab the code and take a loo .... oh, wait. Never mind.

Google strikes back (2, Funny)

sagematt (1251956) | more than 4 years ago | (#30194208)

Which butthurt Google Chrome Frame developer found out about this?

Use this to Install IE8 (0)

Anonymous Coward | more than 4 years ago | (#30194238)

Someone should write some code to use this vulnerability to install and run the IE8 update program.

Re:Use this to Install IE8 (1)

JustOK (667959) | more than 4 years ago | (#30194298)

that's just mean.

Re:Use this to Install IE8 (1)

Tim C (15259) | more than 4 years ago | (#30194370)

In the UK that would fall foul of the Computer Misuse Act; other countries have similar laws.

It's also a really, really stupid idea, only marginally less anti-social than writing traditional malware.

Re:Use this to Install IE8 (1)

Thinboy00 (1190815) | more than 4 years ago | (#30195182)

Someone should write some code to use this vulnerability to install and run the IE8 update program.

A real white hat would go the whole hog and install Firefox.

Hypocrites! (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30194494)

So, isn't the responsible thing to do to notify Microsoft, and give them adequate time to produce a patch?

By posting the exploit to a public list, this guy is basically handing the bad guys a weapon. That's criminal. But because it's a Microsoft product, the Slashdot folks just eat that up -- Hey, fuck'em, they're running Wind0ze!!!111

Re:Hypocrites! (0)

Anonymous Coward | more than 4 years ago | (#30195688)

What? The man who exposes an existing problem is now the criminal?

Microsoft is the criminal for putting code on your computer which is capable of deleting your hard drive / downloading kiddie porn / etc.. Internet Explorer, as a computer program, works exactly how it's coded. Every single security hole is the result of a programmer writing some (hopefully accidentally) naughty code.

I keep hearing this notion that computer security is like physical security, that how much security you get is a function purely of how much you pay. It's really the opposite: in the physical world no matter how strong a wall you raise, an attacker with enough money can build a weapon strong enough to penetrate it. The attacker can always win by applying more money/strength. In a computer, the computer never does anything it wasn't told to do as part of its software. If the computer won't listen to instructions from strange websites telling it to install pieces of software, then there's nothing an attacker can do. The defender has a natural advantage.

Once a vulnerability is found it is, of course, polite to inform the vendor and let them know, but it is in no way the responsibility of the attacker or researcher to do so. Since you felt Microsoft is being unfairly singled out, I should mention that there's a good reason: Microsoft has stopped considering vulnerability reports in their software. They accept them, acknowledge them, ask the finders to keep them secret (usually by claiming that they're working on the fix right this moment), but ultimately they don't fix them until one shows up in the wild. To Microsoft, a known but not yet exploited bug is considered zero-priority since they have so many bugs which are being actively exploited. Because of this policy, early notification to Microsoft is useless.

Really? (0, Offtopic)

Murdoch5 (1563847) | more than 4 years ago | (#30194570)

Oh no, I'd better check my version of IE. Wait, I run Linux. Firefox is still okay.

Re:Really? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30194674)

Presumably you run it with no extensions, then?

Re:Really? (1)

Thinboy00 (1190815) | more than 4 years ago | (#30195190)

Presumably you run it with no extensions, then?

No, it's much more secure with NoScript.

MS could have found+fixed it (1)

obarthelemy (160321) | more than 4 years ago | (#30194758)

but all their code security auditors were working on the Chrome plugin :-p^

yuo F4il it (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30194808)

Re:yuo F4il it (1)

Thinboy00 (1190815) | more than 4 years ago | (#30195200)

Wrong URL.

So this means it's just like IE? (1)

DJRumpy (1345787) | more than 4 years ago | (#30195620)

"According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."

Does this mean it's on a level playing field with old versions of IE? It does not always work properly, and can install unauthorized software on a victim's computer?

my take on this (0)

Anonymous Coward | more than 4 years ago | (#30195690)

This is my first comment on Slashdot, and I'm quite annoyed by the "Windows security is bad" talk.
Each piece of software has problems, and will continue to have problems.
IMHO, you can measure security by one aspect only today: response time.
One could argue that the pure number of problems is also relevant, but these numbers are irrelevant, as one vendor may not disclose all problems, where another one may disclose all. Also, priorities may differ (a critical bug for one company may not be so big to another). So in the end you would end up with a relatively higher number of problems for the other vendor, but if they take 5 days to fix the issue, where the first one takes 15 days, I'd pick the one with the faster response time any time.

So, we will probably see how long it takes for Microsoft to fix the issue.
But for me, one of the HUGE problems with patching is that each time you install something (on Tuesday :)) you have to reboot your PC (I can remember only a few occasions where I did not have to reboot), whereas, for instance, you would reboot Linux only if the kernel is updated (at least in my experience).
And this brings another problem: sometimes I can't reboot the system, so I postpone installation of patches by many weeks, and so I make my system susceptible to attack.

There :)
