
Controversy Surrounds Huge IE Hole

CmdrTaco posted more than 11 years ago | from the no-surprise-here dept.

Bug 907

Suchetha wrote in with a Wired News bit talking about a security hole in IE that allows malicious web pages to reformat a hard drive. The Wired talks more about Bugtraq's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?


907 comments


Happy Troll Tuesday (-1)

L0rdkariya (562469) | more than 11 years ago | (#4707394)

to all of you. FAGS.

Re:Happy Troll Tuesday (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4707476)

happy troll tuesday to you too

celebrate by going to faggotfuck.com

Nth post (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4707404)

ha!

Of course it was irresponsible (4, Insightful)

Anonymous Coward | more than 11 years ago | (#4707431)

If they cared about preserving security for users, or getting the defect fixed, they'd have given the working code exclusively to the defect owner. Posting working malicious code to the general population serves NO BENEFIT to anyone other than those with malicious intentions. You can properly describe 99.99% of bugs without giving people the tools to take advantage of it.

Re:Of course it was irresponsible (4, Interesting)

sirket (60694) | more than 11 years ago | (#4707511)

Until a large percentage of the public gets screwed royally by a security hole, people are not going to take notice and start auditing their code as they should.

As a side note: I am rather sick and tired of reading about the latest MS IE/OE/Outlook exploit on Bugtraq. There need to be separate versions of Bugtraq for: Cross Site Scripting Vulnerabilities (Enough already), and Non-OS related holes in MS software (We already have Bugtraq-NT).

-sirket

Re:Of course it was irresponsible (4, Interesting)

Myco (473173) | more than 11 years ago | (#4707593)

That's a very good point. It encourages a somewhat radical interpretation: that the best way to get MS off their ass is to basically actively encourage all the script kiddies to use every exploit out there as much as possible until it's fixed. Sowing the seeds of dissent is a very worthwhile endeavor.

Re:Of course it was irresponsible (1)

chamenos (541447) | more than 11 years ago | (#4707563)

exactly. it's assholes like these who give script-kiddies all the material they need to inflate their egos.

i personally would like to see some sort of punishment meted out to the person/people responsible. one's right to free speech only goes so far. once the rights of others are intruded upon as a result of someone exercising his/her rights, then he/she no longer deserves those rights.

not only was it irresponsible, it was downright malicious and disgusting.

Re:Of course it was irresponsible (3, Insightful)

sean@thingsihate.org (121677) | more than 11 years ago | (#4707565)

No, you're wrong.

How long would a software company just sit on a bug without releasing a fix as long as it wasn't public knowledge?

How long would it take for a software company to release a fix when users are getting fucked up from it on a daily basis?

Re:Of course it was irresponsible (2)

Gruneun (261463) | more than 11 years ago | (#4707611)

How long would a software company just sit on a bug without releasing a fix as long as it wasn't public knowledge?

If I'm told that there's a security hole that allows someone to format my drive, and it's a system I believe is worth protecting, I'll fix it as soon as I hear.

There's a huge difference between making a bug's existence public knowledge and giving someone the tools to exploit it.

Re:Of course it was irresponsible (5, Insightful)

The Raven (30575) | more than 11 years ago | (#4707580)

Microsoft, and many other companies, have shown a remarkable ability to IGNORE bugs given to them. They don't care. They don't fix it. UNTIL their customers find out that the bug exists... then they care. Then they fix it.

Posting an exploit that is currently available to the script kiddies on BugTraq is a way of bringing exploits that so far are only posted in script kiddy boards into the public eye, so they find out about it, get offended, and get the damn hole patched.

It works. It is PROVEN to work. So I don't know why people still bitch about it.

Microsoft has known of the hole for over two weeks now. It's in the wild. It's not patched. Maybe NOW it will get patched.

Re:Of course it was irresponsible (1)

f.money (134147) | more than 11 years ago | (#4707597)

If they cared about preserving security for users, or getting the defect fixed, they'd have given the working code exclusively to the defect owner.


Ya, because when you give MS exclusive access to code, they fix things so fast. The fact is that most vendors DO NOT fix holes in their software unless exploits are posted. Period. There was a long discussion on Bugtraq about this earlier this year, read the archives if you'd like to see more.


Jon

Link to the Hole -- don't click if you're using IE (-1)

Sir Bard (605512) | more than 11 years ago | (#4707600)

Irresponsible? (2, Insightful)

FortKnox (169099) | more than 11 years ago | (#4707432)

The Wired talks more about Bugtraq's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?

Easy question to answer.
If Linux had an exploit that allowed someone to ssh into your box, su to root, then fsck your harddrive, and a patch wasn't released yet, would you be pissed off that bugtraq posted the code to exploit the bug?

Don't say "it'll never happen," cause anything is possible.

Re:Irresponsible? (4, Insightful)

nuggz (69912) | more than 11 years ago | (#4707466)

Yes I'd be pissed off, and I would be mad that they posted an exploit.

However I'd also be quite upset at my vendor for letting this happen.

Re:Irresponsible? (2, Interesting)

FortKnox (169099) | more than 11 years ago | (#4707518)

However I'd also be quite upset at my vendor for letting this happen.

That's getting down to a different point. Did the vendor know of the bug and ignore it, or was it something that wasn't considered? Even Linux has security bugs. It's naive to think that any program is 100% secure.

Re:Irresponsible? (3, Interesting)

Myco (473173) | more than 11 years ago | (#4707561)

This argument that because 100% security isn't possible, we should just give up on the whole idea is specious. Companies are responsible for doing their best to provide a product that's not full of holes. Their moral liability is determined by what constitutes a good-faith effort to that end. Their legal liability depends on the legal fiction you clicked "I agree" for.

Re:Irresponsible? (2)

FortKnox (169099) | more than 11 years ago | (#4707483)

(*grumble* putting the submit and preview button so close together *grumble*)

The point is, don't think of this as a "MS deserves it," because it isn't a matter of what the bug was, but how bugtraq handled it.

Re:Irresponsible? (4, Informative)

Proaxiom (544639) | more than 11 years ago | (#4707486)

It's not as easy as that. The folks at Symantec have a good point: it was already available in a number of public forums, so disclosure wasn't an issue anymore.

The criticism has a bit of a different skew:
"Symantec's actions give the impression that they are encouraging people to create and release malicious code. Given that Symantec also sells security and antivirus software, I think there is a terrible conflict of interest here."

I have to admit I wonder about this myself from time to time.

Re:Irresponsible? (2)

npietraniec (519210) | more than 11 years ago | (#4707512)

Well, with the IE bug, I'd be pissed at Microsoft because they sold me a product (Yes, I know IE is "free," but I consider IE part of Windows) and it's totally screwed up (again). With ssh, I'd disable the service until it's fixed and be disappointed, but not as pissed because a.) it's easy to just disable b.) I'm using ssh for free and don't really have a right to complain

Re:Irresponsible? (1)

UU7 (103653) | more than 11 years ago | (#4707559)

You can't stop your surfing, or god forbid use another browser ?

As much as you consider IE a part of windows..
http://www.mozilla.org it works wonders, apparently.

Re:Irresponsible? (1)

osu-neko (2604) | more than 11 years ago | (#4707543)

If Linux had an exploit that allowed someone to ssh into your box, su to root, then fsck your harddrive, and a patch wasn't released yet, would you be pissed off that bugtraq posted the code to exploit the bug?

Yes. However, I would not be pissed if they posted a bug anything like the one being talked about here, which is nothing like the one you describe. It's essentially a "web-trojan" -- it does not allow anyone on the outside to hack into a box, it just allows a user to execute malicious code on his or her own system. BIG difference...

Re:Irresponsible? (5, Insightful)

farnz (625056) | more than 11 years ago | (#4707592)

Nope; firstly, I have enough knowledge to disable or firewall off the services that are being exploited (and this would include disabling scripting in IE if IE ran under Linux).

Secondly, I'd rather *know* what an exploit looks like, and thus be able to create a filter to prevent exploit packets incoming rather than just hoping that an exploit doesn't exist (because if it does, the black hats will have it, and the script kiddies will get hold of it).

Thirdly, I have enough knowledge to help join in the effort to fix the bug; I'm not the only person with that sort of knowledge. In the situation you describe, I can attempt to tackle bugs that affect me; I'm not dependant on someone else doing it for me. Even if I was dependant on other people, I'd still prefer them to have the extra visibility into the problem that an exploit provides. I've had to debug similar errors before, and while the debugging is the hardest part, the second hardest is creating a useful test case; in your situation, I have a test case already.

holy crap (2, Funny)

Protege108th (626907) | more than 11 years ago | (#4707434)

that's freakin' craziness... hmmm, where's that mozilla download site again...

HOW. (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4707435)

I'm trying to convince a friend to switch to more reliable products. Can anybody post a link that can tell me HOW to exploit this latest bug?

HOLE (-1)

Sexual Asspussy (453406) | more than 11 years ago | (#4707437)


The Wired, huh? (5, Funny)

Millennium (2451) | more than 11 years ago | (#4707440)

The Wired talks more about Bugtraq's handling of the whole thing...

Dude; since when did Lain start writing technical articles?

Re:The Wired, huh? (0)

Anonymous Coward | more than 11 years ago | (#4707621)

Excellent use of the semicolon.

Good day

Yes!!! (5, Insightful)

jschmerge (228731) | more than 11 years ago | (#4707445)

It might be my sadistic side, but I prefer for working exploits to be posted by the security sites... It gives you a way of checking to see if you are vulnerable.

In the case of M$ bugs, it also puts more pressure on the company to come up with a fix for the problem quickly.

Re:Yes!!! (5, Funny)

AresTheImpaler (570208) | more than 11 years ago | (#4707562)

It might be my sadistic side, but I prefer for working exploits to be posted by the security sites... It gives you a way of checking to see if you are vulnerable. In the case of M$ bugs, it also puts more pressure on the company to come up with a fix for the problem quickly.

Right in the point man. Now, I'm running the code right now to see if im vulne

Re:Yes!!! (1)

quacking duck (607555) | more than 11 years ago | (#4707626)

"hmm, I wonder if I'm vulnerable to this IE bug that allows my hard drive to be reformatted..."

*applies exploit steps*
*drive gets wiped out*

"Dammit, I really was vulnerable!"

Ahhh... but (5, Funny)

ShieldW0lf (601553) | more than 11 years ago | (#4707446)

Can it install Linux on the hard drive after it has formatted it?

I thought it was fine till... (3, Funny)

Emugamer (143719) | more than 11 years ago | (#4707447)

I clicked on the link, and now had to post this comment under linux...

Still no loss, it was only a win98 machine

The preceding was a paid joke made possible by the humorless grant institutions of America

Were Bugtraq irresponsible? (4, Insightful)

psyconaut (228947) | more than 11 years ago | (#4707454)

No. Not in the slightest. Sometimes you have to go to great lengths to get vendors to fix crummy code -- and I have no doubt that simply "reporting the bug" to MS would have resulted in a wait until a maintenance release was issued.

I'd even go as far to commend Bugtraq....it takes balls to do something like that and it *does* benefit the whole community eventually.

-psy

Re:Were Bugtraq irresponsible? (2, Insightful)

Columbo (111563) | more than 11 years ago | (#4707524)

Nonsense. It's like giving out a key to someone's house. You wouldn't want that, would you? I think they were quite irresponsible in this instance. There are other ways of raising attention to an issue and thereby prodding Microsoft to take action not the least of which is simply submitting the bug first. There's no need to expose the Internet community to script kiddies that will want to use this script because they think they're l337. I'm not saying they didn't submit the bug first -- they might very well have done so -- but I just feel that a more carefully considered course of action would have been appropriate.

Re:Were Bugtraq irresponsible? (2)

Jobe_br (27348) | more than 11 years ago | (#4707615)

They did in fact present the information to Microsoft and after a number of email exchanges, Microsoft apparently indicated that it didn't feel it was a significant security risk.

Sooooo ... does that make it any better/worse that working code was submitted? Dunno .. but, the fact that the code was already found in the wild indicates to me that Microsoft needed to get on top of this - if the only way they would do that is to have a fire lit under their rear-end, then that's what needed to be done.

Just my $0.02. Cheers.

irresponsible? (1, Redundant)

geekjive (458696) | more than 11 years ago | (#4707455)

the irresponsibility lies with the company who released IE - with huge holes. once the holes are found, it is then their job to release patches, no?

ok, ok, it's redundant, but someone had to say it again.

Re:irresponsible? (2)

kisrael (134664) | more than 11 years ago | (#4707488)

the irresponsibility lies with the company who released IE - with huge holes. once the holes are found, it is then their job to release patches, no?

It's interesting how the later Windows OSes, XP etc, are a hell of a lot better at encouraging and allowing frequent patch upgrades. In a case like that, it's probably a very good thing, but I think a lot of the slashdot crowd might have privacy issues with it.

Re:irresponsible? (1)

HP LoveJet (8592) | more than 11 years ago | (#4707539)

Agreed. But my sympathy for those affected by the exploit is limited as well. It's not like users, enterprises, and resellers haven't had viable alternatives to closed-source OSes (in the form of Linux and BSD) for years.

Re:irresponsible? (1)

geekjive (458696) | more than 11 years ago | (#4707585)

ah....agreed! that's why i use mozilla....on my linux box.

Its not new anyway (4, Interesting)

Anonymous Coward | more than 11 years ago | (#4707458)

The article states that the code wasn't new, and was taken from public forums etc. So I don't really think that this is irresponsible..

Thanks (4, Funny)

DigitalDragon (194314) | more than 11 years ago | (#4707459)

Thanks for not posting a link to that page.

well.. (3, Funny)

Sacarino (619753) | more than 11 years ago | (#4707462)

What may be MORE irresponsible is /. posting a link to Wired posting a link to the exploit for all the l33t script kiddies here.

No, wait... there's no script kiddies here. Only hax0rz with K-rad XP boxen.

Active content... (4, Informative)

wowbagger (69688) | more than 11 years ago | (#4707463)

I cannot help but notice that in almost all cases, the security problems in both IE and Mozilla have been in the realm of active content - Javascript, Flash, and ActiveX.

Hence why I as a matter of course disable them.

How about encouraging webmasters and web designers to avoid requiring them unless absolutely necessary?

Re:Active content... (5, Insightful)

psocccer (105399) | more than 11 years ago | (#4707612)

It's not that simple I think. True that active content is overused, but it can really be helpful when you don't want to roundtrip to the server just to calc some numbers, and twiddling settings is annoying for the user, if they choose to turn it off and on. It would be better if the thing was secure. The problem IE has in particular is they try to "zone" things: local zone, trusted zone, internet zone, secure zone, etc. They do this so that you can have stuff in the local zone execute programs or virtually do anything on the system. And that's the problem: by trying to make javascript into a generic scripting language, they've opened up the local zone to anyone that can break through the zone barrier.

Most exploits involve one javascript generating a second window which comes into the local zone and posting content to that, though I think that's somewhat patched now, they can also use ActiveX controls to screw you. There is obviously something flawed with the model, and had they just made javascript a web only scripting language like it was designed, none of this would have happened.

Shooting the messenger .. (3, Insightful)

zyklone (8959) | more than 11 years ago | (#4707465)

Ok, so they acknowledge that microsoft has known about the problem since November. But the messenger is still the one that should be shot. And not microsoft since they are "investigating the issue".

The article is just stupid ...

Since which November? (2)

CrystalFalcon (233559) | more than 11 years ago | (#4707505)

"Since November"? Today is November 19. The statement "since November" does not give any information, except that MS was informed at most 18 days ago.

Re:Shooting the messenger .. (1, Redundant)

tshak (173364) | more than 11 years ago | (#4707573)

As already posted, "Since November"? At best that's 19 days. At worst it's today. Either way, when you care about testing (vendors don't release untested patches) you need at least a couple of weeks of time AFTER you've already coded a fix.

A link to a working exploit (0, Funny)

Anonymous Coward | more than 11 years ago | (#4707469)

here [goatse.cx]

If you think that is an annoying bug, try this: (2, Funny)

viper21 (16860) | more than 11 years ago | (#4707471)

http://www.onid.orst.edu/~boyechky/open.html [orst.edu]

I would rather have my hard drive formatted. -S

Re:If you think that is an annoying bug, try this: (1)

^Case^ (135042) | more than 11 years ago | (#4707528)

You would rather have your harddrive formatted than seeing a 404?

Re:If you think that is an annoying bug, try this: (2)

zaren (204877) | more than 11 years ago | (#4707550)

Not Found

The requested URL /~boyechky/open.html was not found on this server.

--

So what was it supposed to do, anyway?

Re:If you think that is an annoying bug, try this: (1)

T-Bear (31340) | more than 11 years ago | (#4707566)

ohh..it basically spams the hell out of your computer's browser.

Extremely Responsible (2, Interesting)

davidmcn (606752) | more than 11 years ago | (#4707474)

Had BugTraq not posted this code then what proof would they have to take to Micro$oft. After all, the people that want to utilize that code are going to be able to find it anyway. In my opinion this merely makes Micro$oft responsible for their product and hopefully will lead to the quicker introduction of a patch. Or, God forbid, it could entice people to use a different web browser.

Re:Extremely Responsible (1)

Columbo (111563) | more than 11 years ago | (#4707583)

What proof will they have? How about they just take the code to Microsoft? Why give it out to everyone? While this code may be used by a few to ensure that they aren't vulnerable, there will also be those kiddies out there who have malicious intent. Granted, the code could be found elsewhere, but why give it such a prominent location on the web? I hope it does prompt a quicker patch, but I believe that this goal could have been accomplished in a more responsible manner.

More fuel for... (1)

munition (212134) | more than 11 years ago | (#4707477)

[sarcasm]..script kiddies! These 3733t haX0rz need Bugtraq to tell them how to do things, step by step.[/sarcasm]

Of course, if Microsoft was really worried about "Secured Computing" and not "Secured Profits" things like this would never happen.

what is the stink about it.... (5, Insightful)

f00zbll (526151) | more than 11 years ago | (#4707478)

If people think script kiddies didn't already have the code or grabbed the exploit off some IRC server, they are sadly mistaken. People who bitch about full disclosure would like to live in a nice little world where there's no hackers, but get real. I grew up around hackers. Some were brilliant and were coding in assembly at 10, others were lamers wannabe hackers. Even before the Internet these types of things were widely distributed within the modem Bulletin boards. Anyone who was active in the Bulletin Board era knows the most active category was always virii.

Those who think, "We should give MS a couple months to find an appropriate patch" are sadly misguided. Do you think a script kiddie or hacker is going to wait? Do you think they're going to say "Oh, I shouldn't do this because microsoft is a big company." Wake up people, the only way a company is going to put their top programmers on the job to fix the bug is when the threat moves from "possible" to "real". As much as I wish companies took exploits more seriously, the reality is they don't until it is perceived as a "real immediate threat."

Re:what is the stink about it.... (0)

Anonymous Coward | more than 11 years ago | (#4707598)

You have to admit, since /. posted a story about it the knowledge of this has skyrocketed.

They do call it the slashdot effect for a reason, you know? Sites only get slashdotted because everyone and his brother goes to take a peek at what the fuss is about.

Re:what is the stink about it.... (0, Offtopic)

f00zbll (526151) | more than 11 years ago | (#4707619)

just noticed all my typos. good thing I don't proof read until it's too late :P

Moot point (2, Insightful)

odoitau (182387) | more than 11 years ago | (#4707480)

I think BugTraq was irresponsible posting working code for the exploit, but I also think the point is academic.

After all, if some script-kiddie wanted to exploit this, they'd just find the working code somewhere else.

great attitude to take (2)

theRhinoceros (201323) | more than 11 years ago | (#4707484)

"The new information enabled me to add to some rudimentary precautions I'd taken previously based on earlier information," said Gary Flynn, a security engineer at James Madison University. "But, of course, it also made it easier for others to take advantage of the situation."

That's very nice for the well informed, but unfortunately,

{people who take rudimentary precautions} is tons smaller than {people who have no idea, and who might get hacked}

I don't see how having the code broadcast to the entire world so that people could make very basic (but non-default) IE settings changes was worth the trade-off of having all the people who don't know enough to take these precautions (read everybody who doesn't follow bug or exploit lists) potentially get hacked.

Irresponsible? (2, Insightful)

danheskett (178529) | more than 11 years ago | (#4707487)

Yes. This was irresponsible. But so what.

1. IE is a P.O.S.
2. MS has no intention of really fixing the problem. The flaws are design based - not just simply implementation.
3. MS must be given incentive to fix this problem with a complete rewrite.
4. This is good incentive.

Seems straightforward to me. BugTraq probably would have been nice to withhold for a bit, but it's not like they should be *required* to not publish it.

Slashdotted Already - Article Text (5, Informative)

Anonymous Coward | more than 11 years ago | (#4707489)

Posting as Anon since I don't need the Karma:

----------

Serious Internet Explorer Defect

This is a developing issue and the information presented here is preliminary in nature and subject to frequent changes. Last significant update - 11/08/02-1830

SUMMARY

A simple way to exploit an unfixed defect in Internet Explorer has been discovered that allows malicious web sites, and possibly malicious email messages read with Outlook or Outlook Express, to take control of a computer. All you would need to do is click a web link and the owner of the web site could take almost any action they desired on your computer.

Simple, working exploit software was recently published to a public mailing list.

There is no patch to fix the problem. Anti-virus and personal firewall software will not prevent an exploit. It is hoped that Microsoft will provide a patch to fix this defect in the near future.

It is impossible to predict how, when, or even if someone will take advantage of this but due to the ease with which bad things can be accomplished it was decided to post an announcement. Nothing at all may happen. Or someone could write a virus or put up a malicious web site to take advantage of the situation at any time. The last time a defect exploit with similar characteristics was published, it was quickly incorporated into many email viruses making it unnecessary to click an attachment to get infected.

The following practices are recommended for users of Internet Explorer, Outlook, and Outlook Express until more information becomes available:

1. Users of Outlook and Outlook Express should perform the following simple, unobtrusive procedure to disable scripts from executing in email messages:

Click the Tools menu item and select Options

Click the Security tab

In Outlook Express, make sure the Virus Protection security zone is set to Restricted site zone as shown in the window below:

In Outlook, make sure the Secure Content Zone is set to Restricted Sites as shown in the window below:

These are the default settings for Outlook 2002 and Outlook Express 6. Users of earlier versions should change the setting to Restricted.

2. Indiscriminate browsing of untrusted or questionable web sites should be avoided or scripting should be disabled as described in the additional security measures below. Note that hyper links sometimes appear in email or instant messages. If these messages are from malicious individuals, they could lead you to a malicious web site.

3. Indiscriminate clicking of hyper links in unexpected or suspect email messages, instant messages, and peer sharing resources should be avoided or scripting should be disabled in Internet Explorer as described in the additional security measures below.

ADDITIONAL SECURITY MEASURES AND INFORMATION

There is only one technical defense against an exploit at the present time and that is to disable scripting in Internet Explorer, Outlook, and Outlook Express. Instructions for disabling scripting in the mail clients were included in the recommendations above and should have little or no effect on day to day use.

Unfortunately, disabling scripting in Internet Explorer will adversely affect the operation of many web sites including E-campus and the Windows Update Site. There is, however, a way to specify trusted web sites that are allowed to use scripting and disable it for all others. Users desiring to decrease risk may follow the instructions at the following web site under the section titled "Optional Internet Explorer Security Measures":

http://www.jmu.edu/computing/info-security/engineering/issues/ie.shtml#opt

Risk associated with this exploit and most others can be somewhat reduced by using a non-Administrative Windows account when browsing the web, reading email, and other day to day computer use.

The defect has been verified in Internet Explorer 5.5 and 6 SP1 running on Windows 98 and XP SP1 respectively. It is likely all varieties of 5.5 and 6 are vulnerable. A quick attempt on a Windows 95 computer running IE 5.0 was unsuccessful but not enough research was done to know why.

A possible symptom of an exploit is a Window similar to the one below suddenly appearing on your screen after clicking a hyperlink or opening an email message. The exact appearance of the Window may vary depending upon the version of Internet Explorer and operating system. Note that this window will appear if you click Help and under that circumstance the window appearance is not an indication of an exploit. If you are affiliated with James Madison University and see this window unexpectedly appear after clicking a web hyperlink or reading an email message, please contact Gary Flynn at x82364 ASAP. People affiliated with James Madison University can find my home number in the local directory and are encouraged to call me at home if such an event takes place after normal working hours.
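The zone-based mitigation in the advisory quoted above (scripting off for the Internet and Restricted sites zones, on only for trusted sites) can be audited from a registry export. This is an added example, not part of the original post or the JMU advisory; it assumes the standard Internet Explorer zone layout under `Internet Settings\Zones` (2 = Trusted sites, 3 = Internet, 4 = Restricted sites) and URL action `1400` (Active scripting: 0 enable, 1 prompt, 3 disable), and the sample export is constructed.

```python
import re

# IE security zones are numbered subkeys of ...\Internet Settings\Zones.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
ACTIVE_SCRIPTING = "1400"          # URL action: Active scripting
POLICY = {0: "enable", 1: "prompt", 3: "disable"}
DISABLE = 3
MUST_DISABLE = (3, 4)              # zones the advisory wants script-free

# Constructed sample in .reg text form. A real regedit version 5 export
# is UTF-16 on disk, so read it with open(path, encoding="utf-16").
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"DisplayName"="Trusted sites"
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"1400"=dword:00000003
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
ZONE_KEY_RE = re.compile(r'\\Internet Settings\\Zones\\(\d+)$', re.IGNORECASE)


def parse_zone_scripting(reg_text):
    """Return {zone_number: Active scripting value} found in the export."""
    result = {}
    zone = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            # Track which zone subkey the following values belong to.
            hit = ZONE_KEY_RE.search(key.group("key"))
            zone = int(hit.group(1)) if hit else None
            continue
        value = DWORD_RE.match(line)
        if value and zone is not None and value.group("name") == ACTIVE_SCRIPTING:
            result[zone] = int(value.group("val"), 16)
    return result


def audit(reg_text):
    """Return [(zone, state)] for zones where scripting is not disabled.

    state is "enable", "prompt", a hex string for an unrecognised value,
    or "unknown" when the export carries no value for that zone.
    """
    settings = parse_zone_scripting(reg_text)
    findings = []
    for zone in MUST_DISABLE:
        value = settings.get(zone)
        if value is None:
            findings.append((zone, "unknown"))
        elif value != DISABLE:
            findings.append((zone, POLICY.get(value, hex(value))))
    return findings


if __name__ == "__main__":
    for zone, state in audit(SAMPLE_EXPORT):
        print(f"{ZONES[zone]} zone: Active scripting is '{state}', expected 'disable'")
```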

not irresponsible (1)

SirSlud (67381) | more than 11 years ago | (#4707490)

I mean, cmon whats the likelihood tha - C:\>FORMAT C:\ *bbbzzzzzzzt*

oh crap.

Mozilla needs to catch up (1)

revery (456516) | more than 11 years ago | (#4707491)

<sarcasm>
Who would have thought Microsoft would provide such low level functionality in their browser?
Mozilla probably won't let you format a hard drive.
Just one more shining example of the superiority of closed source....
</sarcasm>

huge hole... (0, Funny)

mr_gerbik (122036) | more than 11 years ago | (#4707493)

The only huge hole I've seen in IE is at goatse.cx...

-gerbik

Any kind of bugtraq mailing list (2, Insightful)

RomikQ (575227) | more than 11 years ago | (#4707494)

is insecure.

Only people who need that information should be allowed to it. That's why only something like bugzilla really works well with a product that is likely to be subject to exploits - only the people who are developers of the relevant piece of code are admitted into the security exploits section.

If that kind of info is posted openly on the web, I fail to see the difference between that and stupid pages that always post activex exploits thinking they're cool hax0rs. Cool hax0rs don't post exploits, they fix them.

Re:Any kind of bugtraq mailing list (2, Insightful)

schon (31600) | more than 11 years ago | (#4707627)

Only people who need that information should be allowed to it.

How do you determine need?

If I use the software, I need the information, so I can protect myself. With that in mind, everybody potentially needs the information.

Read the article. The information in question was already available in black-hat circles, and was actively being used in the wild. Do you believe that the white hats shouldn't be on level footing?

The information was already out there (2)

loggia (309962) | more than 11 years ago | (#4707497)

The information was already out there.

Would you rather let the "bad guys" have it and not know about it?

The argument against suppressing such information just never holds up, because it is the public dissemination of such information that cajoles companies such as Microsoft to publish security fixes.

Even so, Microsoft is still too slow to address security flaws and does an exceedingly poor job of communicating them to the public.

Know the code, avoid the code? (4, Insightful)

Anonymous Custard (587661) | more than 11 years ago | (#4707502)

If I don't know what the malicious code is, how am I supposed to avoid it?

Informed security is way better than uninformed security.

Anyone who wants to use this exploit will find out how. The exploit-users already know how to use it and will tell their friends, so we may as well know also.

Opera (1)

kannibal_klown (531544) | more than 11 years ago | (#4707515)

Yet another reason to switch to Opera.

I started using Opera 6.05 a few weeks ago, and am quite pleased with the speed and features. Sure, in like the thousands of web-pages I've surfed, there were like 2 that I couldn't browse, but that's no problem.

If you are looking into Opera, I suggest waiting until version 7 comes out (should be soon). The beta for version 7 looks awesome, but it's still pretty buggy. It also comes with an email client that's supposedly pretty good too.

Proposition, new topic: Windows Bugs (5, Interesting)

pheph (234655) | more than 11 years ago | (#4707516)

Wouldn't it be great to separate Microsoft Bugs from, well, the rest of them? I'm sure some people, especially those on slashdot would choose to see the "Microsoft Bugs" topic on the front page based on if they:

a.) Run Microsoft exclusively (only want to see Microsoft bugs)
b.) Run Microsoft exclusively (don't want to see Microsoft bugs)
c.) Want to find any reason to bash Microsoft... (only want to see Microsoft bugs)
d.) Don't run Microsoft at all (don't care about Microsoft bugs)

poo (-1)

cmdr_shithead (527909) | more than 11 years ago | (#4707517)

dog

One thing to consider.... (1)

GeckoFood (585211) | more than 11 years ago | (#4707521)

Now, this may sound on the surface like an M$ slam, however that is not my intention here (as much as I dislike that company).

M$ has shown, in the past, that it is very unresponsive at times to reported security vulnerabilities. Sure, the proper thing to do would be to send the vulnerability details to M$ and have them fix it. The problem is that M$ sometimes sweeps such stuff under the rug: "Oh, no one else knows, so we can put this one off." By posting the code, it is quite possible that M$ will be forced to deal with the issue now. I don't agree with the method taken here, but considering M$'s track record on this, this may be the only way to get it taken care of quickly.

responsibility (1)

k3v0 (592611) | more than 11 years ago | (#4707523)

i think the ultimate entity responsible is the company that makes the flawed program. If there is no bug, there is no code exploiting the bug on a website. the bug exists and can be exploited, whether the code is posted or not.

Was it irresponsible? (1, Insightful)

Anonymous Coward | more than 11 years ago | (#4707530)

I'd say it's really no better or worse than, say, Slashdot posting links to warez [slashdot.org].

This is OT (alternative browsers) (1)

bigberk (547360) | more than 11 years ago | (#4707532)

I usually try not to sound insulting, but come on... if you're still using Internet Explorer then you are honestly being stupid.

Try Mozilla [mozilla.org] or one of its derivatives, my favourite is Phoenix [mozilla.org]. Another fine piece of software, independent of both IE and Mozilla, is Opera [opera.com].

I am NOT surprised. (2, Redundant)

Noryungi (70322) | more than 11 years ago | (#4707533)

I know some people will probably moderate me down for this, but I don't care.

Like the title says: I am not surprised. Microsoft probably has the poorest security track record of any software publisher out there.

Maybe Bugtraq has not been very serious in its handling of this security hole, but, honestly using Microsoft operating systems or applications without a ton of additional security software (antivirus, firewalls, etc) is asking for trouble.

In my opinion, Bugtraq is not responsible: Microsoft is. If you use Microsoft products, do as I do: do not use IE (I use Opera or Mozilla), do not allow any application to have access to the Internet without authorization (I use Zone Alarm), do not use Outlook for email (I use Pegasus Mail) and install and update an antivirus program religiously (I actually use two).

Two, out of my 4 personal machines at my home, use either Linux or OpenBSD. One is a Windows 98 machine. The last is being rebuilt and will become a NetBSD workstation. And there is a reason for it: Microsoft security (or rather lack of).

Now, flame all you want. =)

Easy (4, Insightful)

4of12 (97621) | more than 11 years ago | (#4707538)


  • It's responsible to warn users immediately that a vulnerability exists and to sketch out broadly what kind of vulnerability it is and how to recognize it.
  • It's irresponsible to post a working exploit prior to notifying the code maintainer of the existence of the problem.
  • At some point it becomes necessary and convenient for vulnerable users to have a tool they can use to test for the vulnerability and to see if they can protect themselves from the exploit. They should have the tool in a relatively short time frame, comparable to the same timeframe that crackers make tools from the exploit.

Too many companies (software vendors, security consultants) are financially vested in how bad the security blackeye looks in the marketplace and it colors their policies regarding security notification.

As far as I'm concerned, the interests of the software users should be the primary concern.

Bugtraq, not bugtrack, and other squibbling. (5, Interesting)

signine (92535) | more than 11 years ago | (#4707541)

BugTraq is a mailing list dedicated to full disclosure. Before I get modded down for being redundant, let me explain how/why this is relevant. In a list dedicated to full disclosure, it becomes up to the person who drafts the advisory to be responsible for its content. Many companies believe that vendor notification before releases is standard procedure, and yet there are others (ISS) who seem to believe that having one non-vulnerable version (bind 9) means that they can release an advisory that affects other versions that currently have no patches (bind 8, 4).

On the other hand, there are "independents" such as GOBBLES and other security goons who believe that posting the advisory with full exploit code the second they discover it is a good idea. I'm not going to disagree with that, because without such wake-up calls, many people would never update their systems, remaining vulnerable for days/months/years. It's pretty ridiculous how many people do.

It's not really up to BugTraq to decide which is the better course of action, it's up to the analysts and the community. If the community chooses to ostracize a member for using such tactics, they can do so. I'm sure that a commercial security vendor would encounter exactly that for releasing an advisory with exploit code and no vendor notification.

Though, in all fairness, most people have known about this IE exploit for months, and I can be reasonably sure that among "most people" "Microsoft" is included. Microsoft doesn't exactly have the world's best track record working with people to resolve security issues, or even releasing timely patches.

In short, BugTraq good, security good, black hats bad.

It's a thorny issue (2, Interesting)

Dr Thrustgood (625498) | more than 11 years ago | (#4707542)

Certainly, making sure someone is aware of an issue with their software should be paramount before telling others. Alas, big corporations often just don't care, which is a disgrace.

However, whilst there's something to be said for fighting such companies, I fail to see why it should be at the user's expense.

Lots of people use windows. Some like it. Some hate it. Some, like me, have very little choice in the matter - finding a job elsewhere is simply not a realistic option. Now, why should I be punished over a vendetta?

Take a look at the PHP exploits released a few months ago. You were talking total server compromise. Were there any exploits? Certainly, but you would have a damn hard time actually finding them.

Right now, alas, there's a chance that my machine will be erased, losing work that hasn't been backed up because that's what I've done in the mere last few hours.

Think of the users. Please.

Bah.. not Irresponsible. (0)

Anonymous Coward | more than 11 years ago | (#4707548)

What's irresponsible is that MS missed a glaring hole like this in their browser. Does MS even have a QA department? I didn't think so. I fully support someone posting exploit code. All it does is give more reason for people to move to Mozilla and hate IE even more.

Would've happened eventually (3, Informative)

psocccer (105399) | more than 11 years ago | (#4707551)

Basically this is the same as another exploit posted to the list earlier, but with a new command. And for that matter, jelmer has been posting a new IE local zone exploit like every week... Any of them could have been used to make something like this, it's just no one has tried to do a format. True the jelmer posts didn't include the "run a program with arguments" thing that was posted this week, but they did show how to read/write arbitrary files and execute them. So batch file somewhere and here comes a HD format.

So the only reason we haven't seen this I think is because like always, virus creators want their program to spread, and the quickest way to stop the spread is to kill your host, so instead we get mass mailers, trojans, etc. It was going to happen eventually.

Maybe this will educate my office (2)

Limburgher (523006) | more than 11 years ago | (#4707553)

Maybe now they'll stop A. forcing us to use IE and B. giving us Root XP userIDs. I keep kvetching about this but maybe a major hole like this will get their attention. . .

Typical Micro$oft... (2)

pdboddy (620164) | more than 11 years ago | (#4707554)

I don't think it was irresponsible for the bug to be posted and described in the manner it was. The more clues you give out, the more likely someone will figure it out, and exploit it. It's not like they were writing a proggy for the scriptkiddies.

Better to be out with the whole thing, and put pressure on MicroSoft to fix it, than to be cryptic about it.

Another day, another mack-truck sized hole in an MS product. People sound surprised by this... =P

irresponsible? (1)

hpavc (129350) | more than 11 years ago | (#4707555)

i think it's hardly irresponsible, i consider it merely posting the redistributable fix to the problem along with the notice that it exists.

C++ (0)

Anonymous Coward | more than 11 years ago | (#4707556)

My C++ documentation also has code that shows how to format disks. Are THEY irresponsible too? ....the blame should be put where it belongs.....

dan.

But what if... (0)

Anonymous Coward | more than 11 years ago | (#4707558)

Imagine how quick that would wipe on a Beowulf cluster running wine - like er wipeeeee

If you still use IE... (2, Insightful)

caldroun (52920) | more than 11 years ago | (#4707560)

...you are the one irresponsible.

Either way... (2, Interesting)

tyrelb (619467) | more than 11 years ago | (#4707567)

people who want to do malicious things to your computer will find a way, whether or not the exact code is posted to popular web sites. Software companies have the responsibility to publish fixes to bugs, especially in a timely fashion. Microsoft tends to delay patches to their programs.

Accusing bug reporters?! (1, Insightful)

Anonymous Coward | more than 11 years ago | (#4707569)

It has been proven time and time again that MS does not care about fixing their bugs or securing their users. Their only concern is furthering their illegal monopoly position by abusing the political system of america.

That leaves us with each other as our ONLY protection. Personally, I WANT to know if users in my network are able to accidentally destroy their computers, and I NEED to know how the problem occurs so I can help avoid it. As I already stated, if we cannot help each other get past the problems, then malicious programmers will have already won, that's just the MS world. Trusted computing is between users, not with the vendor in these dark times.

Old exploit (1)

zenst (558964) | more than 11 years ago | (#4707570)

this exploit has been around for over a year now. I consider any highlighting to the masses as responsible given the amount of people who know about it already.

Yes it's irresponsible... (1, Troll)

RocketScientist (15198) | more than 11 years ago | (#4707577)

but...(you knew the "but" was coming, right?)

Is it really any more irresponsible than running IE in the first place? How many more of these browser exploits have to happen? A part of me almost hopes someone does exploit this and do nasty things with it JUST SO PEOPLE WON'T BE DEPENDENT ON IE ANYMORE. Friends don't let friends use Internet Explorer.

I think the word needs to be spread: Anyone who uses IE isn't an innocent bystander, but someone who knowingly uses a defective and dangerous product. IE Users are no better than people who own Ford Explorers and kept the old Firestones because they don't want to go through the trouble to get them changed.

So, all you other geeks out there, when you're visiting family over the upcoming holidays and they inevitably ask you to fix something on their computer, install Mozilla (or Opera, or even Netscape) and set it as the default browser. When they ask why, tell them it's because IE is a dangerous and defective product.

This isn't a bug. (0)

Kr1ll1n (579971) | more than 11 years ago | (#4707581)

It's the new Windows Update service. What better way to secure your box than with the latest patch that removes the biggest working hole on the system....Windows!

This Linux's big chance! (5, Funny)

jvmatthe (116058) | more than 11 years ago | (#4707584)

"Showing people how to automatically format hard disks from a Web page isn't 'full disclosure,'" Smith said. "It is malicious code writing."

Now all we need is a way to embed an ISO image of a Linux system into the web page and use the same exploit to install an alternative operating system. Just think of the banner ads! "Click here to Install Linux!" and "Get That Windows Monkey Off Your Back! Hit the Monkey to Try!" and "Eliminate Windows Instabilities Forever. Click Now!". Then it won't be malicious. It'll be setting all those people FREE! ;^D

NOT (2, Interesting)

fygment (444210) | more than 11 years ago | (#4707588)

Malicious code is out there for the taking from any number of sources. It's not a case of finding and identifying malicious code anymore. It's about letting the most people know about it. If they erred it was by not spreading the word broadly enough.

Question (3, Interesting)

ChuckMaster (595275) | more than 11 years ago | (#4707591)

Since outlook express formats html code that is sent automatically, and I assume uses the same engine explorer does, could it be possible to send a spam email that will re-format the hard drives on all IE windows systems? scary.

This EXACT sort of thing.... (3, Interesting)

Conspiracy_Of_Doves (236787) | more than 11 years ago | (#4707599)

is why on my computer, IE doesn't even have permission to get through ZoneAlarm [zonelabs.com]

Hypothetical (2, Interesting)

dallask (320655) | more than 11 years ago | (#4707602)

Just imagine what would happen if someone combined this hack with the blackops IP techniques discussed in prev /. article... could someone effectively wipe ALL the drives and servers running windows on the net?... do you think people would come down on MS then???

I think, that if this is left unpatched, then those in the hacker community almost have a responsibility to fully exploit this... just to force a patch to be released... reformating 2^32 computer systems would get their attention, even if congress can't.

Forget Madonna (2)

Alcimedes (398213) | more than 11 years ago | (#4707603)

They need to hire on Britney. "Oops, I Did It Again"

seems like the fun just never stops in MS land.

Easy Solution (1, Interesting)

Apreche (239272) | more than 11 years ago | (#4707623)

For a minute I was worried that google searching wouldn't be safe anymore because there was a real threat of something erasing my hard drive. Then I realized, hey, it's an IE security hole, I can still run Moz in Win and wait until a fix.