
Web Site Attacks Against Unpatched IE Flaw Spike

Posted by Zonk
from the not-a-good-spike dept.
An anonymous reader wrote to mention a Washingtonpost.com article about an increase in attacks against IE users via a critical, unpatched flaw. The bug allows software to be downloaded to the vulnerable PC even if the only act the user takes is browsing to a web site. From the article: "[A] password-stealing program landed on the Windows PC belonging to Reaz Chowdhury, a programmer for Oracle Corp. who works out of his home in Orlando, Fla. Chowdhury said he's not sure which site he browsed in the past 24 hours that hijacked his browser, but he confirmed that the attackers had logged the user name and password for his company's virtual private network (VPN)."
This discussion has been archived. No new comments can be posted.

  • by gerbalblaste (882682) on Monday March 27, 2006 @02:31PM (#15004441) Journal
    Use Firefox

    • Also, being that it is now 2006, maybe we should stop using usernames and passwords for authentication or at least exclusively using them.

      The best I have seen passwords work is at Bank of America's online banking.

      I don't know the details, but I'm guessing it stores a cookie on your machine if you tell them it's your normal computer. If that cookie is not found, then the site will show you a picture and a user defined caption for the picture to prove that the bank is my bank. It then asks me one of 3 or so
  • by spaztik (917859) on Monday March 27, 2006 @02:33PM (#15004459)
    Download here:
    http://www.mozilla.com/firefox/ [mozilla.com]
  • by RunFatBoy.net (960072) on Monday March 27, 2006 @02:33PM (#15004461)
    I understand that there will be bugs. BIG gaping security holes will happen.

    I worked at an air force base and they were definitely standardized on IE. Knowing about these bugs and electing _not_ to fix them expediently, couldn't this be considered a threat to national security?

    If there are over 160 million+ computers in the US alone, and 90% of those PC's use Internet Explorer, how can the US Gov. not justify action in insisting these issues be resolved promptly?

    Jim http://www.runfatboy.net/ [runfatboy.net] -- Exercise for Web 2.0
    • by teshuvah (831969) on Monday March 27, 2006 @02:43PM (#15004547)
      I work on an air force base, and not only is IE the standard, but Firefox is on the list of unapproved apps, so if you're caught using it via the monthly scans, you're forced to uninstall it.
      • I work on an air force base, and not only is IE the standard, but Firefox is on the list of unapproved apps, so if you're caught using it via the monthly scans, you're forced to uninstall it.

        Cute. The government appears to be pretty stupid about security. Let's subpoena Google and let them spy on the people for us, yet the DOE and other government agencies typically get Ds or Fs when it comes to security. Proof that they are confused:

        http://niap.nist.gov/cc-scheme/vpl/vpl_type.html#o perati [nist.gov]
      • I work on an air force base, and not only is IE the standard, but Firefox is on the list of unapproved apps, so if you're caught using it via the monthly scans, you're forced to uninstall it.

        So... when exactly do these scans take place? And can a job be scheduled to uninstall/reinstall automatically?

        Better yet: if you just copy Portable Firefox to the hard drive, or even run it from a CD / USB drive, does it still get detected?

        The big issue, of course, is why you're forced to use insecure software, but you
      • by hughk (248126)
        In an organisation, I can understand the need for 'approved' applications. However, one of the more enlightened banks that I worked at had Opera and Firefox available, officially to support alternate browsers for customer access. Unofficially many IT staff installed alternative browsers and it meant that there was no monoculture thus reducing the bank's vulnerability.
    • Knowing about these bugs and electing _not_ to fix them expediently, couldn't this be considered a threat to national security?

      Sure. But like our Commander in Chief said recently with respect to the ports management fuss, we have to balance the interests of national security with those of commerce. Achieving a similar balance with individual rights and freedoms, on the other hand, I guess is out of the question.

      The moral of the story is that if you're a big company or a monopoly, your interests count. Unl
    • by jmorris42 (1458) *
      > If there are over 160 million+ computers in the US alone, and 90% of those PC's use
      > Internet Explorer, how can the US Gov. not justify action in insisting these issues
      > be resolved promptly?

      No, how about secure sites take responsibility for their own incompetence. Both Windows and IE are licensed (and on large sites it really is a license and not a sale) on a general disclaimer of all warranties for suitability to purpose, security, etc. Add in a decade long record of having more remote exploit
    • by sedyn (880034) on Monday March 27, 2006 @03:16PM (#15004816)
      I view software as a contract. In open source, if you view code and find problems then you should try to have the "contract" updated. If you do not find problems on a pre-emptive basis yet they exist then you are SOL. Think that is unfair to non-programmers? If I signed a large/vital contract without a lawyer's assistance and got screwed, would I get much sympathy, let alone any legal recourse (would I even get legal recourse if I had a lawyer)?

      This means that in closed source, the developers are the "lawyers" who proof-read the "contract". Though, agreeing to a secret contract may not be the best idea (not like I've read the Linux/BSD/* source), but that is another issue.

      This means that we have to trust the developer's judgement. In this case, we have to trust that the developers will fix it as soon as possible. If that is legislated then rushing may occur to meet deadlines, possibly leading to more bugs.

      I think we should hold companies responsible for errors, where a EULA cannot absolve them from the responsibility to provide the services that they promised at the time of purchase, let alone any loss/theft of data. If managers had to factor in "cost of bugs" then I suspect developers would be given more time/resources to fix problems.
    • I have no objection to the Government criminalizing the withholding of a patch for a security flaw, where that flaw could endanger national security OR could cause significant economic harm (over the country, not just for some individual). This would require a fix to exist, but be knowingly or deliberately not released (eg: to "encourage" people to update to Vista, once it is available). I can't see any sane objection to such legislation, since if the code already exists, there is no further cost in producin
  • by jellomizer (103300) * on Monday March 27, 2006 @02:36PM (#15004485)
    My Rule of thumb is whenever possible choose and use the #2 or #3 popular software. The #2 and #3 have enough features to be useful but gets less attention than #1. Use Linux or OS X instead of Windows, Choose Opera, Firefox, Safari over IE. No it is not a fixed in stone rule but I find it helps me out more than it hinders me.
    • Not really (Score:3, Informative)

      by WindBourne (631190)
      You are making the assumption that attacks come after the most popular software. If you read the interviews with the coders (not the SKs that will grab, slightly mod, and release them), you will find that they rarely go after code due to popularity. They go after code because it is so simple to do so. Basically, Windows, IE, Outlook, and IIS are just so easy to attack.

      In fact, if MS is successful in creating an OS and set of apps that are more secure than the others, it will mean that Linux, BSD, Mac, and
    • My Rule of thumb is whenever possible choose and use the #2 or #3 popular software.

      Indeed - I do likewise, which is why I choose to run IIS (tm) on all my webservers, having a lower profile than Apache has made it far less likely to be attacked.

      Seriously - whilst there is correlation between popularity of a project & number of attacks, there is no link between popularity and number of vulnerabilities.

      A well written application is a well written application, regardless of popularity (look at openSSH).
    • Reminds me of one of the developers I worked with many years ago. Out of the blue, he announces he is getting married. Nobody was really "tight" with this guy, so this wasn't all that shocking. However, he brought his new bride into the office a couple of weeks later, after the honeymoon. She wasn't all that attractive, to say the least. Anyhow, in casual conversation he takes it upon himself to mention that, "I know she's not the most attractive woman out there, but at least I know other men won't be
  • by zubinjdalal (816389) on Monday March 27, 2006 @02:37PM (#15004497)
    FTA: Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code"...

    Sure I could guess but which ones exactly would those be?
    • I'm guessing Mozilla is at the top of the list ...
    • Sure I could guess but which ones exactly would those be?

      Don't worry dude, you'll know soon enough.
    • Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code"...

      It's so sad. The Internet (well, the WWW) is all ABOUT unfamiliar web sites. That's how we discover and learn. We're not going to know (abstract or specifically) who runs a lot of the websites we visit, and any number of them could be hosting malicious crap, or fantastic insight, or both.

      It shouldn't be like that. People shouldn't have to be afraid of browsin

      • Actually this is no different than real life.

        It's like a restaurant that you've never been to, how do you know that you will not die of food poisoning?

        Luckily for us, restaurants are randomly inspected by health services and get a score around here.

        Maybe it's time for random website inspections to see what kind of crapware/spyware/scripts are on them, sounds like a good place for a firefox plugin.

    • Sure I could guess but which ones exactly would those be?

      dunno, but siteadvisor [siteadvisor.com] gives me a nice green tick in google search for those that are supposedly safe... ooh you're in luck, there's an IE version [siteadvisor.com] as well as a Firefox one... but I wouldn't know if it was actually safe to visit them using IE

    • That's all well and good until you visit a site that has quietly been compromised. The people who compromise web sites for fun generally deface the site in some way. The people who compromise sites for profit or other gain don't generally change the appearance of the site, but instead insert the exploit code among the familiar "safe" pages of information. So one day the page is known safe and familiar and the next it's not. That's part of the problem.

      Microsoft's advice is invalid to that end.
  • by UberOogie (464002) on Monday March 27, 2006 @02:38PM (#15004500)
    *cough*porn*cough*
    • by dotpavan (829804)
      FTFA: "According to a list obtained by Security Fix, hackers have infected at least 200 sites, many of which you would not normally expect to associate with such attacks (i.e., porn and pirated-software vendors). "

      So, it wasn't pr0n. But c'mon, couldn't he check the history and let others know?

    • The article says that the user must have "active scripting" enabled to be infected.

      I'm surprised that a programmer would not have the common sense to disable active scripting for the internet at large, and only enable ActiveX and scripting for Trusted Sites.

      And obviously you don't put porn in trusted sites.

      As much as I hate to defend MS, (MS Word makes me so incredibly angry), but it seems that a lot of problems with IE are really a result of users who don't take the time to secure it in the options. Sure it
      • by hal9000(jr) (316943) on Monday March 27, 2006 @03:19PM (#15004836)
        I'm surprised that a programmer would not have the common sense to disable active scripting for the internet at large, and only enable ActiveX and scripting for Trusted Sites.

        Hrm, don't blame the victim. Sure, you can turn off active scripting (mainly javascript), but do you know how many sites fail to function properly without it and that is only going to get worse with the rush to have more interactivity on the client? Think of all the hype around AJAX.

        Nah, scripting in browsers (javascript, activeX, flash, shockwave, etc) should be properly sandboxed so that they can't access system resources like the file system and execute commands. The problem lies with how IE is developed, not with a user regardless of their knowledge level.
  • Hmm.. I use firefox.

    I have probably made over $1000 in the past year in $35.00 increments just running adaware, hijackthis and spybot for people around town, and then recommending firefox. Probably 10 times that amount for my commercial clients.

    I used to run them on my box all the time, until I put firefox on... now I run them once a month or so - mainly for giggles and a healthy dose of paranoia. Clean.

    When will they learn?
    • Re:*sigh* (Score:2, Informative)

      by Absolut187 (816431)
      I had firefox for a while - not recently - and a lot of sites didn't work properly.

      Also, as a part-time webadmin, I noticed that firefox displays things differently from IE.

      Since over 90% of visitors use IE, I have to design the site for IE.

      So why don't they program firefox to render pages the same way IE does it?
      • Because IE doesn't meet the standards. Firefox isn't perfect, but it's a lot closer than IE.

        The majority of new browsers (NOT browser installations) are heading towards full standards compliance, so it is in fact IE which is the odd one out despite having the largest slice of users. Since developers get pissed at having to design specifically to work around IE's problems, MS is now seeming to make an effort to meet standards with regards to CSS etc.
      • Re:*sigh* (Score:3, Funny)

        by MasterC (70492)
        So why don't they program firefox to render pages the same way IE does it?

        I'm just flabbergasted at the thought that I'm not even sure where to begin on a reply. What you are asking...is basically asking them to...break...firefox. I'm all for demolition and breaking stuff just as much as the next guy but that's usually in the name of progress and I see little "progress" in such a proposal.

        As lame and well-used as it is: what you're proposing is for the firefox developers to jump off a bridge just because
      • Since over 90% of visitors use IE, I have to design the site for IE.

        So why don't they program firefox to render pages the same way IE does it?

        Because IE is displaying them incorrectly and is not standards compliant. Just because Microsoft's calculator application says 2.45+2.45=5 doesn't mean it's correct. The most intelligent thing you could do is write your web pages for Firefox and then have Javascript that munges the IE-specific parts so it displays "correctly" for users using the broken IE browsers.

        • Just because Microsoft's calculator application says 2.45+2.45=5 doesn't mean it's correct

          The sad thing is, I actually had to try that. Says a lot for their reputation, I suppose.
          • Re:*sigh* (Score:5, Informative)

            by BeerCat (685972) on Monday March 27, 2006 @04:11PM (#15005284) Homepage
            Microsoft's Calculator is actually 2 distinct calculators (at least the XP one is)- the order of calculation varies depending on whether you have "Basic" or "Advanced" view:

            4 + 2 * 6 evaluates left to right for the basic view, giving the answer 36. The advanced (scientific) view does it by algebraic hierarchy, so the multiplication is done first, giving 16.

            (FWIW, the OS X calculator does it the algebraic way, but the calculator widget does it the left to right way)
            • Re:*sigh* (Score:4, Interesting)

              by user24 (854467) on Monday March 27, 2006 @04:42PM (#15005557) Homepage
              oh my god. that is just....
              wow.
              you'd think that clicking something under the VIEW menu would, you know, change what you can see. Rather than changing the basic way in which the calculator works.
              I still can't believe this.

              "Hello, Microsoft Support"
              "yeah, I've got a problem with the calculator"
              "ok"
              "yeah, sometimes when I type an equation in, it gives me one answer, but other times it gives me a different answer"
              "oh yes, that's right sir, the calculator gives you different answers depending on which buttons you can see on the screen...."
      • So why don't they program firefox to render pages the same way IE does it?

        To be honest, between all the bugs, quirks, and unexpected behaviour I doubt even Microsoft could program a web browser that renders pages the same as IE does. (Hell, whenever they release a new version, webmasters always seem to complain about it breaking their pages, and IE 7 probably won't be any different - but they have to live with it).
      • If you are having problems rendering pages, you can use the IEtab extension to Firefox. It renders the page by embedding IE into Firefox. See it here http://ietab.mozdev.org/ [mozdev.org]

        As far as "So why don't they program firefox to render pages the same way IE does it?" there are 2 reasons.

        #1) IE sucks at rendering things. (Try the ACID2 test if you don't believe me)
        #2) IE is proprietary, they can't get the source code (legally).
  • In other news... (Score:5, Insightful)

    by zolaris (963926) on Monday March 27, 2006 @02:41PM (#15004533)
    Related, F-Secure posts: "Microsoft has put out a warning on a new, nasty, unpatched vulnerability in Internet Explorer. Proof-of-concept exploits are already out. Disable IE's active scripting or switch to any other browser. Not necessarily Firefox - just any other browser. " It's sad when the solution is "Any other browser".
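The "disable active scripting" mitigation quoted in this thread maps to a per-zone registry setting. The following PowerShell audit is an added example, not code from any poster, F-Secure or Microsoft. It assumes the standard IE zone layout (zone 3 = Internet, URL action 1400 = Active scripting, value 3 = Disable) and that a policy value, when present, takes precedence over the per-user preference; the function names are made up for this example.

```powershell
# Added example: report the Active Scripting setting (URL action 1400) for each
# IE security zone, and offer a function to disable it for the Internet zone.
# Value meanings for URL action 1400: 0 = Enable, 1 = Prompt, 3 = Disable.

$ZoneNames  = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$ValueNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Suffix     = 'Windows\CurrentVersion\Internet Settings\Zones'

# Locations checked, in assumed precedence order: machine policy, user policy,
# then the per-user preference that the Internet Options dialog writes.
$Hives = @(
    "HKLM:\Software\Policies\Microsoft\$Suffix",
    "HKCU:\Software\Policies\Microsoft\$Suffix",
    "HKCU:\Software\Microsoft\$Suffix"
)

function Get-ActiveScriptingSetting {
    # Emits one row per (zone, location) where value 1400 is explicitly set.
    foreach ($zone in 1..4) {
        foreach ($hive in $Hives) {
            $prop = Get-ItemProperty -Path "$hive\$zone" -Name '1400' -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }

            $raw = [int]$prop.'1400'
            $setting = if ($ValueNames.ContainsKey($raw)) { $ValueNames[$raw] } else { 'Unknown' }

            [pscustomobject]@{
                Zone     = $ZoneNames[$zone]
                Location = $hive
                Raw      = $raw
                Setting  = $setting
            }
        }
    }
}

function Disable-InternetZoneActiveScripting {
    # Writes the per-user preference only; a policy value would still win.
    $key = "HKCU:\Software\Microsoft\$Suffix\3"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
}

$rows = @(Get-ActiveScriptingSetting)
$rows | Format-Table -AutoSize

# The first Internet-zone row is the highest-precedence location that has a value.
$effective = $rows | Where-Object { $_.Zone -eq 'Internet' } | Select-Object -First 1

if ($null -eq $effective) {
    Write-Warning 'No explicit Active Scripting value found for the Internet zone.'
} elseif ($effective.Raw -ne 3) {
    Write-Warning "Active Scripting is '$($effective.Setting)' for the Internet zone (set in $($effective.Location))."
} else {
    Write-Output 'Active Scripting is disabled for the Internet zone.'
}

# To apply the mitigation for the current user, uncomment:
# Disable-InternetZoneActiveScripting
```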
  • Here we go again.... (Score:4, Informative)

    by beheaderaswp (549877) * on Monday March 27, 2006 @02:42PM (#15004535)
    Sometimes one wonders how Microsoft maintains its customer base in the face of these kinds of security problems. It's truly scary. And I don't need a refresher in the market forces at work.

    Over on the linux, and alternative browser side, where I live, I see patches coming out very quickly for any kind of exploit.

    Sadly, the patch for the new IE flaw is scheduled for April 11th? This is according to a BBC report here:

    http://news.bbc.co.uk/2/hi/technology/4849904.stm [bbc.co.uk]

    Can't they do better than that? How about an emergency patch, followed by a fully tested one? Just something to knock the vulnerability into non-functional status? Hey, it's fine if the patch is imperfect- I'll beta test to save my banking information. Really.

    I suppose I wouldn't have a problem with Microsoft's monopoly if they actually service me as a customer well enough that they deserved a monopoly position. I like a lot of their software. But these kinds of security issues need to be addressed better and faster.

    Ironically, I pay a lot less for my linux servers and get better responses for both support and patches. That makes a difference to me.
    • Sometimes one wonders how Microsoft maintains its customer base in the face of these kinds of security problems. It's truly scary. And I don't need a refresher in the market forces at work.

      Here's why: nearly every day, when I come into work, I have a request from a user to "enable IE" for them. See, in our office, we've locked down IE (using privoxy) so that it can only go to certain, "approved", sites. Users usually want to use something like MSN Video, which will not run on anything but IE, and, desp

  • by MudButt (853616) on Monday March 27, 2006 @02:42PM (#15004537)
    What's the general opinion? If the majority of casual surfers used Firefox or other alternative, would reverse engineers switch focus to those apps?

    If the goal is to infect the most systems, then by default, you'd avoid Mozilla or Konqueror simply because (at best) you could only hope to control a fraction of machines with active internet connections. Maybe this question has been asked before...
    • What's the general opinion? If the majority of casual surfers used Firefox or other alternative, would reverse engineers switch focus to those apps?

      What makes you think the majority don't focus on alternative browsers now? From what I've seen there are about as many people pounding on Firefox as there are on IE. It's just the people who find things in Firefox usually get them fixed much more quickly. Of course if Firefox gains in market share more people will look for holes, but that does not mean it wi

    • It's not a question of perfect, unexploitable code, it's a question of timeliness to patch the exploit. AFAIK, Firefox, Opera, etc. tend to have turn around times far quicker than MS does for IE. This particular exploit has been out since what, December? And they apparently plan to patch it in April? That's an awfully large gaping window for the script-kiddies to go to town. Also, whenever MS does release a patch, there's a fair chance the patch itself is exploitable or opens another exploit. Besides, why u
    • Many "modern" trojans already support both, IE and FF.
  • by WoTG (610710) on Monday March 27, 2006 @02:43PM (#15004544) Homepage Journal
    Of all the bits of software in Windows, perhaps the IE should be at the top of the list for migrating to .net managed code. It seems to be the most problematic (not necessarily because of code quality, but because it's a big juicy target for hackers).
    • I'm not saying that having IE written in full managed code isn't a good idea but it won't help with security. A good chunk of the problems come from the ambiguous uses of various technology in IE (Active X, jscript, etc). Many of these are functioning exactly as designed but still having undesirable side effects such as completely unsecured. These are problems that would exist regardless of the language binding used to build IE upon because logical problems are still logical problems regardless if they
  • by sharkey (16670) on Monday March 27, 2006 @02:49PM (#15004596)
    one of the sites that has been "hacked" to exploit this flaw?
  • by Dynamoo (527749) * on Monday March 27, 2006 @02:50PM (#15004603) Homepage
    If you're an admin of machines running IE then it will be worth keeping an eye on this one. The best place is the Internet Storm Center [sans.org] which usually updates several times a day and links to other sites of interest. (Be sure to check the diary archive).

    This is a little like the WMF flaw [microsoft.com] that became known just after Christmas. Eventually MS had to provide an out-of-cycle patch (even if it was just a few days early) because of the bad press they were getting. From the looks of things, the patch for this one will be ready soon too.. so any kind of noise you can make to get an early release would be a Good Thing.

    Yeah yeah, MS will get a lot of flak from Slashdotters on this, but you should bear in mind that they also provide some decent patching tools like WSUS [microsoft.com] for administrators to roll these things out. Personally, I never use IE on my Windows box, but I'm afraid it's still a fact of life in most large businesses.

  • by xmorg (718633)
    I have heard about all these tests that they put up a windows server vs a Linux/BSD server and you get Windows being more "secure" in certain areas, etc.

    But this is what we are talking about when we say LESS secure. Anyone running a server in a professional environment is expected to know what he or she is doing. What windows lacks in security has to do with workstations/personal computers at a persons home browsing the web on IE, who is not a security expert and shouldn't need to be! Windows continues t
  • by smooth wombat (796938) on Monday March 27, 2006 @02:51PM (#15004619) Homepage Journal
    From the article:

    Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code" and that people who want to use IE should either disable "active scripting" or download the IE7 beta2 preview.

    That's nice. Now when is Microsoft going to code IE7 to work on the hundreds of thousands (millions?) of pcs still running Windows 2000?

    They're not? You mean I have to shell out more money to get a fix for a problem which is caused by their product?

    Just another reason not to go with Vista. Another Mac convert on the way.

    • Sorry to break it to you, but Mac OSX makes you pay for updates too. You have to pay for every update -- 10.1, 10.2, 10.3, etc. Each of them costs money. So if you bought OSX or OS 10.1 and you want to update to the latest version of Safari or Firefox -- guess what, you have to shell out some cash because Firefox requires Mac OS X 10.2.x and the secure version of Safari requires 10.3 I think.

      Because of this, my girlfriend who has an old Apple powerbook can't surf the web worth shit. So don't think that a
    • It's interesting that their beta product is (allegedly) more secure than a product that has been in production half a decade.
  • What kind of wishful thinking persuades someone that IE is suitable for browsing any website except the ones you have written personally?
  • easy fix in XP (Score:3, Interesting)

    by TheRealBurKaZoiD (920500) on Monday March 27, 2006 @02:58PM (#15004659)
    Just set a software restriction policy to disallow executables from running from your temporary internet files. It's one of the first things I ever do when I set up my PC. Easy-peasy, japanesy.
    • Software restriction policies are a nifty tool, and it's a shame more people (or at least offices) don't use them.

      Blocking just temporary internet files is obviously not fool proof (the exploit code itself could download files to another location besides the temporary internet files folder) but it does seem likely to break any malware that's written to have the browser do the work of caching scripts from the website ahead of time. (Does IE work that way? Cache scripts fully, even if they contain code that i
  • DISABLE ACTIVEX!!! (Score:2, Informative)

    by erroneus (253617)
    For crying out loud, that's probably like 99% of MSIE's vulnerability. I know it's one of Microsoft's "gems" and one of its primary tools to keep the competition locked out the areas they currently control, but it's seemingly forever the access point to evil-doers' access to people's computers. Disabling ActiveX is almost always if not entirely the answer to the problem in the short term.

    I don't know what the best answer should be for those who need to use activex in the meantime... I guess it's kinda lik
  • Use FireFox, Use FireFox, Use FireFox, Use FireFox...

    I know I'm preaching to the choir, but maybe we need another round of "Spread the word". I keep the "Open in IE" function available for emergencies (like a root login), but by default I use a browser that is not so heavily integrated into the OS, is lighter weight and is peer reviewed.

    Why aren't we ALL insisting on these features wherever possible???
  • by wernst (536414) on Monday March 27, 2006 @03:19PM (#15004835) Homepage
    So, the article says that hackers are breaking into webservers and injecting this code that exploits an IE flaw. Fine.

    So, WHAT WEBSERVERS are being hacked into to do this? IIS? Apache 1.3? Apache 2? Windows only? Linux only? Something else? All of the above?

    I don't ever use IE for anything, but I do run many websites with a variety of platforms and server software. I'd love to know what it is I'm supposed to be looking for on my servers...
    • So, WHAT WEBSERVERS are being hacked into to do this? IIS? Apache 1.3? Apache 2? Windows only? Linux only? Something else? All of the above?

      I think it's any webservers whose webmasters use IE. Lemme explain:

      1) a dumb webmaster has his PW for his webspace stored in windows
      2) dumb webmaster (who should know better) visits a site while using IE, and the site steals his password
      3) script or person uses the password to login to the webspace, add in malicious code, and the cycle continues
  • Anyone.. (Score:2, Funny)

    by Viraptor (898832)
    Anyone else find something funny in this sentence?
    "...hackers have infected at least 200 sites, many of which you would not normally expect to associate with such attacks (i.e., porn and pirated-software vendors)."
    I see two things...
  • by RockDoctor (15477) on Tuesday March 28, 2006 @07:29AM (#15009571) Journal
    FTFA : Case in point: One guy I contacted to tell him his site was serving up this exploit code went to check his home page and then told me his browser just crashed on him. I had to ask: "Don't tell me you just visited the site in IE?" He had. I could only shake my head and sigh.

    BEATS HEAD SLOWLY AGAINST BRICK WALL.
    THIS IS UNSATISFACTORY.
    GOES OUT AND FINDS granite WALL.
    BEATS HEAD AGAINST IT.
    MUCH BETTER!
