Forgot your password?
typodupeerror

New Zero-Day Vulnerability In Windows 231

Posted by Zonk
from the worst-day-of-the-week dept.
Jimmy T writes "Microsoft and Secunia are warning about the discovery of a new 'Zero-day' vulnerability affecting all Microsoft based operating systems except Windows 2003. Both companies states that the vulnerability is currently being exploited by malicious websites. One attack vector is through Internet Explorer 6/7 — so be aware where you surf to."
This discussion has been archived. No new comments can be posted.

New Zero-Day Vulnerability In Windows

Comments Filter:
  • Just curious (Score:3, Insightful)

    by realmolo (574068) on Saturday November 04, 2006 @11:49PM (#16721731)
    Seems there is always a new "zero day" exploit for Windows. Most times, the exploit can be activated simply by visiting a webpage that has been crafted to take advantage of it.

    Does anyone actually know anyone that has been affected by any of these exploits? Seems to me that the odds of actually visiting a site that "runs" the exploit is incredibly low.

    • Re: (Score:3, Insightful)

      by Opportunist (166417)
      The odds depend entirely on you.

      The attack vector is a link to the bogus page. Now, how do you get a link to a user and make him click? Usually this is done either by email (click here for big boobs or fat cash) or on a webpage (same).

      In the meantime, you can also have it on a banner, where the one wanting to infect you buys ad space on a ... let's say less prestigious page of our beloved web. Usually also pages that promise big boobs, fat cash or free software.

      Well, technically, you get free software...
      • The odds also depend on time. Because as with every vulnerability, it only get worse over time: more bad guys become aware of how to exploit it, methods of exploitation become more reliable, etc.
        • Well, actually, time works against the malware writers, in case you keep your OS and AV soft updated and current. What impact could a worm have that uses the same vector LoveSan used? Of course, it would hit a few unprotected and unpatched machines, but it would never be as devastating as it was, at the very least company computers will not be affected in the same way.

          Unless their admins are really careless.

      • Re: (Score:3, Funny)

        I've been clicking on your link for big boobs, and nothing is happening. What's going on here?
      • The site desn't have to be of ill repute in order to cause a risk. Remember the BOFRA/iFrame [sophos.com] exploit? This was a case where ad server Falk AG [slashdot.org] was serving up ads to well known sites such as The Register [theregister.co.uk] and Comedy Central. You wouldn't hesitate to go to either of those sites most of the time.

        The thing to keep in mind is that any page could be a risk and you must be security concious or face the consequences.
      • by Bert64 (520050)
        Or a web server gets hacked, and someone inserts the exploit code into the sites hosted there... If it's subtle enough, it would take ages to get noticed by the admins or legit viewers, unlike a defacement which is immediately obvious.
        As for getting access to web servers, how many run IIS and have IE installed on them? Not to mention how many people admin their web servers from windows workstations, own the admin's workstation and you can keylog your way into the server too.
        • by sumdumass (711423)
          Wasn't there an issue a while back were exploit were being coded into HTML email and outlook (express too) would execute it or take you to the link and open the exploit or virus jusy by previewing it to delete the email.

          Some of this had been fixed by now but I'm not sure something like this couldn't be rigged to be executed.
    • ...is also the most impractical. What you do is just never network the Windows box in the first place. No internet, no intranet--nothing. If you use Windows exclusively, then this isn't really an option. You're going to want to get online eventually. But if you're double booting and running Windows for rendering applications, non-multiplayer games, office suites or whatever else that doesn't require connectivity, then you'll be fine.
      • by AusIV (950840)
        You are severely exaggerating. I'm no windows fan, in fact I highly encourage my friends and family to try Ubuntu, and use it on one of my computers. My laptop runs Windows because there are a few apps I like having. When I have the time I'll set up a dual boot, but for now I use Windows XP.

        The computer I had before my current laptop got incredibly bogged down with viruses that entered the system through a variety of means. Eventually I found it to be unusable, and switched it to Linux. My laptop, however,

        • Re: (Score:2, Insightful)

          by Zwaxy (447665)
          > You are severely exaggerating.

          He isn't. He said that the most certain way of avoiding vulnerabilities is not to be connected to the 'net. That's true, right?

          You said:

          > The computer I had before my current laptop got incredibly bogged down with
          > viruses that entered the system through a variety of means.
          > Eventually I found it to be unusable, and switched it to Linux.

          and then went on to say:

          > Let me reiterate that I have never had a problem with viruses.

          Sounds to me like you have had a pro
      • Admiral Adama? Is that you?
        • He isn't an Admiral anymore now that Pegasus is gone. Lee went back down to Major too.
      • Re: (Score:3, Insightful)

        by Jaseoldboss (650728)
        No, this problem only affects computers with browsers that support ActiveX. That's why W2K3 isn't affected because IE is configured to be virtually "text only"

        Have you seen the 'mitigating factors from the MS advisory? They're hilarious:

        In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to

    • by Foofoobar (318279)
      I've known people to get attacked via this method. Unscrupulous advertising companies have used it to install spyware on several occasions. Usually the link comes via spam.
      • by Rosyna (80334)
        I've known people to get attacked via this method. Unscrupulous advertising companies have used it to install spyware on several occasions.

        Often times people will exploit it via normal advertisers, or find some exploit on some other software used by a website (the myspace flash exploit) or they'll find an exploit in some software the webserver uses such as phpBB, some dashboard software/configuration manager, or some other easily exploited piece of a webserver (as seen in the WMF exploit). They use one exp
        • by rvw (755107)
          Often times people will exploit it via normal advertisers

          I hadn't realised that this is in fact a very good method. Just buy some add space at Google for office products or computer hardware at attractive but not unreasonably low prices, then create an online store for these products, make a message on the website that the store is offline, et voila! The user is not alarmed, moves on, but the computer is infected.

    • Well, the idea is that you combine the code with a worm that can infect webservers. That way, lots of webpages will have the code, and the odds of an unprotected Windows machine being infected increase rather substantially.
    • It's not as low as you might think. All it takes is somebody to insert exploit code into a banner advertisement on a major online ad network and sites that you trust all of a sudden become malicious.
    • by jamesh (87723)
      Actually, all it would take is for a TFA linked from a slashdot article to be exploited (either by a third party or by the submitter such that it didn't become visible until the peak of the slashdot effect).

      Even though nobody RTFA's, many must still click the link (see "slashdot effect") hoping for pictures or something, so this would still work.

      The whole slashdot audience could be wiped out overnight! Oh the humanity!
    • by lseltzer (311306)
      You're right to a great degree. In practice these exploits are not on the sorts of sites that the average user is ever likely to visit. But there is some history, for instance with the WMF bug of almost a year ago, of the exploit being run through ad banner networks that work through 2nd-tier porn sites, wrestling sites, that sort of lowbrow stuff. It happens, but if you typically go to the New York Times and ESPN and the National Georgraphic and Nick.com these exploits will never affect you.

      Two other thin
      • >if you typically go to the New York Times and ESPN and the National Georgraphic and Nick.com these exploits will never affect you.

        Unless the site is compromised by an attacker, or carries ads from an inadequately screened advertiser, or unless the advertiser has been 0wned.

        >Also if you're running a mail program that's been updated since Clinton was President you can't be attacked through HTML e-mail since they all block scripting and ActiveX in mail by default.

        That still leaves the attack vector of m
    • Yeah, I found the data here, just click to read all about the odds of visiting an exploiting site.

      http://12.34.56.78/hacks/exploits/im/a/script/kidd ie/boom.html [12.34.56.78]
    • > Does anyone actually know anyone that has been affected by any of these exploits?

      Many of the people getting infected don't know it. But don't tell me you have never heard of infected Windows machine? Or do you assume they all got ir from e-mail?

      > Seems to me that the odds of actually visiting a site that "runs" the exploit is incredibly low.

      So, you think only a few people will surf on pornsites or websites that have been hacked?
    • Most affected users probably don't know that they're infected. Their machine is simply turned into a zombie without their knowing it.
    • I have a friends machine here - I've identified 110 viruses and items of malware on it so far. Something has screwed with the drivers sufficiently that it keeps rebooting, even in safe mode. Since they are running a pirated version of windows XP and they don't have the CDs it's a challenge finding a way to get the machine to sty up long enough to remove errant drivers. As far as I can tell it's all come from promiscuous surfing, and from installing what they describe as "free software". I'm still lookin
  • Darn (Score:2, Funny)

    by blantonl (784786)
    I've been looking at porn all night.. it is saturday you now!.... jeeze.. I better start scanning my machine now (or stop looking at porn) .... (or reload my machine).
  • "Trusted" Websites (Score:3, Insightful)

    by TheStonepedo (885845) on Saturday November 04, 2006 @11:54PM (#16721773) Homepage Journal
    For all of the shortcomings of IE, Microsoft does attempt to cover its ass to some degree. There are settings in IE which decide which goodies [javascript, (un)signed activex controls, etc.) can be run from which websites. When installing Server 2003, just about everything is out-of-bounds in the default IE. If Microsoft would advocate such tight controls by default on all Windows distributions, or even publish its own list of trusted 3rd-party sites, risks could be reduced. The malicious folks who take advantage of zero day exploits tend to be in the seedier parts of the tubes anyway.
    • Re: (Score:3, Insightful)

      by 0racle (667029)
      And if MS published such a whitelist so many of Slashdots readers would get up in arms about leveraging their monopoly and various other terms they don't really understand. That said, it really isn't Microsofts place or duty to police the internet and say what is and is not safe.
      • It's also not their duty to tell me what content I can watch and which one I cannot...
        • by GIL_Dude (850471)
          That's true, but so is the statement that "it isn't their duty to take the trash out for you.", however I don't see your point. If you are trying to send a barb at DRM, it doesn't tell you what you can watch and what you can't. It limits how you can watch it and might make you buy it again to shift format (which sucks and all that - I am against DRM). However, you really aren't making a point by saying they are telling you what you can and can't watch - that is what the government and FCC do.
          • Well, it also has the power to tell me what I can watch and what I cannot. If a certain movie is not deemed "appropriate" in my country, I'm out of luck. If a certain content is deemed "secret", you cannot show it to others.

            Has anyone ever considered the implications of DRM for whistleblowing? Leaked information has more than once been the first and only warning that something is running very wrong. This can be put to an end very efficiently with DRM.

            You can in theory even retroactively nullify information.
      • by v1 (525388)
        My take on it is, if MS wants to protect the people, why is it blocking the harmful web sites?

        Isn't it a bit like disbanding the police force and trying to get guns outlawed?

        The web sites aren't the problem. They are doing exactly what you'd expect them to do in a random free society, they are taking advantage of suckers. And in this case, windows is a big dum-dum pop. The problem has to be solved on the computers, not on the web sites.

        I suppose another way to look at it would be for you to take all that
    • by springbox (853816)
      These sorts of problems seem to happen frequently with IE. Making a default white list to add to "trusted sites" is just a band aid. Microsoft could solve the problem by fixing the holes in the browser that let such exploits through. If IE7 is any indication though, I'd be surprised if MS was interested in actually fixing it at this point.
      • The problem is as it always was: ActiveX. MS can't block ActiveX because any product that uses IE as the front end with ActiveX controls is suddenly broken. *Lots* of corporate web-based programs employ ActiveX controls. Everything from Flash to Acrobat Reader to Windows Update uses ActiveX.

        A best-case scenario would be to allow Administrators to blanket-block All ActiveX controls except for a select few. You can actually do this with the IE Admin Kit and Group Policy, but it is exceptionally difficult
  • Or is it only via IE.

    What other ways can this exploit be triggered?

    • by Shados (741919)
      Its the forever plague of the ActiveX vulnerabilities (though semi-indirectly in this case). So Firefox is safe. Anything that uses XMLHTTP control in a way that it could get arbitrairy inputs is vulnerable.. In other words, Internet Explorer, anything that uses MSHTML straight to connect to random web sites (its safe if its only trusted web sites), so that includes Outlook, etc. Thats about it. But thats too much for my taste.
      • So, am i right in saying that IE7, the new browser that was supposed to be really secure and reliable has now got its second major security flaw since its release only a matter of weeks ago.
        • by Shados (741919) on Sunday November 05, 2006 @12:37AM (#16722023)
          Yes and no. This flaw is specific to XMLHTTP, which is kind of developed independantly. You also can use XMLHTTP without using IE at all, thats why I say its independant. Its probably a buffer overflow, and not much to do about it in this case. So yes IE7 has a flaw, but there really isn't anything they could do in the current context. -HOWEVER-, while IE7 is more secure than IE6 in a million ways, the WinXP version is nothing but a shadow of the real thing. The sandboxed IE7 is on Vista only, and I'm pretty damn sure this vulnerability is not an issue there. Anyway, so its more semantic here, but you could say "yes, IE7 has a vulnerability". however, its a little bit like if there was a vulnerability in KDELIB across the board...obviously that would touch Konqueror, no matter how secure Konquerer itself is... Can't excuse that one though. IE7 on XP is far, far from secure. More secure, but not secure.
          • by baadger (764884)

            ...while IE7 is more secure than IE6 in a million ways, the WinXP version is nothing but a shadow of the real thing.

            Mark of SysInternal's posted an interesting entry on his blog back in March, Running as Limited User - the Easy Way [sysinternals.com] (it's at the bottom of the page, I couldn't find a working direct link), which describes just how easy it is, with the help the SysInternals free psexec utility [sysinternals.com] to drop essentially all Administrator privileges when running IE.

            It isn't a complete solution, Protected Mode probabl

        • Re: (Score:3, Informative)

          by uhlume (597871)
          Only by virtue of Microsoft's attempt to provide backward compatability for AJAX sites developed for older versions of IE.

          Prior to IE7, the XMLHTTP object, used to retrieve data from external sources without full-page reloads, was provided by an external ActiveX control. With IE7, Microsoft has implemented XMLHTTP natively in-browser, rendering the ActiveX control unneccesary -- however, it's still possible for older sites which haven't yet been rewritten to take advantage of native XMLHTTP support to load
          • by cnettel (836611)
            I was under the impression that the same MSXML code is still used under the hood (any JScript object in IE is a COM/ActiveX object, you just create them or get references to them in different ways), so depending on the actual exploit, I wouldn't be so sure that your bandaid will solve it. It should solve it for IE6SP2, though, but at the cost of disabling all AJAX.
  • Oh good... (Score:1, Troll)

    by Duncan3 (10537)
    "all Microsoft based operating systems except Windows 2003"

    Glad nobody I know is vulnerable to this. Everyone is OSX, Linux, or Win2003 for a long time now.
    • by Shados (741919)
      Its sad when you think that Windows 2003 is a better desktop OS than Windows XP...a bit pricey for a desktop, too =P
      • by Duncan3 (10537)
        It is when you can run as non-admin and have it mean something.

        3 years and zero virii, trojans, etc on any of the Win machines.
        • by Shados (741919)
          That probably comes with good usage more than just the OS though. I've ran NT4, 2k, and XP for about 9 years over (I think thats right?), and didn't get even as much as a spyware on any of those, without any permanent scanners (I scan like once every 6 months or so). But the whole running in non-admin and mean something thing does sound cool.
    • by makomk (752139)
      Of course, if they've modified Internet Explorer settings to the point where modern "Web 2.0" sites actually work in Internet Explorer, Windows Server 2003 users are probably vulnerable too...
  • What is so hard about the concept of a program that can go out to the Internet, look at what is there and renders it for me. WITH NO WAY TO CHANGE ANYTHING ON MY COMPUTER.

    Is that so much to ask for, of ANY browser?

    • Well, you could always run a browser in a virtual machine and not allow it to save state. Alternatively, it is quite easy to write a systrace policy that prevents writing to any files that are not in the cache directory (and optionally a downloads directory), and doesn't permit it to read any files other than its dependent libraries.
      • by daveb (4522)
        A full virtual machine (as in vmware or virtual-pc) is a tad over the top but you're right.

        I don't use it much - but sandboxie impressed me a few months ago for running IE (or anything) in a semi-virtualised environment

    • program ... go out to the Internet ... no way to change anything on my computer

      I guess that you don't see any value in bookmarking or in caching for performance.

      Actually, there is something close to what you are describing. It is called a Linux live CD with firefox on it such as knoppix.

      • Actually, it might make sense to take the caching functions out of the web browser, maybe even out of client machines entirely, in favor of network appliances. That would allow you to have very secure, locked-down browsers, while still doing caching.

        I've always been surprised that Linksys or one of the other network-box companies hasn't put together an easy to use "web accellerator" caching proxy. I suppose it's because it would be too hard to explain to a lot of people (the kind of people who don't grok th
        • by jesser (77961)
          It makes more sense to give a web browser write access only to a small part of the file system than to force an entirely separate device to have a hard drive, IMO.
          • by zCyl (14362)

            It makes more sense to give a web browser write access only to a small part of the file system than to force an entirely separate device to have a hard drive, IMO.

            That's a reasonably clever idea. It could be applied more generally too. A wide variety of user apps could be restricted to only have write access to specified directories. With judicious use of symbolic links, this could even be made painless for the user.

            This is essentially already done with a lot of server software, by running it as a dedica

        • by asuffield (111848)

          I've always been surprised that Linksys or one of the other network-box companies hasn't put together an easy to use "web accellerator" caching proxy.

          If there's one thing that people should have learned from the last 10 years of end-user non-entertainment consumer computer products, it's this:

          No significant numbers of people will buy your product unless it will save them money or they think they cannot live without it.

          People will pay through the nose for entertainment stuff (games, etc), but for anything el

    • WITH NO WAY TO CHANGE ANYTHING ON MY COMPUTER.

      If you are visiting the seedier part of town and want some protection, may I interest you in a live CD?

      I've used live CD's while on the road and had to use a hotel internet connection. Who knows what could be in the middle there. I fired up Ubuntu as a live CD and hit the web. Stayed away from e-mail and any finance sites while on the road. It was fine for checking mountain pass conditions for travel and entertainment via youtube and other sites.

      At the end
    • by vtcodger (957785)
      ***What is so hard about the concept of a program that can go out to the Internet, look at what is there and renders it for me. WITH NO WAY TO CHANGE ANYTHING ON MY COMPUTER.

      Is that so much to ask for, of ANY browser?***

      Apparently it is. Web site designers are absolutely certain that you need a gazillion goodies and stand ready to deliver them whether YOU (or I) want them or not. With a few exceptions -- The Google home page- renders usably in just about any browser ever written and does not depend on

    • by nikster (462799)
      The browser needs to run in a sandbox that it can't get out of. Then the only exploits would be ones that get you out of the sandbox and presumably could be closed easily. That's the only security concept that can work because the number of attack vectors is minimized.

      Otherwise - rendering libraries have bugs, can be made to overflow etc. So even a look-don't-touch kind of browser would be vulnerable.

      I find it pretty convenient to be able to download stuff, including installers. In fact, I couldn't really i
  • and I write buggy software. I am by no means a MS basher, but the security advisory that they have put out reads like an endless stream of lame excuses.

    It may very well be that stupid users or badly configured systems allow these exploits to thrive but FFS Microsoft just admit that you are actually at least partially to blame.

    As long as they fail to realise that they are not gods and do actually write buggy software, what hope is there that they will ever succeed in producing something secure?
    • by Mia'cova (691309)
      I think every single developer at Microsoft understands that no code is perfect and there will be vulnerabilities. The vast majority of these exploits are still showing up in old legacy code and not the new stuff. Plus, they know that there will, at some point, be a new wave of vulnerabilities like when XSS became popularized and much of the new "more secure than ever" code will be just as vulnerable to those kinds of attacks as anyone else's code. You say they fail to realize that they won't catch everythi
  • Internet Explorer 6/7
    Well that's what they get for not updating and running Internet Explorer 6/7! It's not even version 1.0!
  • You want news? Now this would be news:

    REDMOND - NOV 23, 2006
    Microsoft is proud to announce that for the second day in a row, now 0-day exploits were discovered in its flagship Microsoft Operating System.
    • by shird (566377)
      By definition, an exploit that is 'discovered' is '0-day'. You can't 'discover' a 0-day exploit. You discover an exploit, and the day that you publish it is the 0-th day of that exploit being known.
  • This flaw does not affect Vista users thanks to IE 7's Protected Mode [microsoft.com] feature.
  • "... all Microsoft based operating systems except Windows 2003."

    So a box running Windows 95 or DOS is at risk then?

    I'm not sure which is more irritating - that the summary uses the above phrase that is not in the article, or that they article doesn't explicitly say which OS/browser versions are affected (and you'd have to go digging around to find whether you are using "XMLHTTP 4.0 ActiveX Control, part of Microsoft XML Core Services 4.0".

    I suppose the most irritating thing for a Windows user is that this i
    • by David_W (35680)
      So a box running Windows 95 or DOS is at risk then?

      No, you just aren't thinking like Microsoft. Those OSes are no longer supported, so in their eyes, they don't exist.

  • by flyingfsck (986395) on Sunday November 05, 2006 @03:40AM (#16722879)
    From Secunia, the vulnerable versions are:
    Microsoft Windows 2000 Advanced Server
    Microsoft Windows 2000 Datacenter Server
    Microsoft Windows 2000 Professional
    Microsoft Windows 2000 Server
    Microsoft Windows Server 2003 Datacenter Edition
    Microsoft Windows Server 2003 Enterprise Edition
    Microsoft Windows Server 2003 Standard Edition
    Microsoft Windows Server 2003 Web Edition
    Microsoft Windows XP Home Edition
    Microsoft Windows XP Professional
    • Windows 2003 comes with IE in "security enhanced" mode, which basically means that virtually everything (javascript, activex, etc.) is turned off for all but the built in trusted sites, of which there is only one by default: windowsupdate. So, with the default config, Windows 2003 is *not* affected.

      In other words, the admin would have to go out of his or her way to make sure that Win2k3 Server was affected by this, not to mention the fact that they would have to browse the web on a freaking server, which us
  • Buffer overflow again? we programmers should run a petition for Microsoft to stop using C for their products :-).

    On a more serious note, I am using Firefox and Thunderbird, so it is highly unlikely that I am affected by the vulnerability. Open source wins again!
  • XP 64 is actually a non-server build of 2003 (NT 5.2), not XP (NT 5.1). I can't tell whether XP 64 is affected, because Microsoft just says this:

    "Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. Customers would need to visit an attacker's Web site to be at risk. We will continue to investigate these public reports."

    I'm on XP 64 SP1, equivalent to 2003 SP1.

    Melissa
    • by cnettel (836611)
      I was wondering the same thing, but I think your quote makes it quite clear. The enhanced configuration is basically an IE which won't allow scripts, won't allow ActiveX and by consequence won't be affected. It's fully possible to turn off that protection in Windows 2003, and the default in XP64, being a client operating system, is the normal client settings. Hence, we would be vulnerable. OTOH, when you are running the 64-bit build of IE, I would suppose that the existing exploits won't work. As the stack
  • Use psexec to protect your system from your browser.
    http://download.sysinternals.com/Files/PsExec.zip [sysinternals.com]

    C:\utl\psexec.exe -dl "C:\Program Files\firefox\firefox.exe"
    or
    C:\utl\psexec.exe -dl "C:\Program Files\Internet Explorer\iexplore.exe"

  • No, really?

    Tell me it isn't so.

     
  • There's still people using IE instead of Firefox?!? Serves them right then, dummies! Back of the class!

Never invest your money in anything that eats or needs repainting. -- Billy Rose

Working...