New Zero-Day Vulnerability In Windows

Jimmy T writes "Microsoft and Secunia are warning about the discovery of a new 'Zero-day' vulnerability affecting all Microsoft based operating systems except Windows 2003. Both companies states that the vulnerability is currently being exploited by malicious websites. One attack vector is through Internet Explorer 6/7 — so be aware where you surf to."

Just curious

[realmolo]

Seems there is always a new "zero day" exploit for Windows. Most times, the exploit can be activated simply by visiting a webpage that has been crafted to take advantage of it.

Does anyone actually know anyone that has been affected by any of these exploits? Seems to me that the odds of actually visiting a site that "runs" the exploit is incredibly low.

"Trusted" Websites

[TheStonepedo]

For all of the shortcomings of IE, Microsoft does attempt to cover its ass to some degree. There are settings in IE which decide which goodies [javascript, (un)signed activex controls, etc.) can be run from which websites. When installing Server 2003, just about everything is out-of-bounds in the default IE. If Microsoft would advocate such tight controls by default on all Windows distributions, or even publish its own list of trusted 3rd-party sites, risks could be reduced. The malicious folks who take advantage of zero day exploits tend to be in the seedier parts of the tubes anyway.

Re:Just curious

[Opportunist]

The odds depend entirely on you.

The attack vector is a link to the bogus page. Now, how do you get a link to a user and make him click? Usually this is done either by email (click here for big boobs or fat cash) or on a webpage (same).

In the meantime, you can also have it on a banner, where the one wanting to infect you buys ad space on a ... let's say less prestigious page of our beloved web. Usually also pages that promise big boobs, fat cash or free software.

Well, technically, you get free software...

Re:"Trusted" Websites

[0racle]

And if MS published such a whitelist so many of Slashdots readers would get up in arms about leveraging their monopoly and various other terms they don't really understand. That said, it really isn't Microsofts place or duty to police the internet and say what is and is not safe.

Re:The best solution

[Zwaxy]

> You are severely exaggerating.

He isn't. He said that the most certain way of avoiding vulnerabilities is not to be connected to the 'net. That's true, right?

You said:

> The computer I had before my current laptop got incredibly bogged down with
> viruses that entered the system through a variety of means.
> Eventually I found it to be unusable, and switched it to Linux.

and then went on to say:

> Let me reiterate that I have never had a problem with viruses.

Sounds to me like you have had a problem with viruses; so much so that you found they made your computer unusable.

Re:The best solution

[Jaseoldboss]

No, this problem only affects computers with browsers that support ActiveX. That's why W2K3 isn't affected because IE is configured to be virtually "text only"

Have you seen the 'mitigating factors from the MS advisory? They're hilarious:

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

Ahh, easy. Don't click links on the web then.

An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

That's good, the first thing Aunt Nelly does with her new PC is set up a LUA account.

The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.

Put malicious sites in the Restricted Zone first, good advice - can we have a list of them please? Before anyone suggests turning off Active Scripting, that causes IE to display a warning message box every time you visit a site with Flash, making it unusable.

A much better mitigating factor would be that over 10% of users can't run ActiveX because they are using Firefox or Linux.