Zero-Day Team Launches with Emergency IE Patch
Holy Mother of Thor writes to mention an eWeek article about a third-party patch for Internet Explorer. A dark horse security group formed after the WMF attacks in late 2005, the ZERT (Zero Day Emergency Response Team) has released a patch to attempt to slow the malware attacks on Windows. From the article: "'It is clear that we are dealing with an underground group of people who are writing exploits for profits. They are waiting for Patch Tuesday to pass, then it becomes Exploit Wednesday. We're seeing these zero-days in the wild, timed precisely to guarantee at least an entire month to spread,' Stewart said in an interview with eWEEK. Stewart, who is volunteering his reverse-engineering skills and time to ZERT in his private capacity, wrote an early version of the VML (Vector Markup Language) patch the group released Sept. 22 and worked closely with others to fine-tune the update to minimize potential glitches."
Microsoft would have fixed this in 3 days (Score:5, Insightful)
Re: (Score:1)
This just in... (Score:1)
Re: (Score:1, Insightful)
Spyware Thursday (Score:3, Insightful)
The majority of exploits could be stopped if Windows users switched to Firefox. However, getting Joe User to switch from IE to Firefox is difficult, especially when he perceives no problems with IE. The majority of exploits in the wild today hide themselves from the user, and turn their machine into a Zombie node without their knowledge. Because Joe User doesn't know anything is wrong with his computer, he keeps using his unpatched IE and helps spread the exploit even further.
Yahma
Re: (Score:2)
The majority of exploits could be stopped if Windows users switched to Firefox.
This would also have the added effect of reducing the number of Slashdot posts vilifying IE.
Re: (Score:1, Funny)
Re: (Score:3, Insightful)
However, you correctly identified what the real problem is: Uneducated users. Once someone gives them a good talking to, they usually see the light. It's just hard (impossible) to reach all of the uninitiated noobs out there.
One word: AdBlock. (Score:5, Informative)
Okay, so it's not really a 'feature' of Firefox per se. But it's one of those things that even relatively ignorant users can grasp and realize the value of, and once you start using, there's really no going back. And it's so easy to install on FF, you can kind of sell it as a package deal.
Set your mom/dad/grandmother/coworker up with Firefox+AdBlock+Filterset.G, and between the tabs and the lack of advertising, you'll probably have gotten a convert for life.
The only problem is that in many cases it's not quite practical to throw away IE completely; there are too many online banks and other systems which count on its braindead idiosyncrasies.
Re:Or Get them a Mac (Score:2)
Of course, I'd try to lessen the shock by installing Firefox for OS X for them.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Informative)
Re:Spyware Thursday (Score:4, Insightful)
Never seen that happen. They don't want the "good talking to". They just want their stuff to work the way they are used to seeing it.
Changing from MSIE to Firefox means you have to re-learn how to navigate around the browser. My wife went from Linux/Firefox to Apple/Safari and after a month she's bothered to figure out how to save bookmarks. She doesn't care about tabbed browsing settings or anything else. I think she's fairly typical in that she uses
I cite this as one example of many.
Not everyone is in love with their computer.
The conversion of my family hasn't been because of a good talking to. It's been because I simply won't allow a Windows machine in the house. They've learned how to use Linux and Apple nicely enough and in some cases prefer to do their school work on Linux/Apple.
Re:Spyware Thursday (Score:5, Insightful)
There is no superior technology or anything that would help to make Firefox inherently more secure.
Uh, not quite.
MSIE was rewritten in the mid 1990s so that core modules became an integral part of the Windows OS. It is generally recognized that maintaining a wall between OS and app is good engineering, partly because it avoids many difficult security issues. This is especially true when the application is an interface to the outside world that by nature cannot be secured, like a browser. MS in its wisdom determined that the immediate courtroom benefits of knocking that wall down outweighed the security and maintenance concerns. This was a central part of their defense strategy against lawsuits brought by Netscape and others.
So yes, Firefox's implementation of the available technology is inherently more secure. Firefox preserves the wall between itself and the OS, and is not a superhighway into the core of the OS, the way today's MSIE is.
Re: (Score:2)
I don't know much about IEs architecture, but AFAIK the rendering engine is just a DLL (or a couple of DLLs) that ship with the OS. I don't see why DLLs that ship with the OS should be less secure than DLLs that ship separately.
Admittedly, if some parts of the OS (like built-in applications) use those DLLs they will be automatically affected by any security problems that may show up in the rendering engine. But if you would be able to exc
Re: (Score:2)
What kind of "integral part" is it? Is IE part of the kernel or win32?
How would answering these taxonomic questions advance anyone's understanding of the issues being addressed in this thread? You appear to be substituting a semantic quibble for substance.
I don't see why DLLs that ship with the OS should be less secure than DLLs that ship separately.
It isn't a matter of when the modules ship. It is a concern about appropriately partitioning computer resources so that the impact of any exploitable bug w
Re: (Score:2)
You speak in very abstract terms, and you imply that IE runs differently than a regular user-space library would.
I have implied nothing like that. I have emphatically asserted that this is so.
Re: (Score:2)
Re: (Score:2)
Re: How 2 rip MSIE from Windows (Score:2)
My stated assertion was that MSIE is an integral part of the Windows OS, which means that there is an inherently unsecurable set of portals to the outside world, the browser, that is insufficiently isolated from the OS. So that exploitations of vulnerabilities in the browser can lead to such nasty infections as keyboard loggers, rootkits, and zombie processes (rather than being isolated to just messing up the browser session).
And you are 100% wrong in your assertion. [toadlife]
Good. Now then, M. Toadli
Re: (Score:2)
Re: (Score:2)
Gee, at this point I don't know what to say. I guess it's time to bow out of the conversation with an apology.
I'm so sorry that this conversation has gone the way it has; I apologize to anyone who reads this since it is contributing more to the FUD that seems to always surround any perceived criticism of Microsoft than it adds to the universe of rational discourse. There has ended up being more heat and smoke than light here. Sorry about that.
M. Toadlife, I truly regret that reality doesn't match the vi
Re: (Score:2)
Re: (Score:2)
Thanks for pointing me to WinFLP. I hadn't known of its existence. It might allow some cash registers to continue to function until the hardware fails.
However I don't see your point. WinFLP is not WinXP with some of the DLLs removed; it is an entirely separate OS that is partly based on some of the WinXP source. You can't take WinXP (or any other publicly available Win OS) and strip out the MSIE modules and still have a stable OS.
TinyXP - Beast Edition (Score:2)
Re: (Score:2)
You may find that this "OS" which is a stripped version of XP has no IE, has FireFox, and is perfectly stable. It also doesn't phone home for updates etc. Worth a look for "testing" anyway...
Um, thanks but no thanks. From a distance, I find the culture of warez is fascinating. I intend to maintain this distant point of view for at least a few more years...
fud friday .. (Score:2)
Unlike IEXP Firefox is not welded to the OS. It runs in user space and under Linux is locked down to the user's home directory. Of course the root cause of 'buffer overflows' and stack attacks is the defective design of the wintel memory manager.
"The Mozilla guys may offer more frequent patches (which would increase security, but reduce reliability..)"
It might only appear that way because the patche
Re: (Score:2)
I'd rather say the root cause of buffer overflows (etc) is using a language that allows them. It's not like Linux or other OSes would be able to fully prevent bugs that allow the execution of malicious code. At best they eliminate some common cases.
Can you provide an example of a Firefox patch that reduced reliability.
No. But I am pretty sure that if you have a browser that runs on many mill
Re: (Score:2)
Incorrect, remember the phishers and virus writers don't obey the rules. Design a Memory Management Unit [bton.ac.uk] that prevents exploits.
"It's not like Linux or other OSes would be able to fully prevent bugs that allow the execution of malicious code"
Even on the defective wintel design it provides better protection. Combined with the exec-shield [kerneltrap.org] that prevents stack exploits it would be even more secure. The Vista version NX has
Re: (Score:2)
Re: (Score:2)
if they do, direct them to the themes download section or to the useless extensions. that'll get em to switch.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Oh well, at least on the Mac side, Firefox is the approved browser here. Windows users hate it when we tell them that yes, Firefox is supported, if you use a M
Re: (Score:2)
Not really... Months ago, I removed all the IE shortcuts from my g/f's machine and changed the Firefox desktop icon to the one with that big blue "e"... she didn't notice it until last week. Once I got done catching Hell for it and explained to her why I did it, she decided that it worked well enough anyway. I changed the icons back, and she's been using FF ever since. It's not that she'
Re: (Score:2)
Re: (Score:2, Insightful)
Bugs me when people don't care about this. I ask if they will mind when the cops turn up on the doorstep asking about child porn on their computer. OK probably ain't gonna happen but mentioning either that or terrorism can get people's attention.
Yes I know I'm lowering
time better spent elsewhere (Score:3, Insightful)
Re: (Score:2, Insightful)
Their time would be better spent on improving Free Software instead of trying to plug holes of closed-source software. Microsoft does not appreciate help like this.
They don't expect MS to appreciate this, if anything they probably want to embarrass them. They are trying to help the customers who have been abandoned by MS. Of course the value of that is also debatable, but if you RTFA they are concerned about the effects such exploits have on the general Internet populace in terms of SPAM, worm traffic,
Re: (Score:2)
An even simpler solution (Score:2)
I've had to use IE at a training site this week and it's amazing how cumbersome and clunky it is to use since I've become used to using Firefox. Simple things like being able to scroll down a page before it completely loads, right-clicking and opening a new tab (not window) and just overall speed.
The use of Firefox, and other browsers, really needs to be pushed to slow and/or prevent these exploits from compromising peoples systems. It's an easy solution and doesn't require any
Re:An even simpler solution (Score:5, Informative)
I manage several networks
1. Proxy settings. All the users at one site HAVE to go through a proxy server. It's a transparent server, but offers us logging (required by law) and it helps with the overloaded internet connection. Set the proxy settings in Firefox, and a user need only go Tools | Options | General | Connection Settings to turn them off. No way to disable the menu, without going in and re-writing the XUL code. IE? Easy, shove a
2. IE Only Sites. There's nothing I'd love more than to put Firefox on and remove IE from people's desktop. In fact, I do at every chance I get. But telling someone that if they come across a site that FF doesn't work with - the site isn't worth it for them, and it turns out their BANKING or STOCK site doesn't work
Re: (Score:3, Interesting)
Worst part is, the sites I had problems with so far while using Firefox were all based on Flash. It seems that IE and FF handle screen coordinates di
Re:An even simpler solution (Score:5, Informative)
IE View & IE Tab (Score:2)
Re:IE View & IE Tab (Score:2)
Re: (Score:2, Interesting)
Re: (Score:3, Interesting)
GPO. Then they can't bypass it because the setting will be re-applied.
Also, you can edit one of firefox files that's just plain text to hide those menu settings. It's been awhile since I've done it, but if you do a search for firefox and kiosk you should find the instructions.
Re:An even simpler solution (Score:4, Informative)
If the .reg file is an adequate solution for IE, then a userChrome.css file that simply sets the relevant preference panel to display: none, and a user.js file to reset the proxy settings at each startup (in case the user knows how to find about:config) should be equally adequate.
Just went to look it up. They of course didn't bother to tag the groupbox with an id ("grandmothers don't need easily modifiable chrome!" - meh, give me SeaMonkey any day of the week), but you can hide the "connection settings" button with the following rule: #catProxiesButton { display: none !important; }
Re: (Score:2)
There are plenty of bank and stock sites out there, and most work fine. Ask them if they'd date someone who wouldn't accept their phonecalls until they switched cellphone providers and joined their "friends plan". If they say they wouldn't, ask them why they accept the same from their bank.
Re: (Score:2)
But even then, the analogy is flawed. A better question would be:
Would you divorce your wife if she decided that you had to switch from Sprint to Cingular, it wouldn't cost you anything
Re: (Score:3, Informative)
My second suggestion would be to set up a transpare
Re: (Score:2, Informative)
'lock firefox proxy settings'
The first hit is this link [ilias.ca]:
Granted it's Mac, but it shows you that Firefox can indeed lock its proxy settings. And without really delving into the article it looks as if it would be very difficult to override by 'non' geeks.
Re: (Score:2, Interesting)
Firefox plug-in IE View [mozilla.org]
Description: Lets you load pages in IE with a single right-click, or mark certain sites to *always* load in IE. Useful for incompatible pages, or cross-browser testing.
I like the idea that you can tell users, if it doesn't seem to look right, try this...and then have them default the few non-compatible sites to use IE. Trains them that IE is 'different' and Firefox is more standard.
Re: (Score:2)
Unless they are upper management... Then why are they looking at their Banking or Stock sites at work?!
As for upper management... Well... They'll just get IE Tab plug in for Firefox.
Re: (Score:3, Insightful)
Well it clearly isn't a transparent proxy if you have to configure it at the client end.
Anyway, if the proxy is compulsory surely you should block all direct web traffic so that it actually is compulsory!
Re: (Score:2)
Yeah, I wish we could put Open Office and Firefox on all our Windows desktops too. But you can't centrally manage security and configuration of those like you can with MS Office and IE. (Yeah, my customer i
Re: (Score:2)
I posted an Ask Slashdot question
People who write OSS are going to have to learn something extremely valuable. And learn it from Novell. You can fight Microsoft. You will lose.
Re:An even simpler solution (Score:4, Informative)
What you're describing is not a transparent proxy server. It's just a normal proxy server, that has to be configured in the browser. A transparent proxy server is where your firewall hijacks all outbound traffic on port 80 and reroutes it to the proxy server's IP without the browser knowing about it. This would solve your problem.
Another option you may want to look into (it won't help with the issue of users being able to turn it off, but it might make configuration easier) is Web Proxy Automatic Detection (WPAD). Start by making a Proxy Automatic Configuration (PAC) file, which is just a bit of JavaScript code that tells the browser what proxy server to use. For example:
Put this file on an internal web server. Name the file "wpad.dat", and configure the server to give the MIME type as application/x-ns-proxy-autoconfig, for example:
Now, configure your internal DNS server to add a host "wpad" at whatever domain you're using internally to point to your web server, so that http://wpad/wpad.dat [wpad] will return the PAC file you've created.
Finally, to cover all the bases, make it explicit in your DHCP server. Set this global option in dhcpd.conf:
Then add this within your subnet declaration:
Internet Explorer breaks without the trailing \n. I'm not sure if it has to be \n, or if some other character would work better, but this seems to work just fine.
Sounds complicated! But just remember, you only have to do this once. Internet Explorer and Firefox will both respect it automatically, out of the box, with no client-side configuration at all. One caveat: Mac OS X does not currently support WPAD; I'm hoping Apple fixes this in 10.5 "Leopard" next spring, but I haven't seen anything official about it. In the mean time, Mac clients have to set the URL of the PAC file manually. WPAD works in Firefox on Mac, but see bug 327381 if you're running it on a laptop (I don't know if that bug applies to Windows as well).
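A PAC script of the kind the WPAD setup above serves as wpad.dat, as an added example (not the poster's file and not from any project): internal names and private addresses go direct, everything else is forced through the logging proxy. The proxy name proxy.example.internal:3128 and the domain example.internal are assumed values.

```javascript
// Added example, not the poster's file: a PAC script of the kind served as
// wpad.dat. The browser calls FindProxyForURL(url, host) for every request;
// isPlainHostName, dnsDomainIs and isInNet are helpers the browser's PAC engine
// defines. The shims below only take effect when no such helpers exist (e.g.
// when this file is run under node to check its logic); in a browser they are
// skipped. "var" is used throughout because older PAC engines lack let/const.
// Assumed values: proxy proxy.example.internal:3128, domain example.internal.

if (typeof isPlainHostName === "undefined") {
  var isPlainHostName = function (host) { return host.indexOf(".") === -1; };
  var dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
  var isInNet = function (host, pattern, mask) {
    var ip = host.split(".").map(Number);
    var p = pattern.split(".").map(Number);
    var m = mask.split(".").map(Number);
    if (ip.length !== 4 || ip.some(isNaN)) return false; // not a dotted quad
    for (var i = 0; i < 4; i++) {
      if ((ip[i] & m[i]) !== (p[i] & m[i])) return false;
    }
    return true;
  };
}

var PROXY = "PROXY proxy.example.internal:3128"; // assumed proxy address
var INTERNAL_DOMAIN = ".example.internal";        // assumed internal domain
var DOTTED_QUAD = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Internal names go direct: the proxy exists to log and to relieve the
  // overloaded Internet link, not to carry LAN traffic.
  if (host === "localhost" || isPlainHostName(host) ||
      dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }

  // Literal private addresses (RFC 1918 and loopback) also go direct. Only
  // call isInNet on a literal IP: given a hostname, the real helper does a
  // DNS lookup per request, which stalls the browser.
  if (DOTTED_QUAD.test(host) &&
      (isInNet(host, "127.0.0.0", "255.0.0.0") ||
       isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }

  // Everything else: the proxy only. No "; DIRECT" fallback, so a proxy
  // outage does not silently turn into unlogged direct access; pair this with
  // a firewall rule that blocks direct outbound web traffic, as the thread notes.
  return PROXY;
}
```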
Re:An even simpler solution (Score:4, Informative)
It's actually pretty easy to disable anything in Firefox/Mozilla.
1. Open Firefox and set the options you want to preconfigure/lock such as the proxy settings.
2. Look in Firefox's config directory for a file called "prefs.js". Under Linux this is in "~/.mozilla/*.default/". Under Windows, this is in "Application Settings\Mozilla\*.default\". On OS X it's in "Library/Mozilla/Firefox/*.default/".
3. Copy the file to lock.js and open it in a text editor.
4. Leave the first line as is (the # line). For any option you want to lock, set "user_pref" to "lockPref". For example:
# this line is required. don't remove
lockPref("network.proxy.ftp", "proxy.somemachine.org");
lockPref("network.proxy.ftp_port", 3128);
lockPref("network.proxy.http", "proxy.somemachine.org");
lockPref("network.proxy.http_port", 3128);
lockPref("network.proxy.ssl", "proxy.somemachine.org");
lockPref("network.proxy.ssl_port", 3128);
5. Download moz-byteshift.pl [knaff.lu] and run it like this:
moz-byteshift.pl -s13 < lock.js > mozilla.cfg
6. Copy the mozilla.cfg file to the root of the Firefox install directory. This is "/usr/lib/firefox/" on most Linux distros, and "c:\windows\Program Files\Mozilla Firefox\" on Windows. On OS X it's in the "Firefox.app" directory.
7. Inside of the Firefox install directory, open the file "greprefs/all.js" and add this line to the bottom:
pref("general.config.filename", "mozilla.cfg");
The user can no longer change the proxy settings, or any other setting you choose to lock.
This works everywhere and options are identical across platforms (except when they include file paths). The only place I haven't had it work is Ubuntu, which apparently does something to break the feature. The method they provide to provide the functionality does not appear to work (I spent a few days googling and trying everything before just disabling the built-in and installing the official build).
Deploying is easy. All you have to do is copy the greprefs/all.js and mozilla.cfg files to the clients. With WPKG this is trivial. Just make sure only the administrator can write to all.js and mozilla.cfg, also make sure that all users can read the file.
Here, I'll even help you out with WPKG. Just save "mozilla.cfg" and "greprefs/all.js" as a self-extracting file with 7-Zip:
<?xml version="1.0" encoding="UTF-8"?>
<packages>
<package id="firefox_restrictions" name="Firefox restrictions" revision="20060922" reboot="false" priority="1">
<depends package-id="firefox" />
<check type="file" condition="exists" path="%PROGRAMFILES%\mozilla.cfg" />
<install cmd='%SOFTWARE%\firefox_restrictions\firefox_rest
</package>
</packages>
Any time you need to push new updates out, just change the revision to the current date.
Re: (Score:2)
This is not true. There certainly is a lot of room for improvement in the Firefox configuration settings management, but what you write can be accomplished by using a locked preferences file.
(assuming that your users cannot write in the Program Files directory and you install Firefox using some automatic installation system)
Re: (Score:2)
There is a way to work around that. Here's what I do.
Install the "IE Tab [mozilla.org]" extension. Extensions are fairly easy to deploy with WPKG, but I'm not g
Re: (Score:2)
One thing that does irritate me about FF is that it won't fill-in username and password fields until the page has completely finished loading (at least not in my Windows/1.5.0.7 install). That's a pain when the site is slow, or includes a slow-to-download third part resource (I'm looking at you, google analytics...) - do I start typing now, and risk FF filling in stuff along side it, or just wait?
No, it's not a big problem, but it
Re: (Score:2)
Who didn't see this coming (Score:4, Interesting)
I'm just amazed that it took this long for it to become big news that this kind of thing is going on.
Re: (Score:2)
If they're doing it for prestige then it could be good for them to start releasing about 10 holes (and make MS know abo
Surprised (Score:3, Interesting)
Re: (Score:2)
never taunt happy fun ball (Score:2)
Alternative: Unregister vgx.dll (Score:5, Interesting)
Why must the internet be neutropenic? (Score:3, Interesting)
But it isn't a long-term solution; it still depends on human-speed recognition of the exploit and development of a patch.
What we need is the spread of viruses/worms/trojans whose payload is the removal of malware. Internet antibodies, as it were. The ultimate goal ought to be an antibody - or, to coin a term, an ant.iBody (ant.eBody?) - software that heuristically determines what is malware and what is legitimate software, preventing the former while allowing the latter and propagates itself across the network.
Of course, deploying something like that would break all sorts of computer security laws...but it's not like that stops anything else.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
The machine is dog slow? They don't realise it's a bot, they just assume that the machine is old.
-nB
Re: (Score:2)
Re: (Score:2)
Even if the development of fixes to exploits isn't accelerated, and the heuristic approach fails, having hordes of zombie boxes that are zombies specifically for the purpose of distributing malware fixes has got to be faster than trusting people to consciously patch their own computers.
The beauty of it is, of course, that the very people least likely to notice, care about, remove, or
Re: (Score:2)
Perhaps the way to do this is to do the one thing the black hats are not doing: Get the user's consent to install. Use the same IE exploits, but with consent.
I like the idea of reputable, popular sites offering immunization antibodies to malware viruses as part of the IE browsing experience. Some people will go ahead and instal
Poor Stew. (Score:5, Funny)
Stewart said in an interview with eWEEK. Stewart, who is volunteering his reverse-engineering skills and time to ZERT in his private capacity, wrote an early version of the VML (Vector Markup Language) patch the group released Sept. 22 and worked closely with others to fine-tune the update to minimize potential glitches."
Very noble of him to volunteer, but we all know what happens in the movies to the character who mistakenly sacrifices themselves to defend the bad guy. At this moment, chairs are flying and the heavy weights at M$ are screaming things like, "This guy is making us look bad! Steve smash!" A much cooler arch villain grins maniacally at his underling and contemplates co-opting as much of the work as possible before dropping both of them into a pool of red hot magma.
What will the real world fate be for poor Stew? DMCA suit? C&D for trade secret or patent infringement? Who knows! But none of it will really make windoze a place that's safe for your work.
Re: (Score:2)
-Joe
Re: (Score:2)
Re: (Score:2)
As long as they don't call me Stew... I really dislike that.
Sorry, cuts of meat simmering all day on the stove just seemed appropriate. It was not supposed to be insulting. Good luck.
Re: (Score:3, Funny)
Other volunteers involved with the ZERT initiative include
* Halvar Flake, CEO and head of research at Sabre Security;
* Ilfak Guilfanov, author of the IDA Pro binary analysis tool;
* Paul Vixie, founder of the ISC (Internet Software Consortium);
* Roger Thompson, chief technology officer of Exploit Prevention Labs;
* Florian Weimer, a German computer expert specializing in Linux and DNS (Domain Name System) security.
These guys are top-notch. I can't give enough praise to show
The Church of Microsoft (Score:3, Interesting)
Is the industry gullible? (Score:2)
What did MS think when coming up with the idea of "patch Tuesday"? Sure, it's something you can adjust to as an admin, knowing exactly when
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
There will always be a time difference between a problem being found, a patch being released and finally that patch being applied. Having a single day where most patches will be released allows large sites to properly schedule
Re: (Score:2)
If you examine the monthly load of patches, you will find that it regularly occurs that critical or important patches are released on patch tuesday that have been compiled weeks or even more than a month before.
Now, you would think that would give them some time to test. However, the results of those tests are not used to determine if a patch is going to be released the next
Re: (Score:2, Insightful)
Re: (Score:2)
works for mozilla (Score:2)
Re: (Score:2)
I love corporate america.
How they recruit for zero day team (Score:1)
We're not that interested in your l33t h4x0r skillz. How good are you at time travel?
A demonstration? Sure. No, you don't have to take your clothes off now, that's only in Terminator; it's just a movie. Put them back on now. I said put them back on. I know it's cold in here. And the physical takes place when you're actually hired. Next please.
Open Source? (Score:1)
Now it appears to me that this is an open source solution to a proprietary problem. Isn't this what the OSS crowd has said all along - that the OSS side gets patches out in a much more timely manner? Also, does anybody know what license is being attached to these patches?
MS can do it as fast as these little twerps (Score:3, Insightful)
But they don't want to. There are thousands and thousands of sites that have hacked up code to step around the bugs in IE. They all will break if they lost backward compatibility to these harebrained hacks that depend on the bugs in IE. MSFT considers it a big loss of face if more sites work in FF than in IE. If they fix all their bugs and holes in IE, more sites will work in Opera and FF than in IE. That is a big no-no. That is why they tread cautiously making sure they fix the hole, just that hole, and nothing but that hole, and fix it just enough, so that most of the other hacks can continue to work. That is why they are so slow in responding. That is why the fix has to be fixed and fixed again.
I don't care, this doesn't matter. (Score:2)
philters (Score:2)
The patch can be downloaded..... (Score:4, Funny)
www.getfirefox.com
www.opera.com
Meh. (Score:2)
There's a better solution to all these problems. Properly implemented QoS on ISPs and Servers so that the extra bandwidth usage generated by this crap doesn't prevent those of us running secure systems (Windows on a tight-ship, Linux or OS X) don't get hosed by the unwashed masses.
The vast majority of malware traffic isn't 0-day; it's ancient stuff running on older unpatched systems. As long as they don't bump us off the interwebs, I don't see why I should care.
Patching & Cleanup are a poor solu