
IE security holes spread spyware/adware

Ah, but what percent are, say, apache on linux 2.4? on linux 2.2? on win32? on solaris? on other *nixes? A successful exploit would likely only run on just a subset of all apache servers out there.

So? Mozilla is in the same spot.

You know that for a fact?

Of course not, but if he can speculate, so can I.
 
Set Windows Update to automatically DL updates and don't do anything stupid and you should be fine.

Spyware/adware writers are (obviously) going to target a browser that most of internet users taken as a whole use.


EDIT: I don't have Spyware problems on IE. Scans prove it...
 
Originally posted by: Nothinman
Ah, but what percent are, say, apache on linux 2.4? on linux 2.2? on win32? on solaris? on other *nixes? A successful exploit would likely only run on just a subset of all apache servers out there.

So? Mozilla is in the same spot.

It's an impossible argument to sustain. MS software may be a bigger target, but it's the only target that gets hits over and over and over and over again. No other OS, no other piece of software gets exploited and causes users as many problems as IE.

The fact of the matter is that no one is able to prove a direct correlation between software popularity and vulnerability.

It's impossible, because we are working with a sample size of ONE.

1. Browser gets new vulnerabilities on a month by month basis.
2. Browser is 90+ percent of the market.

Coincidence? Who knows? How can you tell?

Fact is that for whatever reason, if you use IE the world wide web is a minefield, and if you use Firefox you don't have to worry about it that much.

Ironically the number one threat against using firefox in windows is that an exploit can possibly run a program using Internet Explorer.
You know that for a fact?

Of course not, but if he can speculate, so can I.

Well for the development of Win9x we can probably agree that it was a fact. 😛

We'll see how much MS's new concentration on security pays off in 3-4 years when the next generation of MS software based on Longhorn gets commonplace.


Set Windows Update to automatically DL updates and don't do anything stupid and you should be fine.

Spyware/adware writers are (obviously) going to target a browser that most of internet users taken as a whole use.


EDIT: I don't have Spyware problems on IE. Scans prove it...

I don't have much of a problem either, right now I am using Win95 and IE (it's either this or nothing) and I do most of my posts from it. But I haven't had a problem, then again I only visit websites that I trust and sit behind a proxy.

At home I use Firefox, obviously.

However most people are not capable of being as web-savvy as us. Right now I can have a 10 year old use Firefox with impunity and not have to worry about anything. (except if they download something and run it inside windows, of course.)
 
Maybe I am missing something, but I don't see how it matters if the "internals" of the browsers are different. So? Now everyone just has to write the viruses, etc differently

Are you a programmer? The internals are what's being exploited, all of the 'IE exploits' are really MSHTML exploits that could affect OE, Outlook, MS Help viewer and anything else that uses MSHTML to render HTML. Imagine for a second if the IE team actually used C++ strings and checked buffer sizes before copying data around, 2/3 of their exploits would have never happened. I haven't personally examined the code but I'm sure someone has run something like the Stanford checker over Gecko by now.
No. I am not a programmer. But I still think my basic point is the same. And it is this: If someone can program it, someone else can write a hack/virus/exploit/whatever you want to call it. So, Microsoft's products are vulnerable because multiple products use the same code. Okay. That still doesn't alter the basic premise I have that if everyone were using Firefox then the hackers et al would just need to write viruses/exploits/etc to take advantage of any problems in its code.

I'm not sure how a nightly build will help. Not everyone is going to install their Mozilla browser nightly. And if they did that defeats the first insult of the post: "If you're tired of patching the 'Security Hole of the Day'". Seems to me installing a nightly build is the same thing as a patch of the day. I doubt nightly builds will happen forever with any software.

Have you even worked in/near a development project? Nightly builds happen automatically no matter what so the QA team can test them, but if a bug fix is checked in one night you can be sure that the next nightly build has that fix and you can use it whether an official build is put out. It's not a perfect solution, but it's more than MS gives you.
I am understanding how the nightly builds help develop the product (ie QA team). That makes perfect sense to me. The point that you seemed to have helped me with is that the next nightly build will have a fix that was posted the previous day. This does not answer my question as to how this is all that different than with IE. I admit IE does not have fixes available nightly. Since I contend that many of the problems with IE also lay with the fact that a huge majority of IE users either do not (out of laziness) or simply are unaware of how or that they should patch. Check for IE patches and install them when available. Seems to me you are saying the same thing. Check for nightly builds and fixes of reported bugs, and get the new fixes. How is this fundamentally different? The joke about IEs/MSs "patch of the day" seems pretty lame when you say that a nightly build of Mozilla will fix the problem. Again, I understand this is for the QA people or people like you who are interested in securing your PC. The same kind of person that doesn't update IE for whatever reason, is not going to update any other browser either. I also understand having the fixes available nightly is better than what MS does with its weekly or monthly fixes. My point being that assuming I am at least somewhat correct (and looking at blaster, sasser, nimda, etc - I am) that people do not patch weekly or monthly and certainly not daily.

And the bottom line is that most all big worms/viruses that are spread by IE all have patches available before the viruses hit.

And most drunk drivers survive car accidents, does that mean you shouldn't care about driving drunk?
So you are implying I am a drunk driver? That is a bad analogy. I am more like the drunk who has chosen to get drunk and then take a cab home. Sure, I suppose I can still possibly be responsible for causing someone else to die in some accident. I mean, once I squeeze my hand through the little payment window and somehow take control of the cab. If I were using an unpatched version that would be appropriate. My patched IE isn't going to install spyware or spread viruses to someone else's computer.

Another part is Microsoft's, let's just say, "not the best" method of making these patches known for people who don't know better.

The bigger part is Microsoft's, let's just say, "screw code inspection, if it compiles consider it good enough".
It's these type of statements that make me think crusade. At least I am willing to acknowledge the shortcomings/flaws/problems with the browser I choose. It seems to me that many people are unwilling to admit that even the potential for problems exist with "their" choice browser.

I am in no way denying that IE, when run unpatched, does have security holes. I am responding to people who think that Firebird/Mozilla/Opera/etc are the perfect foolproof "we have NO security problems whatsoever" people. I still contend that if/when they are being used by over 90% of the computing population they will have problems too. You keep telling yourself they won't. You people can say I am spreading FUD. You are just peddling wishful thinking and hope. Until you can prove to me this won't happen, statistically and logically speaking, I am right.

Look at historical evidence.
I am. This type of security was not a big problem with IE when IE was one year old either. Or when its market share was in the single digits. Funny thing happened after it became the dominant global browser for several years. Then the sh!t hit the fan and things have only gotten worse. It continues to vex me that people don't/can't/won't see this. Or maybe they do and don't want to admit it may happen to "their" browser too one day.

\Dan
 
No. I am not a programmer. But I still think my basic point is the same. And it is this: If someone can program it, someone else can write a hack/virus/exploit/whatever you want to call it. So, Microsoft's products are vulnerable because multiple products use the same code. Okay. That still doesn't alter the basic premise I have that if everyone were using Firefox then the hackers et al would just need to write viruses/exploits/etc to take advantage of any problems in its code.

The basic premise is true, but you have to consider the product itself as well. No one but MS developers get to see the code for MSHTML so we can't really judge their code, but Gecko is out in the open for everyone to see. In any project a basic buffer overflow can be avoided or at least have the damage minimized with some basic coding techniques like using real string libraries and basic sanity checks before copying buffers, it's obvious MS doesn't do this anywhere near as often as they should. Almost all of their problems have been with buffer overflows in the RPC subsystem, MSHTML, IIS, etc. I for one think they're pushing for .NET so much because they want to use it internally because it'll stop most of their buffer overflow problems since 'safe' .NET languages are much stronger typed and come with safer string libraries.

I am understanding how the nightly builds help develop the product (ie QA team). That makes perfect sense to me. The point that you seemed to have helped me with is that the next nightly build will have a fix that was posted the previous day. This does not answer my question as to how this is all that different than with IE

It's different because with IE there are no available nightly builds, they're all internal to MS only.

Check for IE patches and install them when available

Emphasis mine. You have to wait for MS to develop, QA and regression test each patch before it's available. With using a Mozilla nightly there's a little more risk that the build might be unstable since it's a development tree but at least it's something and you can grab the next night's if it's so unstable that you can't take it.

Since I contend that many of the problems with IE also lay with the fact that a huge majority of IE users either do not (out of laziness) or simply are unaware of how or that they should patch

That's definitely part of it, but I still feel that MS is doing an extremely poor job with their products from a security standpoint. Buffer overflows should be easily avoided and yet we see them day after day and I know not just from MS.

It's these type of statements that make me think crusade. At least I am willing to acknowledge the shortcomings/flaws/problems with the browser I choose. It seems to me that many people are unwilling to admit that even the potential for problems exist with "their" choice browser.

Think what you will, I just got tired of dealing with MS' crap all the time. I worked on a helpdesk for a few years and after you do that you get a good understanding for just how poor all software in general is, even that which comes from MS. Everyone keeps saying "Is Linux ready for prime time?" and I keep thinking "Hell, MS software isn't ready for prime time" because of all the incredibly stupid things that come up. I would be willing to acknowledge any security shortcomings of Gecko if I knew of any off hand, but when was the last security bulletin for it?

This type of security was not a big problem with IE when IE was one year old either

IE at 1 year supported pretty much only font changes, pictures and tables and maybe frames. In the years it's gotten magnitudes more complex even though it doesn't support all the W3C standards fully. And back in those days the Internet was a lot smaller and a lot friendlier, do you remember seeing security patches for Netscape 4.x every few weeks back then?

Then the sh!t hit the fan and things have only gotten worse. It continues to vex me that people don't/can't/won't see this. Or maybe they do and don't want to admit it may happen to "their" browser too one day.

The funny thing is that products like bind and sendmail which have a bad reputation in the unix/OSS world still have better recent track records than IE. You would think that since bind, sendmail and apache are the foundation of the Internet that we would see people going after them more, especially since the code is open.
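
An added illustration, not part of any poster's message and not code from any project discussed in this thread: the "real string library plus a sanity check before copying" idea from the post above, reduced to a minimal C sketch. The `sbuf` type, `sbuf_append`, `build_host_line` and the sample inputs are hypothetical names and values constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical length-tracked string: capacity and length travel with the data. */
typedef struct {
    char   data[64];
    size_t len;                 /* bytes in use, excluding the terminating NUL */
} sbuf;

enum { SBUF_OK = 0, SBUF_TOO_LONG = -1, SBUF_BAD_ARG = -2 };

void sbuf_init(sbuf *b) { memset(b, 0, sizeof *b); }

/* Append n bytes of src, or leave b untouched and report why not. */
int sbuf_append(sbuf *b, const char *src, size_t n)
{
    if (b == NULL || src == NULL || b->len >= sizeof b->data)
        return SBUF_BAD_ARG;
    /* Compare n against the room left; computing len + n could wrap around. */
    size_t room = sizeof b->data - 1 - b->len;
    if (n > room)
        return SBUF_TOO_LONG;   /* refuse instead of writing past the end */
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';
    return SBUF_OK;
}

/* Constructed scenario: build "Host: <value>" from an untrusted value. */
int build_host_line(sbuf *out, const char *value, size_t value_len)
{
    if (out == NULL)
        return SBUF_BAD_ARG;
    sbuf tmp;                   /* work on a copy so a failure leaves *out intact */
    sbuf_init(&tmp);
    int rc = sbuf_append(&tmp, "Host: ", 6);
    if (rc == SBUF_OK)
        rc = sbuf_append(&tmp, value, value_len);
    if (rc == SBUF_OK)
        *out = tmp;
    return rc;
}

int main(void)
{
    char oversized[200];        /* constructed input, longer than the buffer */
    memset(oversized, 'A', sizeof oversized);

    sbuf line;
    sbuf_init(&line);
    printf("short value: %d (%s)\n",
           build_host_line(&line, "example.test", 12), line.data);
    printf("oversized:   %d (%s)\n",
           build_host_line(&line, oversized, sizeof oversized), line.data);
    printf("absurd len:  %d\n", build_host_line(&line, "x", SIZE_MAX));
    return 0;
}
```
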
 
I hate the bloated looks of all other programs. IE can be simple and sleek, thats why I use it.
I felt the same way... have a look at Firefox, it's even simpler and sleeker. Added bonuses are people don't bend over backwards trying to exploit it and it's not tied into your OS.
 
Originally posted by: drag
However most people are not capable of being as web-savvy as us. Right now I can have a 10 year old use Firefox with impunity and not have to worry about anything. (except if they download something and run it inside windows, of course.)

Careful, spyware makers are starting to provide XPI installers. Either use one of the browsers with XPI whitelisting (not sure which have it right now), or find a way to restrict them (or teach user to click no).
 
Since I'm in I.T., it's not a hassle for me to patch. I work with the machine everyday - don't you ????

I'm always up to date and I've never had a virus/bug/etc. except when I ran IIS on my home machine. They threw random files on my machine then, but that was it.

I don't mind IE at all. I have Firefox installed and I keep going back to IE.
 
Originally posted by: CTho9305
Originally posted by: drag
However most people are not capable of being as web-savvy as us. Right now I can have a 10 year old use Firefox with impunity and not have to worry about anything. (except if they download something and run it inside windows, of course.)

Careful, spyware makers are starting to provide XPI installers. Either use one of the browsers with XPI whitelisting (not sure which have it right now), or find a way to restrict them (or teach user to click no).


Well, that's a potential problem, but it's not any worse than being prompted to download and run any other executable binary. They haven't gotten around the:
"A Web site is requesting permission to install the following item (Unsigned):" "Malicious software can damage your computer or violate your privacy. You should only install software from sources that you trust."
Warning have they?

It's the same risk as any other download for a *.exe file. Like if you have a javascript redirect using a download link for a binary file.

Stuff like that is why I, using windows, would be sure to still have Adaware, Anti virus stuff + friends, even if I used Firefox in it.

I figure eventually that even stuff like Linux will start getting more and more nasty stuff, but it will be a while and I don't think the problem will ever be the same magnitude as Windows problems are now.

(plus I think that firefox in the near future will have XPI whitelists.)
 
Originally posted by: EeyoreX
I am. This type of security was not a big problem with IE when IE was one year old either. Or when its market share was in the single digits. Funny thing happened after it became the dominant global browser for several years. Then the sh!t hit the fan and things have only gotten worse. It continues to vex me that people don't/can't/won't see this. Or maybe they do and don't want to admit it may happen to "their" browser too one day.

\Dan

Check when security started becoming a _BIG_ topic. It's a fairly recent event for most of the Internet. Hell, Microsoft only recently got on the bandwagon, and Linux jumped onboard not too long before that. I bet you will see a pattern. Microsoft gets big. Problems come up. Security becomes a big topic. Microsoft _ignores it_. But that wasn't my point, originally. I just wanted to point out the inconsistency here. In general, programmers didn't worry about security until fairly recently.

But as far as historical context goes, how does the vulnerability rate of Apache compare to IIS? And please, don't give us the BS of "different platforms" because that isn't an argument. Overall, Apache runs about the same on win32 as it does on Solaris.

I'm not saying it won't happen to mozilla/firefox at all. In fact, I kind of hope it does. 😉

EDIT:
It's these type of statements that make me think crusade.

This isn't a crusade, it's a jihad. Everyone from the virus writers, to the script kiddies, to the hackers that know what they are doing is participating. Microsoft is the crusader, trying to rape and pillage what it can from the world before we wake up.
 
Originally posted by: Nothinman
The funny thing is that products like bind and sendmail which have a bad reputation in the unix/OSS world still have better recent track records than IE. You would think that since bind, sendmail and apache are the foundation of the Internet that we would see people going after them more, especially since the code is open.

Heh, it is kind of funny to compare IE to one of those. 😛
 
But as far as historical context goes, how does the vulnerability rate of Apache compare to IIS? And please, don't give us the BS of "different platforms" because that isn't an argument. Overall, Apache runs about the same on win32 as it does on Solaris.

But the thing is generally an exploit for Apache on Solaris won't work on Apache on Win32 unless it's something like a SQL injection bug in PHP or something. But I guess that's one more reason to use Apache over IIS, more choices on platform. I know I like the fact that my Linux firewall is a sparc64 because the chances of a remote Linux kernel exploit are slim but the chances that there's one that works on sparc64 is even less probable.
 
Originally posted by: Nothinman
But as far as historical context goes, how does the vulnerability rate of Apache compare to IIS? And please, don't give us the BS of "different platforms" because that isn't an argument. Overall, Apache runs about the same on win32 as it does on Solaris.

But the thing is generally an exploit for Apache on Solaris won't work on Apache on Win32 unless it's something like a SQL injection bug in PHP or something. But I guess that's one more reason to use Apache over IIS, more choices on platform. I know I like the fact that my Linux firewall is a sparc64 because the chances of a remote Linux kernel exploit are slim but the chances that there's one that works on sparc64 is even less probable.

But there is a very good chance the vulnerability is still there. It just takes someone with an iq above 2 to exploit it.

The exploits for different platforms are out there. They don't stop at x86. 😉
 
But there is a very good chance the vulnerability is still there. It just takes someone with an iq above 2 to exploit it.

Maybe I'm just mentally retarded, but I think it takes more than an IQ of 2 to write shellcode. And I'm not saying they stop at x86, but that they're a lot less frequent for non-x86 instruction sets. And on top of that most non-x86 CPUs support NX in hardware as long as the OS actually uses it.
 
Originally posted by: Nothinman
But there is a very good chance the vulnerability is still there. It just takes someone with an iq above 2 to exploit it.

Maybe I'm just mentally retarded, but I think it takes more than an IQ of 2 to write shellcode.

You're right. It does. Bad exaggeration on my part. 🙂

And I'm not saying they stop at x86, but that they're a lot less frequent for non-x86 instruction sets.

Not for big bugs on cross platform software. Non-x86 exploits might be harder for most people to get a hold of, but there are enough of them out there to be worried about it, IMO. 😉

And on top of that most non-x86 CPUs support NX in hardware as long as the OS actually uses it.

Platforms that I am pretty sure have per page execution permissions: sparc4m, sparc4u, amd64, alpha. PPC only has it in the high end models, and i386/x86 will support it RSN.

And which OSes really do? OpenBSD. Linux has some patches for it (but PaX still isn't in the vanilla kernel :|). I'm sure FreeBSD/NetBSD will support it soon if they don't already. sp2 is supposed to support it for XP. Solaris has non-exec heap and non-exec stack support, but IIRC they are turned off by default.

Plus, there are ways around it, one of them pointed out by Linus.

Anyways, this is fairly off topic. 😉
 
To: cert-advisory@cert.org
Subject: US-CERT Technical Cyber Security Alert TA04-163A -- Cross-Domain Redirect Vulnerability in Internet Explorer

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Technical Cyber Security Alert TA04-163A

Cross-Domain Redirect Vulnerability in Internet Explorer

Original release date: June 11, 2004
Last revised: --
Source: US-CERT


Systems Affected

Microsoft Windows systems


Overview

A cross-domain vulnerability in Internet Explorer (IE) could allow an
attacker to execute arbitrary code with the privileges of the user
running IE.


I. Description

There is a cross-domain vulnerability in the way IE determines the
security zone of a browser frame that is opened in one domain then
redirected by a web server to a different domain. A complex set of
conditions is involved, including a delayed HTTP response (3xx status
code) to change the content of the frame to the new domain.
Vulnerability Note VU#713878 describes this vulnerability in more
technical detail and will be updated as further information becomes
available.

Other programs that host the WebBrowser ActiveX control or use the
MSHTML rendering engine, such as Outlook and Outlook Express, may also
be affected.

This issue has been assigned CVE CAN-2004-0549.


II. Impact

By convincing a victim to view an HTML document (web page, HTML
email), an attacker could execute script in a different security
domain than the one containing the attacker's document. By causing
script to be run in the Local Machine Zone, the attacker could execute
arbitrary code with the privileges of the user running IE.

Publicly available exploit code exists for this vulnerability, and
US-CERT has monitored incident reports that indicate that this
vulnerability is being actively exploited.


III. Solution

Until a complete solution is available from Microsoft, consider the
following workarounds.

<snipped>

Vulnerability Note VU#713878
 