
HTML Forum

This 40 message thread spans 2 pages.
Patches Coming for 9 Fresh IE Holes
Brace yourself:
Brett_Tabke

WebmasterWorld Administrator brett_tabke us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 8292 posted 4:25 pm on Jul 13, 2004 (gmt 0)

[slashdot.org...]

At what point do we need to shift the focus here and start posting slashdot stories when they find some code in IE that actually works?

What's sad is that Internet Explorer 6 was released about two and a half years ago, has had no new features added, and they still haven't finished fixing it.


 

amznVibe

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 8292 posted 4:38 pm on Jul 13, 2004 (gmt 0)

Ah you beat me to it :)

my favorite part:

Solution:

Disable Active Scripting.

Use another product.

Looks like Firefox 1.0 can't come soon enough [webmasterworld.com].

isitreal

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 8292 posted 5:02 pm on Jul 13, 2004 (gmt 0)

MS has always had a certain scorn for the web, that's why they've lagged behind consistently, whether it's the initial decision to even make a browser, a search engine, or a portal.

Simply put, I don't believe any of the MS brass, including gates, really likes the web that much, or cares about it, except when it looks like maybe they can start generating cash by trying to gain control of some part of it by installing another default app into Windows, like Windows media player, to try to get cash flow going through drm type garbage.

Opensource, on the other hand, wouldn't exist if it weren't for the web, it's built on it. MS is built around a closed network, with a centralized structure, it's the model they understand, and it's the model they project out onto the world as the most desirable way for things to work. It's the model they tried to cram down the corporate world's throat, was that palladium?, where all data is centralized on ms servers. Initiative drops like a lump of lead, totally rejected.

Stopping development on IE 6 is just one manifestation of this ambivalence towards the web and all that is web related. However, when you stop development on something as complex as a browser for 2.5 years while Gecko/Opera/KHTML are raging full steam ahead, something is going to change. One problem for MS of course is that they don't make money off IE, in fact it costs them money, unless they can leverage stuff like default search page msn into actual cash flow.

One possible reason MS doesn't like the web? It's built on fully open standards, not controlled by MS. Well, they tried, active x, XAL [I think], vbscript etc.

If MS didn't occupy a near monopoly position on the desktop, there would be equally universal non proprietary document standards, and they would work as well as the web standards currently do.

MarkHutch

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 8292 posted 5:18 pm on Jul 13, 2004 (gmt 0)

I just found two new ones and installed them. One was for Windows 98 and one for Outlook Express. Hard to believe there are still holes in Windows 98.

Leosghost

WebmasterWorld Senior Member leosghost us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 8292 posted 5:25 pm on Jul 13, 2004 (gmt 0)

Oh are there ever holes in 98...

Farix

10+ Year Member



 
Msg#: 8292 posted 5:28 pm on Jul 13, 2004 (gmt 0)

> Hard to believe there are still holes in Windows 98.

Hard to believe that MS would actually fix one of them. I thought they had dropped all support for Win98.

MarkHutch

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 8292 posted 5:34 pm on Jul 13, 2004 (gmt 0)

I guess in 2010 they will still be fixing holes in XP. :(

Microsoft CEO Touts Security Push at Conference - Ballmer said that Microsoft's Windows Automatic Update service has seen a fivefold increase in downloads over the last 10 months, with more than 112,000 servers accessing Microsoft's computers that check for updates on a daily basis.

[reuters.co.uk...]

CritterNYC

10+ Year Member



 
Msg#: 8292 posted 6:34 pm on Jul 13, 2004 (gmt 0)

New IE Vulnerabilities

In addition to the unpatched vulnerability currently being exploited, Secunia has found 4 new critical flaws in Internet Explorer version 5.01, 5.5 and 6.0 on Windows. These new flaws again allow for the execution of arbitrary code (read: auto-installed spyware, malware, spamware). Details of the vulnerabilities as well as proof-of-concept exploit code is available here:
[secunia.com...]

Word and MSN Messenger shell: exploit

Apparently, MS Word and MSN Messenger are also vulnerable to the shell: exploit that Mozilla recently patched. The vulnerability is due to a security issue within Windows that will be patched by Windows XP Service Pack 2. There is currently no other patch available.
[infoworld.com...]

Locking Down Internet Explorer

There is no patch for the 5 current exploits. To protect yourself, Internet Explorer should be set to disable Active Scripting (VB and Javascript) on all websites except those in your Trusted Sites Zone. To accomplish this:

1. Launch Internet Explorer
2. Click TOOLS and then Internet Options.
3. Click the Security Tab.
4. Select the Internet Web content zone.
5. Click Custom Level.
6. In the list, scroll down to Active Scripting and set it to Disabled.
7. Click Ok
8. Select the Local Intranet Web content zone.
9. Click Custom Level.
10. In the list, scroll down to Active Scripting and set it to Disabled.
11. Click OK.

IMPORTANT: This should lock you down safely, but will break any site relying on Javascript. If you encounter a site you wish to enable Javascript for, you can add it to your Trusted Sites zone.

1. Launch Internet Explorer
2. Click TOOLS and then Internet Options.
3. Click the Security Tab.
4. Select the Trusted Sites content zone.
5. Click the Sites button.
6. Add any sites you wish to trust.
7. Uncheck the Require HTTPS checkbox.
8. Click OK.

Windows XP Service Pack 2

Windows XP Service Pack 2 (currently in Beta as a Release Candidate) should fix the 5 vulnerabilities mentioned above, however, Microsoft does not recommend running it on production systems. Additionally, there has already been a report of a script-injection technique on IE in SP2 that is still working. This has not yet been verified.

If you genuinely wish to continue using IE and need Javascript enabled for all sites, it may be worth checking out Windows XP SP2. A number of people are running it on their systems without issues (plus the popup blocker in the new IE is supposed to be pretty good), so it may be worth a shot.

Switch to an Alternate Browser

You may also wish to consider switching to another browser without these security issues. Mozilla 0.9.2 is an option as is Opera 7.52. Note the version numbers as previous versions of those browsers have security issues as well.

[mozilla.org...]
[opera.com...]
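
The lockdown steps in the post above, as an added example that is not part of the original post: a PowerShell sketch that applies and audits the same Internet Options settings through the per-user registry. It relies on the documented zone values (URL action `1400` for Active Scripting, `Flags` bit `0x4` for the Require HTTPS checkbox); the function names and the simplified policy-precedence order are assumptions of this example.

```powershell
# Added example: audit and apply the Internet Options settings from the post.
# URL action 1400 = Active Scripting: 0 = Enable, 1 = Prompt, 3 = Disable.
# Zones: 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet.
$Settings  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Policies  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Checked in order; a policy value, if present, wins over the per-user setting
# (simplified precedence, an assumption of this example).
$Roots     = @("HKLM:\$Policies", "HKCU:\$Policies", "HKCU:\$Settings")
$ZoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet' }
$States    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Hypothetical helper: return the first value found for a zone, and where it came from.
function Get-ZoneValue {
    param([int]$Zone, [string]$Name)
    foreach ($root in $Roots) {
        $item = Get-ItemProperty -Path "$root\$Zone" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.$Name; Source = $root }
        }
    }
    return $null   # value not set anywhere
}

# Hypothetical helper: one row per zone with the effective Active Scripting state.
function Get-ActiveScriptingReport {
    foreach ($zone in 1, 2, 3) {
        $scripting = Get-ZoneValue -Zone $zone -Name '1400'
        $flags     = Get-ZoneValue -Zone $zone -Name 'Flags'
        [pscustomobject]@{
            Zone            = $ZoneNames[$zone]
            ActiveScripting = if ($scripting) { $States[$scripting.Value] } else { 'Not set' }
            # Flags bit 0x4 is the "Require server verification (https:)" checkbox.
            RequireHttps    = if ($flags) { [bool]($flags.Value -band 4) } else { $null }
            Source          = if ($scripting) { $scripting.Source } else { $null }
        }
    }
}

# Hypothetical helper: set Active Scripting to Disabled for the given zones.
function Disable-ActiveScripting {
    param([int[]]$Zone = @(1, 3))   # Local Intranet and Internet, as in the post
    foreach ($z in $Zone) {
        $path = "HKCU:\$Settings\$z"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name '1400' -Value 3 -Type DWord
    }
}

Disable-ActiveScripting
Get-ActiveScriptingReport | Format-Table -AutoSize
```

A row whose `Source` is a Policies key means the per-user change is overridden by policy. With `RequireHttps` false for Trusted Sites, entries added as plain `http://` regain scripting without server verification, so that list is worth reviewing in the same report.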

CritterNYC

10+ Year Member



 
Msg#: 8292 posted 6:41 pm on Jul 13, 2004 (gmt 0)

On a related note, Secunia also found a cross-named-frame spoofing vulnerability that affects pretty much every browser in existence except the latest Opera and Mozilla / Firefox.

[secunia.com...]

Brett_Tabke

WebmasterWorld Administrator brett_tabke us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 8292 posted 9:22 pm on Jul 13, 2004 (gmt 0)

Microsoft has issued a set of 5 new patches for XP, Outlook, and IE. Please update your computer system.

[software.silicon.com...]

Leosghost

WebmasterWorld Senior Member leosghost us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 8292 posted 10:00 pm on Jul 13, 2004 (gmt 0)

~;)

Hardwood Guy

10+ Year Member



 
Msg#: 8292 posted 10:52 pm on Jul 13, 2004 (gmt 0)

Okay, you guys finally convinced me---trash IE and go with Firefox. Gettin' too spooky out there for me:)

grelmar

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 8292 posted 11:15 pm on Jul 13, 2004 (gmt 0)

Bring it on baby.

I'll keep using FF, and building up my kid's college funds de-virusing the machines of people who don't want to make the switch.

CritterNYC

10+ Year Member



 
Msg#: 8292 posted 11:24 pm on Jul 13, 2004 (gmt 0)

> Microsoft has issued a set of 5 new patches for XP, Outlook, and IE. Please update your computer system.

I count 4 myself:

  • Security Update for Windows XP (KB841873)
  • Cumulative Security Update for Outlook Express 6 SP1 (KB823353)
  • Security Update for Windows XP (KB840315)
  • Security Update for Windows XP (KB839645)

Microsoft has released 3 Windows patches and 1 Outlook Express patch. The shell: exploit is one of the patches made, so this should take care of the original IE exploit as well as the new MSN and Word exploits. There is also a fix for an htmlHelp vulnerability and a Task Scheduler vulnerability.

At this point, it does not look like this will fix the latest 4 vulnerabilities posted by Secunia.com as they are exploits within other systems (Javascript and the Channels zone in IE), but I could be mistaken. This means that IE is still vulnerable to arbitrary code execution. I would suggest watching their advisory and Microsoft's site for updates.

The 4 patches are available through Windows Update. The shell: exploit patch failed on my PC. Downloading and running it directly solved the problem. If this occurs on your system, you can download it here:
[microsoft.com...]

Krapulator

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 8292 posted 12:00 am on Jul 14, 2004 (gmt 0)

It's great to see the issues of alternative browsers beginning to hit the mainstream. Surely any exodus from IE will encourage Microsoft to really put some hard work into improving their browser dramatically and perhaps raising the bar for all web browsers.

Teknorat

10+ Year Member



 
Msg#: 8292 posted 12:24 am on Jul 14, 2004 (gmt 0)

grelmar you took the words right out of my mouth. ;)

ScottM

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 8292 posted 12:24 am on Jul 14, 2004 (gmt 0)

> Microsoft has issued a set of 5 new patches for... Outlook

Microsoft is showing no need on my computer for an update to Outlook 2003 at this time. Perhaps you meant Outlook Express?

Brett_Tabke

WebmasterWorld Administrator brett_tabke us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 8292 posted 12:37 am on Jul 14, 2004 (gmt 0)

I got 3 on 98 and 5 on Xp CritterNYC - not sure what they were, but I'd just updated over the weekend. It is what others are reporting too.

Not sure what it all depends on...

Leosghost

WebmasterWorld Senior Member leosghost us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 8292 posted 12:47 am on Jul 14, 2004 (gmt 0)

> I'll keep using FF, and building up my kid's college funds de-virusing the machines of people who don't want to make the switch.

even if everyone with 'doze switched to another browser tomorrow ..there are still so many ways to contaminate the OS.. via cds ..memory sticks , flash cards , games copied from your kids friends with the downloaded version ( cracked of course ) of clone*** ....ah the list goes ever on ..
I may actually start a thread on it one day ..not a "how to hack" ..just a "what not to"....

But the work in clean ups is guaranteed for many of us for years to come ...even if some of it is gonna come from "blindfolding palladium" boxes..

bill

WebmasterWorld Administrator bill us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 8292 posted 3:56 am on Jul 14, 2004 (gmt 0)

I just got 6 on my XP machine:

  • Cumulative Security Update for Outlook Express 6 SP1 (KB823353)
  • Security Update for Windows XP (KB840315)
  • Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773)
  • Security Update for Windows XP (KB841873)
  • Security Update for Windows XP (KB839645)
  • Security Update for Windows XP (KB835732)

I'm kind of glad MS has stopped doing the one release a month routine. I'd rather they got these holes closed when they occur.

amznVibe

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 8292 posted 4:14 am on Jul 14, 2004 (gmt 0)

Yeah, Microsoft released seven patches, two critical, but none for Internet Explorer however:
[microsoft.com ]

Be sure to check [windowsupdate.microsoft.com ] today if you have automatic updates turned off.

sem4u

WebmasterWorld Senior Member sem4u us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 8292 posted 7:21 am on Jul 14, 2004 (gmt 0)

It is unbelievable. Took me ages to download the updates on my dial up account last night at home :(

(Don't even ask why I don't have broadband!)

Hester

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 8292 posted 8:54 am on Jul 14, 2004 (gmt 0)

> You may also wish to consider switching to another browser without these security issues. Mozilla 0.9.2 is an option as is Opera 7.52.

That should of course have read "Mozilla Firefox 0.9.2" as Mozilla is a separate browser, currently at version 1.7.

Hanu

10+ Year Member



 
Msg#: 8292 posted 9:22 am on Jul 14, 2004 (gmt 0)

Why do people still believe that Firefox has fewer bugs than IE? I agree that right now FF is an alternative because there are fewer exploits for FF than for IE. But this is not because it has fewer bugs. It's just because only 1-5% use it, which makes it a less attractive target.

tedster

WebmasterWorld Senior Member tedster us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 8292 posted 11:04 am on Jul 14, 2004 (gmt 0)

There's definitely some truth in that, Hanu. IE does make the biggest target.

However, because IE is tightly integrated into the Operating System, not only are more exploits possible, more devastating and intrusive exploits are possible.

That's a fundamental design flaw that does not affect stand-alone browsers, and has allowed all kinds of "swiss army knife" exploits that combine viruses, worms, dialers, and malware of many species, all in one payload.

Brett_Tabke

WebmasterWorld Administrator brett_tabke us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 8292 posted 11:11 am on Jul 14, 2004 (gmt 0)

FF has fewer bugs because it isn't based upon Microsoft code, or include ActiveX.

Even if Mozilla had 99% of the market, no more than a handful of security problems would be found. Of those, they would be fixed within 24 hours and available for download at your leisure. Compare that to hundreds (many believe THOUSANDS) of problems in IE.

Mozilla benefits from thousands of eyes on the code. It also benefits from open source. Every hacker on the net would love to crack mozilla - in order to attempt to install malware. Whereas, ActiveX is not a hacking problem, it is a program design flaw.

On the other hand, hats off to MS for pulling off the "ya, we have $40 billion in the bank and 20k employees around the planet, but those little bad hackers are picking on us. If you were as big and had as many resources, they'd pick on you too" ploy. Absolute text book case in pure press and public control (eg: propaganda).

Hanu

10+ Year Member



 
Msg#: 8292 posted 12:27 pm on Jul 14, 2004 (gmt 0)

Don't get me wrong, I love Firefox and I now use it for almost all browsing, except at microsoft.com ;-).

> However, because IE is tightly integrated into the Operating System, not only are more exploits possible, more devastating and intrusive exploits are possible.

That's true. Brett also mentioned ActiveX. On the other hand, both, FF and IE support plugins - I believe FF uses the same interface as IE - as well as JavaScript.

> Mozilla benefits from thousands of eyes on the code. It also benefits from open source.

The thousand eyes might be those of 450 hackers and 50 developers. Just because something is open source, doesn't mean it's quality software. Any complex piece of software, open or closed source, has bugs and most of the time only the developers understand their code. Also it's a lot easier to scan source code for certain types of bugs like buffer overflows than to fully understand the code and become a contributing developer. Take for example this FF vulnerability [kb.cert.org]. Although IE has far more vulnerabilities in the past 12 months it is also used 20 times more often, so I assume it is a 20 times more attractive target, hence hackers will invest 20 times more energy into finding and exploiting new vulnerabilities.

Am I starting to sound like a MS representative?

Brett_Tabke

WebmasterWorld Administrator brett_tabke us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 8292 posted 12:31 pm on Jul 14, 2004 (gmt 0)

> eyes of hackers

Absolutely! That is part of the perk of Open Source. Who better to find and expose holes than hackers? The fact that hackers are looking it over from the inside out is a boon to debugging and problem finding. The faster the hackers find them - the faster they can be fixed.

The big difference is that when a hole is found in Mozilla, it can be fixed literally overnight. Whereas a few of the latest IE holes have been known since 1998.

Anyway, back to the topic at hand - please update your windows systems.

[theregister.co.uk...]

CritterNYC

10+ Year Member



 
Msg#: 8292 posted 3:15 pm on Jul 14, 2004 (gmt 0)

> Take for example this FF vulnerability [webmasterworld.com]. Although IE has far more vulnerabilities in the past 12 months it is also used 20 times more often, so I assume it is a 20 times more attractive target, hence hackers will invest 20 times more energy into finding and exploiting new vulnerabilities.

You mean the one that has already been patched and is actually a vulnerability within Windows that Internet Explorer, MSN Messenger and MS Word were also vulnerable to?

Your 20 times argument is specious. It would be more accurate to say that if there are 1 million compromised IE installations, there should be 50,000 compromised Firefox installations. I've seen lots of compromised IE installations... no Firefox ones, despite the fact that Firefox *IS* being targeted by malware and spyware authors. The Mozilla folks are being proactive in dealing with it.

Leosghost

WebmasterWorld Senior Member leosghost us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 8292 posted 3:28 pm on Jul 14, 2004 (gmt 0)

> Am I starting to sound like a MS representative?

No ...you are starting to sound like someone who doesn't understand the subject or the background or the terms used in its discussion sufficiently well ...

That in itself isn't a problem ....rabbiting on in the face of the hard evidence is ..

IE and the Extension of it that is 'doze ( yep it's near enough that way round ) has always been a clunker ...

Maybe some hackers will try to take down firefox ..IMO only the scumware writers and dialer installers and children with virii lab found on Kazza ...

Most hackers who hit on IE and 'doze do so as protest against the ethos behind it and to show it up for the ersatz crap it is ....and puleez don't tell me "why don't you complain to the authorities"....

Free real competition and open source co-operation isn't seen by them to be in their interests either ...
