Large Scale Net Attack Underway?

Microsoft Servers & User Machines Targets

         

rogerd

3:19 am on Jun 25, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



AP is reporting an unusual virus attack. Microsoft IIS servers become infected, and append code to the bottom of web pages. The code is Javascript which attempts to access a file on a remote site. The code is presumably malicious, but details are still sketchy.
[msnbc.msn.com...]
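Added example, not part of rogerd's post or the AP report: a Python check a site operator could run over pages as served, to spot the symptom described above (script appended after the closing `</html>` tag that points at a remote host). The function names, the sample pages and the `example.com` / `example.net` hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class TrailingCodeFinder(HTMLParser):
    """Records active-content tags that start after the closing </html> tag."""

    def __init__(self):
        super().__init__()
        self.html_closed = False
        self.in_trailing_script = False
        self.findings = []

    def handle_endtag(self, tag):
        if tag == "html":          # tag names arrive lower-cased
            self.html_closed = True
        elif tag == "script":
            self.in_trailing_script = False

    def handle_starttag(self, tag, attrs):
        if not self.html_closed or tag not in ACTIVE_TAGS:
            return
        line, _col = self.getpos()
        urls = [v for k, v in attrs if k in ("src", "data") and v]
        self.findings.append({"tag": tag, "line": line, "urls": urls})
        self.in_trailing_script = tag == "script"

    def handle_data(self, data):
        # Inline script body: pull out any absolute URLs it mentions.
        if self.in_trailing_script:
            self.findings[-1]["urls"].extend(URL_RE.findall(data))


def scan_page(html, own_hosts=()):
    """Return findings for one page; an empty list means nothing trails </html>."""
    finder = TrailingCodeFinder()
    finder.feed(html)
    finder.close()
    for f in finder.findings:
        hosts = {urlparse(u).hostname for u in f["urls"]}
        f["remote_hosts"] = sorted(h for h in hosts if h and h not in own_hosts)
    return finder.findings


def scan_pages(pages, own_hosts=()):
    """pages maps a URL or file name to its HTML; returns only pages with findings."""
    report = {}
    for name, html in pages.items():
        hits = scan_page(html, own_hosts)
        if hits:
            report[name] = hits
    return report


# Constructed sample pages (not captured from the incident).
CLEAN_PAGE = """<html><head><title>Home</title>
<script src="/js/menu.js"></script></head>
<body><p>Welcome</p>
<script>var home = "http://www.example.com/";</script>
</body></html>
"""

INFECTED_PAGE = """<HTML><BODY><P>Welcome</P></BODY></HTML>
<SCRIPT LANGUAGE="JavaScript">
var src = "http://remote.example.net/placeholder.js"; // constructed URL
</SCRIPT>
"""

if __name__ == "__main__":
    pages = {"index.htm": CLEAN_PAGE, "default.htm": INFECTED_PAGE}
    for name, hits in scan_pages(pages, own_hosts={"www.example.com"}).items():
        for h in hits:
            print(f"{name}: <{h['tag']}> after </html> at line {h['line']}, "
                  f"remote hosts: {h['remote_hosts']}")
```

Feed it the HTML exactly as the server returns it rather than the file on disk, since code appended by the server at response time does not appear in the stored file.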

skippy

1:55 pm on Jun 27, 2004 (gmt 0)

10+ Year Member



Computer literate…naw. I use a Windows OS but ditched IE a long time ago. There are known and unaddressed security flaws with Microsoft. I fear we will see a lot more exploits like the one the other day.

I hope all of the software I have arrayed against spyware, adware, browser helper objects, key loggers, trojans, etc. can keep up.

grelmar

2:16 pm on Jun 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Maybe I came out a little strident in my last post, but I'll still hold to my stance.

While part of the security hole that has caused this issue was addressed by MS a while back and patches issued (for the IIS servers), the other part, the big gaping hole in IE through ActiveX, has not been addressed, and this is an issue that has been talked about in security circles, and M$ notified about it, over a year ago.

That is way, WAY too long for a hole to go unpatched.

As for online banking and security: I'm not worried about my bank's security so much, as I am worried about my own. I go to great lengths to keep my PC secure, but I'm 1 guy, have other things to do than spend 16 hours a week going over system security issues. I'll freely admit that my PC is the weak link in the chain.

But a chain is only as strong as its weakest link. And until the major security issues get solved with M$, IE, and even some of the other OSes, I'm just too paranoid to commit my financial well being to online transactions.

It's fundamentally un-secure.

And for those of you who think that because the Russian website that is supposed to receive the sent information about your banking data is down means that the data isn't getting through to the evil doers, think again.

If it was me who'd set up this scam, I would intentionally have the info set to a dummy website that had no connection to me whatever. I would have it sent to a website on a server that was on the same DNS node as a server I did control. Then it's a fairly simple matter to set up a packet sniffer and monitor all traffic being sent to that site. Whether the site is up or not, the data is still being shuffled across the net before it bounces off the taken-down site. If you have an even basic knowledge of packet sniffing, you'll be able to pluck the info in transit.

As sophisticated an attack as this is, I'd guess that the people behind it know a thing or two about packet sniffing.

CritterNYC

3:55 pm on Jun 27, 2004 (gmt 0)

10+ Year Member



> IE Users: If you allow ActiveX regardless, then it is you to blame

Bignet,

As I mentioned before, even if you completely disable ActiveX and Java across ALL security zones in IE, it is still completely vulnerable to this exploit. This exploit is actively being used to install spamware, spyware and worms. The ONLY way to lock down IE against it right now is to disable all Active Scripting (VB Script and Javascript).

Or, you could always upgrade to a real browser.
[mozilla.org...]

bignet

4:16 pm on Jun 27, 2004 (gmt 0)

10+ Year Member



and because these security holes are too large to patch, it is only a matter of hours, maybe days, that servers running IIS, or clients running IE, will be confined to histery [sic!]

Leosghost

5:58 pm on Jun 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Without getting into specifics ..as the idea is not to give clues on how to hack a doze box or server ..( there are plenty of places where you can learn that and plenty of people here that know how and don't do it ) ...
The basic problem with doze and IE is that the two are much too interdependent by M$ design ...
From the first exploits that were discovered M$ have slapped on bandaid after bandaid ( sometimes they hide them in new mediaplayers ..some times they call them updates or patches )..they have no choice ..!
If they threw out the basic browser code and redid the damn thing in "locked down" version AKA Mozilla they would have to scrap the OS ...because since Dos ...'doze is still the same basic cake just with more and more layers of icing on it ....
( ever looked inside a virus in hex?..most of them say they can't run in dos ..it was more secure! )
As long as you are accepting that you will allow javascripts to run via IE in doze I ( and many many millions of others ) can get activex and directx commands to run on your machine ....not all of them ..but enough to hurt and or cause chaos .or whatever ...

What is surprising is not that these exploits exist..it is the fact that so few are exploited for evil ...One of my sites uses your acceptance of javascript to switch on your activex and directx .
I did this just to protect my data from drive by copiers ( and as a protection it doesn't work so well ..cos you can get it other ways )..but ..the problem isn't with javascript ..other browsers let you run it ..but they don't let you switch on anything else with it! )...

Until M$ make a true stand alone browser anyone using IE in any flavours is vulnerable ....'cos the internal integrity of doze is a bad joke that M$ are stuck with ..

Or they could start from scratch and make another OS?

CritterNYC

6:46 pm on Jun 27, 2004 (gmt 0)

10+ Year Member



The US Computer Emergency Response Team (US-CERT), a division of the Department of Homeland Security, and Microsoft have recommended setting Internet Explorer to the HIGH security setting and disabling Javascript if you continue to use Internet Explorer to browse the web. This will, however, cause any websites that depend on Javascript not to function. CERT has also recommended that IE users consider switching to an alternative browser that is unaffected by this issue, such as Mozilla, Mozilla Firefox, Netscape or Opera.

[washingtonpost.com...]

Leosghost

9:02 am on Jun 28, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



CritterNyc ..2 things ..
1.They said what we already new!
2.
http://www.webmasterworld.com/red.cgi?f=10&d=5871&url=http://www.washingtonpost.com/wp-dyn/articles/A6746-2004Jun25.html

is a link to registration page ...do you work for the 'post? ;)

I would love to see the page where M$ have to say "only use high security settings or switch to another browser"......even if it's only a joint statement with the US-CERT ...;)

isitreal

2:01 pm on Jun 28, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Leosghost: one of the great things about Firefox is the user agent switcher, that lets you get around a lot of those login pages, to access that I already had a googlebot user agent installed, clicked that, and in I was, no login, a thing of beauty, doesn't work for the ny times, but does for many other papers, including this one.

CritterNYC

5:11 pm on Jun 28, 2004 (gmt 0)

10+ Year Member



> 1.They said what we already new!
> 2.
> [webmasterworld.com...]
>
> is a link to registration page ...do you work for the 'post? ;)
>
> I would love to see the page where M$ have to say "only use high security settings or switch to another browser"......even if it's only a joint statement with the US-CERT ...;)

1. Already new? I used new instead of knew in some post somewhere (which I can't find now). I hate that I can't edit my spellingk errors :-) And you usually realize it as you click SUBMIT.

2. Oh yeah. Washington Post articles require registration when they aren't for the current day (annoying, huh?) Head to bugmenot to get a login. It's also handy for nytimes.com, etc. All those sites that require you to create a login with fake (uh, I mean, totally real, yeah) information before viewing an article.
[bugmenot.com...]

And then view the article:
[washingtonpost.com...]

CritterNYC

5:19 pm on Jun 28, 2004 (gmt 0)

10+ Year Member



> I would love to see the page where M$ have to say "only use high security settings or switch to another browser"......even if it's only a joint statement with the US-CERT ...;)

Oh, and one more thing... only CERT said to switch browsers, not MS. Heh. The article quote is:

"CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera. Mac, Linux and other non-Windows operating systems are immune from this attack. For people who continue to use the Internet Explorer, CERT and Microsoft recommend setting the browser's security settings to "high," but that can impair some browsing functions."

CERT has recommended switching browsers as a solution before, too:

[kb.cert.org...]

"Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). It is possible for a different browser on a Windows system to invoke IE to handle MHTML protocol URLs."

Leosghost

5:41 pm on Jun 28, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I frequently make spelling mistakes ..
I have 2 excuses ..
1.ceçi c'est un clavier français ..donc bassackwarsd.
2.Iare reely an viszoooal rtist ..

[edited by: tedster at 4:59 am (utc) on July 1, 2004]

Hester

8:56 am on Jun 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Can anyone confirm that allowing JavaScript to remain ON is safe? (After disabling ActiveX.) We have a drop-down menu that relies on it, though I've put in a link to the site map for people with JavaScript turned off. It would be a shame to do without it.

Leosghost

11:39 am on Jun 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hester ..no it is not safe ..I or anyone else can break through to your activeX and directX "command areas" using it ...it should be safe because IE wasn't designed deliberately to let such things happen ..but as with most of the output from Redmond the divisions inside the OS are not as well defined as they meant ...

This particular "download" will get in via javascript ..they could have done much worse ( and we're still not certain what the script was intended to facilitate )...no doubt someone will do much worse in the future ....

If you doubt me on this sticky me and I'll give you the address of one of my sites where I have a javascript routine which will use your activeX and your directX even if you have them disabled ..all it needs is for you to have enabled Javascript...it's a harmless site ..no malware ..but it could be different ...

and it can only do this in IE ...it can't try to hijack your box via another browser ..

so you can keep your nav system ..but if enough people switch off javascript in their browsers ..no one will be able to use your nav system ..

this is why I need to remake the site ( thanks M$..I had other things to do! )

Even French national TV news last night ( they are always a bit behind here ) told us all "switch off javascript on your computers" ( they forgot to say this was only if you ran IE!).."Or go to Microsoft's website and follow the instructions" ...Most of the 'doze boxes in the world will "update" in the next 30 days and hit a page which will explain in their particular language how to do this ( if M$ haven't worked out an install to do it ( and what else , ) for you just by clicking the link they will doubtless provide ...( they might even hide this as they have done in the past by including it in an update to media player ...always better to call it a "feature" than a **** up..) ..
And the world of the internet will be once again safe(ish)..just don't ask for proof and or machine code..

Thanks be to "patchgeek"...

greetzFO

( s'cuse spelling "comme d'ab" )

Hester

12:19 pm on Jun 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What can be done to 'cure' IE6 then? Is there anything in the settings that will make it safe?

Also, how DO I turn off JavaScript? Is it covered by the same settings for Java?

Leosghost

12:42 pm on Jun 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



No ..it's not the same animal ...
how to turn it off .Explorer > tools >Internet options >security >custom ( now scroll down til you find the checkboxes ..disable anything you don't want ) click on "apply" ..+ ok ..now click all the OK's on each gui box til you are back where you began ...
Shut IE ..Shut session of 'doze...

start up box again ....

you will now be able to experience the internet ...

minus all the "cute" stuff ....

Praised be .. "sloppy code geek"

Hester

1:20 pm on Jun 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Internet browser breach defused [news.bbc.co.uk]

The code that Internet Explorer downloads is designed to steal login information for Ebay, Paypal, Earthlink, Juno and Yahoo accounts.

txbakers

1:31 pm on Jun 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> minus all the "cute" stuff ....

Javascript is much more than "cute" stuff. Most net "programmers" (i.e. people who know how to make a website) think just that - it's cute little mouse trails or mouseovers.

JavaScript is much more than cute stuff. It's a robust programming language and when used properly can add a great deal of functionality to a website, without having to submit a form for every operation.

Turning off javascript is NOT a solution to stopping hackers, and several sites will not work without it.

We really need to stop the false impression that JavaScript is only cute stuff.

Brett_Tabke

2:30 pm on Jun 29, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



[theregister.co.uk...]

Here we had multiple vulnerabilities in IE, at least one spanning back months, which have remained unpatched by Microsoft. The culmination of the vulnerabilities allows for silent code execution on the client box: zones crossed, files downloaded, code executed, boxes owned.

Leosghost

2:31 pm on Jun 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



For me.... using javascript for forms is an invitation to get hacked ....javascript is part of DHTML...

Calling it a programming language is IMHO taking it a bit far ...it doesn't rank with C++ , Fortran etc ...

The problem isn't those who use it for "effects" ..it's those who haven't made an OS that has some basic security issues about its Browser/Os interface addressed..

[edited by: tedster at 5:05 am (utc) on July 1, 2004]

Hester

2:55 pm on Jun 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> For me.... using javascript for forms is an invitation to get hacked ....javascript is part of DHTML...

No, it's a common method of dealing with form inputs and processing them.

> Calling it a programming language is IMHO taking it a bit far ...it doesnt rank with C++ , Fortran etc ..

Of course it is a programming language. You use it to program scripts. Just because it is not as powerful as C++ (thank God - imagine the hacks if it was!) doesn't mean it is inadequate. It is useful for a great many things, not just fancy effects, menus and forms. Many sites employ very small snippets of code, often to get round browser inadequacies. I'd hate to surf without it.

What I've found today is that some sites have not been prepared for users visiting them without JavaScript. We had to turn it back on for one machine because a key site was basically useless without it.

Part of the W3C Accessibility Guides states that your content should still be accessible if JavaScript is turned off. Hence our drop down menu at work offers you a link to a Site Map instead. The <noscript> tag should be used to explain why something won't work and offer an alternative page, if possible. In no way should a site fail to be useable.

isitreal

3:12 pm on Jun 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Re: Javascript. As far as I know, it's the highest level programming language in existence, something easily verified by writing a reasonably complex script and watching it eat up 100% of the processor. You can see this for yourself by creating a 10,000 repetition loop and timing it, you don't need to use microtime type functions, you can use your watch.

It's also not comparable to the other programming languages for one primary reason: you don't have control of the runtime environment, you are dependent on browser x of generation y having properly implemented the method you are using. This is why I am no longer using Javascript for any site critical functionality, only for tricks, window dressing, form validation etc.

Having to debug CSS and Javascript cross browser is simply too much work for too little result, I've switched almost completely to server side scripting except where I absolutely can't avoid it.

The recent IE problems only serve to highlight these issues, this isn't the first time that IE has been forced to shut down its Javascript support, I downloaded the IE 5.5 upgrade when it was released, and after a long time trying to figure out why my JS didn't work, I finally realized it had been released with JS support off by default due to some recent exploit (was it codered, can't remember).

That's now 2 times in 4 years IE users have been told to switch off their JS. This is a pattern, and it shows me that the common advice to not make your site functionality depend on javascript is absolutely correct. Not to mention spotty Opera/Safari/IEMac Dom support.

txbakers

3:45 pm on Jun 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Apparently javascript exploits aren't exclusive to IE:

[webmasterworld.com...]

Leosghost

3:52 pm on Jun 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



isitreal ..we have agreed on many things in the past but here we disagree ..for me javascript isn't a programming language because it ( unlike the others ) cannot be used to do anything other than what it is used for on the net ...( ok there are one or two tricks that it can do off net but not enough to light my fire ) ..

The day you can use it like machine code to do some real work or to produce an app or a soft such as photoshop or whatever then I'll consider it a programme language ...til then yes it eats up cpu ..yes it's powerful in the stuff it can do ..but browsers are not built using it they are built with varying degrees of success to use it ..not the same thing ...

otherwise on IE ..total agreement as you know ... :)

s'cuse spelling ( comme d'ab )

[edited by: tedster at 5:07 am (utc) on July 1, 2004]

CritterNYC

4:18 pm on Jun 29, 2004 (gmt 0)

10+ Year Member



> Internet browser breach defused [news.bbc.co.uk]
>
> The code that Internet Explorer downloads is designed to steal login information for Ebay, Paypal, Earthlink, Juno and Yahoo accounts.

Sorry, but as stated before this only means that ONE exploit download site was taken offline (the most-covered one, since it was spyware/keylogger hosted in Russia). There are still spyware toolbars being installed in IE automatically. And any website can run any code they want in any version of Win IE with Javascript enabled.

As I said before, unless you completely trust every website you visit with full access to your hard drive AND trust that they have fully patched their webserver, regardless of type, you should be browsing with Javascript disabled if you are using IE.

isitreal

4:20 pm on Jun 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Leosghost:
> we have agreed on many things in the past but here we disagree ..for me javascript isn't a programming language because it ( unlike the others ) cannot be used to do anything other than what it is used for on the net

There's no real disagreement here, I've read some threads on WebmasterWorld about what constitutes a programming language, and javascript does qualify technically, since it supports for/while/if/switch type constructions, which seem to be what makes people think something is a programming language or not.

> but browsers are not built using it they are built with varying degrees of success to use it ..not the same thing ...

That's what I was referring to when I said you don't have control of the runtime environment, it's what makes js one of the most useless programming languages out there (imagine writing a function in c++ and then telling your department head that it will often work, say 92% of the time, maybe less if there is a recent exploit out there, and that code won't work if run on system x, but that's life...)

On the hierarchy of programming languages, with something like C being lowest, Javascript is among the highest level ones. This is what makes MS's inability to block js from running serious exploits especially unforgivable, the whole point of js was supposed to be that it was a secure way to run application restricted code that would have no real access to your underlying os.

But we don't disagree, I don't spend any more time on js, it's time wasted as far as I'm concerned, better spent on php or its ilk.

[edited by: isitreal at 4:29 pm (utc) on June 29, 2004]

CritterNYC

4:21 pm on Jun 29, 2004 (gmt 0)

10+ Year Member



> Apparently javascript exploits aren't exclusive to IE:
>
> [webmasterworld.com...]

Quite true. Though this is hardly as bad as the hole the size of New York that IE has in it allowing you to execute arbitrary code.

And yes, IIRC this did happen on IE before, and, I believe Mozilla... but I could be wrong.

CritterNYC

8:01 pm on Jun 29, 2004 (gmt 0)

10+ Year Member



It's just going to get worse...

Now, there's an IE Browser Helper Object in the wild that will intercept form posts/gets to the major bank sites when done over https. A "creative" webmaster can automatically install this in IE using the known, unpatched vulnerabilities and you'll end up with full access to a visitor's bank accounts.

[isc.incidents.org...]

encyclo

11:40 pm on Jun 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> Now, there's an IE Browser Helper Object in the wild that will intercept form posts/gets to the major bank sites when done over https.

Go to properties in IE and uncheck the "enable third party browser extensions" box - it will save you from this one, if not from the others. Of course, this will probably break genuine third-party BHOs such as the Adobe PDF reader and the Google toolbar.

Still no sign of a patch for any of these vulnerabilities...

balam

4:58 am on Jun 30, 2004 (gmt 0)

10+ Year Member



> Of course, this will probably break genuine third-party BHOs such as the Adobe PDF reader and the Google toolbar.

The toolbar does break, but Acrobat doesn't...

Leosghost

9:53 am on Jun 30, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The BHO issue is a real PITA with I think even more likelihood of being picked up and run with by the "script kiddies" out there ...General buzz on security in the news media that joe and jane sixpack come into contact with never ever mentions BHO and by the mere semantic associations of the word helper and their puppy like trust in M$ and all it installed ..they probably won't disable BHO even if they find out what it means ...

BTW ..for those who don't want to "globally" disable BHO's or to see what they do have in the way of these critters and at start up etc ..try searching for " system security suite" by a guy from new zealand ..freeware ..tiny little proggy ..clean and easiest "switch em on switch em off block em" Gui I ever saw ....The exact download address I can't find on the "about" ..may have been somewhere like webattack ..

[edited by: tedster at 5:11 am (utc) on July 1, 2004]
