Whoa!

Danish security company Secunia has upgraded a security warning on a flaw in Internet Explorer 6.0, to "extremely critical".

The flaw allows malicious code to be loaded onto the machines of Windows XP users, even though they may have installed the XP Service Pack 2 security software.

Worse yet, Microsoft is "working on" a patch. Look at the solution Secunia offers [secunia.com] for now:

Solution:
Use another product.

Alternative workarounds:
1) The vendor recommends that the "Drag and drop or copy and paste files" option is disabled.
2, 3) Set security level to high for the "Internet" zone.

An implementation of this flaw that I have seen today shows the extent of the problem: the sample code created a new directory on the C drive. However, it would be trivial to change the code to, say, wipe the entire hard drive. You can in fact send any DOS command to execute automatically on the user's machine.

Best to switch to a different browser until Microsoft comes up with a patch...

Well, here's a vote for Opera:)

But, more to the point of the thread. The wife just enrolled in a lon distance education class that is using some app that requires IE.

I had finally weaned the entire family off of IE and removed it from the machines. :(

WBF

Try installing the UA switcher and selecting IE. ;)

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:

http*//secunia.com/internet_explorer_command_execution_vulnerability_test/

How safe is the test? ;)

I love how they say its "New". They forget to mention a spyware company in the summer used the exploit and was sued by the FTC and microsoft and forced to shut down. Microsoft couldn't come out with a fix in sp2 because the problem was burried really deep.

markus007 - are you refering to this case, against Seismic Entertainment Productions and SmartBot.net?

[ftc.gov...]

If so, I didn't realize that this 'new' issue is the same security hole.

From secunia site:

Last Update: 2005-01-07

---------------------------------------------------

This news is 3 days old.

Only one sources opinion with motives unknown.

The link to test ones browser now does not work.

And when it did it did not work as we were told.

Yet this topic gets front page billing on WebmasterWorld followed by a microsoft bashing led by an administror of these boards. Need I remind you the current state of "computing" would not exist were it not for microsoft. These boards used to be better than this.............................

Best stick to the facts rather then emotion, rumor, and innuendo.

nope it was a different one.. THis case got next to no publicity the only reason i know is because i know one of the people that got sued.

ComputerWorld is now reporting [computerworld.co.nz] that Microsoft will release IE security patches tomorrow (Wednesday, since this source is dated Jan 11)

However:

Nathan Mercer, technology specialist at Microsoft New Zealand, confirmed that three patches will be released tomorrow morning, NZ time. However, Mercer was unable to say whether the patches cover the Internet Explorer-related issues reported by Secunia.

Well Well

Goes to figure I guess about the Microsoft IE 6 SP2

I am neither for or against various systems as a whole.
Although our eventual transition to the firefox is a result of some of the security issues related to the explorer.

As far as the explorer and it's luke warm security, I and the rest of us here don't have a lot of time to spend on fixing things, so the windows is shut off due to the much better security that Symantec offers us.

I did have a real good go at a security breech the other day on one of our older, much less used machines in the back office. (not a part of our network) It was a grand thrill to get after it.

I beat the living daylights out of the thing.
It's been so long since I have had to get into the registry files on any machine, that it was like taking a good long springtime stroll for a change.

Yet this topic gets front page billing on WebmasterWorld followed by a microsoft bashing led by an administror of these boards. Need I remind you the current state of "computing" would not exist were it not for microsoft.

Um, that's true. For example the lack of rich apps on the Internet is caused by Microsoft destroying Netscape and then failing to develop the only viable browser for years. They did this on purpose because the Internet is a threat to their cash cow. Which is rich apps on the desktop.

The bias against Microsoft was not created in a vacuum. There are many reasons for it.

Recently, I saw for a second time the "documentary" Code Rush aired by PBS for the first time in March of 2000.

The show depicts the Netscape rush to put online the source code for their browser on March 31 1998.

According to the Code Rush credits, the "documentary" was co-written by G. Pascal Zachary, an anti-Microsoft New York Times journalist.

Nevertheless, I'm glad Code Rush was made available to the non-technical public. It helps them to clearly discern what's good and what's bad. What's trustworthy and what's not.

In regard to the latest flaw, I'm happy there's Windows Update at my fingertips to fix it.

I don't think Windows Update fixes it yet.

I've often defended Microsoft in these forums, especially Frontpage, which I still use.

But, it's getting silly now. I almost never use IE because of all these problems. Since switching to Firefox life has been so much easier. OK, great, MS have done a lot for computing but let's fact it, while there may be some debate about Windows itself, IE is a now a complete disaster.

Anyone who does not believe this is a real, recreatable bug is sorely mistaken. I have just created and run it on several computers running XP with SP2 on different networks from different locations. Sophos identified it as a virus but the cmd.exe ran anyway.

It took me about ten minutes to create a variant that did whatever I wanted. I can execute any DOS command I want on a users machine from the homepage of my website with any click required.

This is the worst security hack I have EVER seen. Any user with XP and SP2 running IE is at very serious risk.

How to completely delete IE from my machine? Isn't there some nice uninstall tool?

sirlion wrote:

The link to test ones browser now does not work.

Yes, it does; computerweekly miscoded the link; just copy and paste the secunia.com/... link, and it works.

Best stick to the facts rather then emotion, rumor, and innuendo.

Not trying to confront you, but could you please clarify what "the facts" are?

Trax the only program (and it's free) I have ever seen that safely "removes" IE is this one:
[litepc.com...]
But note it won't work with XP, and only win2k up to service pack 1, so that's fairly useless in this day and age. However if you still have any family on win9x/ME it will do the trick.

Best thing is to just use Firefox and switch all your family and friends to it ;)

How to completely delete IE from my machine? Isn't there some nice uninstall tool?

Several ;)

[fedora.redhat.com...]
[mandrakelinux.com...]
[ubuntulinux.org...]
[suse.com...]
etc.

Also: [apple.com...] if you prefer.

I moved exclusively to Linux nearly 2 years ago, and I would never go back. All browsers have bugs and problems, IE and Firefox included, but it is the tight integration with the underlying operating system which makes IE vulnerabilities much, much more dangerous. This is a fundamental, deliberately-introduced design flaw in Windows, that no level of patching of the browser is truly going to resolve.

Can't you just delete the exe file? That will prevent it from ever starting. Linux seems like overkill. If I had the time to learn that much I'd sign up for an evening class ;)

windowsupdate.com now seems to have a patch for this.

I just installed it and the exploit's test page doesn't work now (it did previously).

time to go roll out on all the systems in the office...

Deleting the .exe file would help, but the question is what about other means of running the IE control? Can HTML email in IE-based mail clients exploit this vulnerability? What about other apps you may have around that use IE to display HTML? Most of those won't end up display HTML that's not under their control, but some will.

As for IE vs. Firefox vs. Opera vs. whatever in terms of security, there are other issues besides OS integration that make some browsers safer than others. Defect rates increase exponentially with code size, for example. I'd be curious to know how many lines of code are executed as part of IE and various libraries and controls that execute on its behalf. Those browsers that are Open Source also have an advantage in that the code gets looked at by far more people. Code review catches a higher percentage of bugs than testing does.

As rich42 has already seenm the fix is now available from Windows Update:

Full details [microsoft.com]

On a side note ...

Running the test page in Win98SE with an unpatched (although otherwise up to date) IE6 with security settings set to "prompt" or "disable" for all ActiveX settings:

I get either a notice that "..browser settings do not allow ActiveX controls...may result in incorrect page display..." or a security warning to download and install Secunia's "hhctrl.ocx" object.

In addition, BOTH temporary pages Secunia sends to the cache contain the "Exp/Phel-A" virus.

Virus aside, without the ActiveX control, the test fails. It looks like a Javascript error in the test itself. Perhaps with the ActiveX control loaded, the test works as intended. I'm not going to find out ...

I think I'll stick with Firefox and Sophos Antivirus.
:)

Although the patch is already available and everyone in my office updated their machines, I have still asked everyone in our office to switch to FireFox and never use IE. We now only allow using IE in special cases only with the prliminary agreement with sysadmin. I am not an anti-ms freak, but IE lost any creditability.

When I was updating, there was another thing listed which I thought was that new beta anti-spyware software, but I can't seem to find it after installing... did I skim through the name too fast and install something else?

Jennifer

Um, that's true. For example the lack of rich apps on the Internet is caused by Microsoft destroying Netscape and then failing to develop the only viable browser for years. They did this on purpose because the Internet is a threat to their cash cow. Which is rich apps on the desktop.

The bias against Microsoft was not created in a vacuum. There are many reasons for it.

I wouldn't really say Microsoft's cash cow is rich desktop apps. Microsoft's cash cow is enterprise level liscencing, and partnerships with companies like dell to put windows on every new computer they ship.
I mean, think about it. How many individuauls do you know that have actually gone out and bought Office, or VisualStudio, or some other high-end product like that?
Now, how many big companies are there out there that buy insane liscencing packages to put Office on 5000 machines at a time, or put VisualStudio on the machines of 100 developers, or Windows Server on an entire farm of servers. Not to mention the whole "microsoft certified technology provider" thing - which basicly just means somebody shelled out a handful of cash to get a copy of a .gif to put on thier site.

To say the internet is a threat to a company like microsoft, is - silly at best. Stupid people are the biggest hinderance to the advancement of technology - by far. Be it internet or otherwise. Not companies like MS. Until people remove thier heads from the other parts of thier body, and get with the program, mainstream society will always be 10 steps behind, and thus technology will be choked by peoples' inability to use it.

Note:
I'd like to limit this thread to the topic of IE - and in
specific to this particular vulnerability. We've got plenty
of threads where people discuss the general strengths and
weaknesses of various browsers - and a Browsers Forum is not
the right place to get into a general critique of Microsoft.

I am quite pleased that MS got a patch out so quickly for this issue. It really worries me when the knuckleheads who exploit holes get too much of a head start.