Security outfit Secunia has news of further exploits for Microsoft's browser, Internet Explorer. Three new problems have come to light, all of them critical, and all of them having potential to do serious damage to Internet Explorer users.
The first problem relates to IE not checking items that are dragged and dropped from the Internet zone to the local zone; IE fails to check for images or media embedded in HTML code. A website could place HTML code on a users system, which could subsequently execute code in the local zone. The second issue relates to IE's HTML help control; a specially crafted help (.hhk) file can execute potentially malicious code and could also execute local programs; this vulnerability can also by-pass the "Local Computer" zone lock down security feature in SP2. Finally, a bug in the way IE handles the "Related Topics" command in an embedded HTML Help control can be exploited to allow the execution of malicious code. For a more detailed explanation of the problems, see Secunia's advisory.
One Neowin reader notes a particularly nasty example of the potential these exploits have. Microsoft have yet to offer a patch for the problems. Internet Explorer users (including v5.x+, v6.x+) and XP users with SP2 installed are affected. Until Microsoft takes the browser problems seriously, one can only suggest that users jump ship and try something else. An Internet Explorer re-vamp in 2006 with Longhorn is fast becoming too far away for ever tiring web users.
View: Secunia Advisory | CERT Response
View: Test vulnerability
The first problem relates to IE not checking items that are dragged and dropped from the Internet zone to the local zone; IE fails to check for images or media embedded in HTML code. A website could place HTML code on a users system, which could subsequently execute code in the local zone. The second issue relates to IE's HTML help control; a specially crafted help (.hhk) file can execute potentially malicious code and could also execute local programs; this vulnerability can also by-pass the "Local Computer" zone lock down security feature in SP2. Finally, a bug in the way IE handles the "Related Topics" command in an embedded HTML Help control can be exploited to allow the execution of malicious code. For a more detailed explanation of the problems, see Secunia's advisory.
One Neowin reader notes a particularly nasty example of the potential these exploits have. Microsoft have yet to offer a patch for the problems. Internet Explorer users (including v5.x+, v6.x+) and XP users with SP2 installed are affected. Until Microsoft takes the browser problems seriously, one can only suggest that users jump ship and try something else. An Internet Explorer re-vamp in 2006 with Longhorn is fast becoming too far away for ever tiring web users.
View: Secunia Advisory | CERT Response View: Test vulnerability
What's new in v2.5:
- NEW: User can change GUI style - Available styles are Office 2003, Visual Studio 2004 and Windows XP.
- NEW: Support for RealVNC 4.0 server in Reset VNC Server Password wizard.
- NEW: Support for RealVNC 4.0 server in Start/Stop VNC server dialog.
- NEW: Thumbnails View - Take screenshots via user configured time intervals.
- NEW: Thumbnails View - Connection parameters can be configured by user.
- NEW: Minimize to the system tray and single instance mode features.
- NEW: Export registered servers list and settings dialog.
- NEW: Export servers list to a Tab/comma separated file.
- NEW: Import/Export from/to .RDP/.VNC files.
- NEW: Reset Password Wizard - load/save list of target IP's from/to file.
- NEW: Deployment Wizard - load/save list of target IP's from/to file.
- NEW: Show/hide columns in registered servers list.
- NEW: User can customize a connection tab color on per server basis.
- NEW: Viewer windows tabs now have connection information tooltip assigned.
- NEW: Bunch of usability enhancements.
- CHANGED: Check for Updates dialog has been redesigned to show list of changes.
- CHANGED: Check for Updates dialog is now modeless and doesn't block VNC Manager GUI during scheduled or manual version update check.
most security vulnerabilities reported are like this. either the user has to do something abnormal, the chance of being compromised is so rare because someone has to target you, or it has to do with spoofing where you have to go to an odd site and do something stupid.
and firefox gets a lot of these vulnerabilities also. its not necessarily fixed quicker with firefox either; with some vulnerabilities ive seen they fix it soon after its widely reported, but theres evidence they knew about it earlier.
so, it may be true that one browser is less secure than the other. but jumping over secunia reports to try to make a point is not the smartest thing. and using internet explorer for years, i didn't encounter any of these vulnerabilities. so saying 'its amazing people still use ie' isnt really aware that its rare to encounter most vulnerabilites.
i mean with this example, who is going to drag a suspicious website from the internet to his computer, and then be surprised when it runs malicious code. and who is going to download a help file from a suspicious site and then be fooled into letting it run programs. when there was an advisory over firefox allowing spoofing of XUL interfaces, i didnt go 'omg firefox sux'
My favorite "Crying Wolf" reports are the ones where these self-serving companies report that the virus they are hyping to get their name in print isn't even "in the wild" yet. bwahahaha
If it isn't "out there", then it is an experiment or proof of concept, not a threat, and reporting to anyone except the virus makers, MS, mozilla, etc. is just media masturbation IMHO.
The "Test vulnerability" link shows how many users can be exploited without being coaxed to drag and drop. Just click a link that does all the nasty stuff for you.
1x 'Extremely critical' > 3x 'Less Critical' vunrabilities
*sniggers*
What??? Yes it is.
FX will patch it and then another wont be found for like 6 months
IE will have another 15-20 over hte next 6 months
and of course..continual spyware and virus infections over that time..
http://jmcardle.com/
All better now
nice try
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Bloodhound.Exploit.21
File: F
Location: Quarantine
Computer:
User:
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Sun Jan 09 17:25:44 2005
just click "potential these exploits have"
All better now
That's like seeing a car crash at an intersection and then never going there yourself to avoid having it happen to you. There are still thousands of other places where it can happen.
Last edited by 8493 on 10 Jan 2005 - 04:14
This test does not work on my IE on SP2. But I, like a smart IE user (I use FF, but keep IE around for my GF), have pretty much everything blocked in the internet zone. It works if I add it to trusted sites.
But neowin looks crappy since it uses activex.
Nothing wrong with I.E. it's a poor with security as any other browsers, so get over it.
ActiveX is a huge security flaw, and regardless of backwards compatibility issues, should be removed. Even better, Microsoft shouldn't have been dumb enough to implement it in the first place.
ActiveX is a huge security flaw, and regardless of backwards compatibility issues, should be removed. Even better, Microsoft shouldn't have been dumb enough to implement it in the first place.
You're kidding, right? Where would the internet be without ActiveX and Java?
ActiveX controls run only when you tell them to, and only with user-level permissions. Blaming ActiveX for this problem is like blaming fuel injected engines for car accidents.
A much safer place (for windoze users), that's for sure.
Nothing like impartial reporting...when this effects me, I'll moan. Right now, I have never had a single problem with IE. Maybe it's because I don't go searching for free warez with it.
And as for impartial reporting, you are joking with the helpful advice to jump ship and the handy link to the firefox download page, this site should be renamed neofox or somthing, Neofox.net - where unprofessional fanboyism looks better
Seriously, the firefox guys seem to have forgotten the news still on the front page regarding firefox's vulnerabilities which secunia are still reporting as unpatched, all browsers will have bugs, thats life deal with it, it's how YOU browse the net that makes the difference.
also, according to secuinia, this was reported to MS on 2004/10/13:
I Know IDIOT , the comment about renaming was tounge in cheek as the bias of this site is towards firefox and any vulnerabilites for IE are always sensationalised
you really have no sense of humor do you, I could not care less for your opinion, if you read my post (assuming you can read) I and the poster above stated that we had never had problems with IE and wether or not you decide to "jump ship" still does not change the fact that it is how YOU browse the net that is the cause of the majority of problems, (e.g. porn, warez, etc) If you accept every damn pop up then you are going to have problems, Firefox is starting to have exploits and vulnerabilites, Opera has exploits and vulnerabilities, both of which i use on a regular basis, along with IE and i have never had problems with any of them, I cannot remeber the last time i had a virus, Spyware, or browser Hijack using IE, Mainly becuase i use a good and regularly updated firewall and good security settings and configuration on the bowsers i use.
So please take your troll comment and insert it where the sun does not shine, god i hate teenagers who think they know every thing
Last edited by 16997 on 09 Jan 2005 - 23:25
Last edited by 72250 on 10 Jan 2005 - 02:05
Damn todbran!!! your an idiot, put down the vtech you got for christmas, you would not be able to find any of what you listed on my systems or any of the systems i work on, because whilst we are comapring dick size, I have been a support technician for the last 13 years and it's my job to sort this kind of stuff out. So, yes, i do know what i am doing. You've owned your own shop for 10 years, so what do you want a medal for making it this far, you throw that in like i should care.
50 spybot and adaware??? what installations?? No i doubt you know wtf you are talking about when you reference the detection programs as instances of spyware and malware. I Know my systems are clean, i know that my customers machines are clean, i know that i can do my job unlike........
By the way IF you bothered to read the posts I also stated that i USE IE regularly (read everyday) as well, and for the record, i never asked for your opinion, nor do i want it!!
the same goes for me as well, now back to your "shop".
Last edited by 16997 on 10 Jan 2005 - 11:18
I do hope MS does do this with IE.
"These bugs are all fixed in Firefox 1.0 and newer, and Thunderbird 0.9 and newer."
http://www.neowin.net/comments.php?id=2657...main&highlight=
And don't give me any BS about 80% of the market using IE therefore it must be better. You guys used to brag that IE held 95% of the market a few months ago. Why the slippage? Could it be that people are discovering better alternatives?
http://www.mozilla.org/products/firefox/
http://www.opera.com/
Anyway, at least IE is consistent in its incompetance. Hope you IE ass-kissers don't wet your pants when the next round of security vulnerabilities is announced in a week or two.
It's the standard for all things good with net travel.
Ohh yeah, ya'll always hearing lamers whinning about trojans they got, bad scripts they pick up, dialers, loggers, etc.. They blame it on I.E. vulnerabilities, nah it's because you keeping looking for warez and porno.
Viva la I.E.
edit: that was supposed to be a reply to 14.3
Poor ignorant fool... There are extensions for Firefox that are designed to make surfing for porn more...pleasurable, without racking up a massive bill.
(Yes, I'm using a free TK domain reroute to a free DNS because there's no profit.
I actually find it quite funny that so many people are willing to defend a 4 year old pile of steaming poo
bahahahahaha so funny yet so true.