IE Windows vuln coughs up local files If you use any version of Internet Explorer to surf Twitter or other Web 2.0 sites, Jorge Luis Alvarez Medina can probably read the entire contents of your primary hard drive. The security consultant at Core Security said his attack works by clicking on a single link that exploits a chain of weaknesses in IE and Windows. Once …
Create features, functions, and facilities that are inherently insecure! Yee haw!
ActiveX was the first significant step down this long and slippery slope. There's an O'Reilly book on HTML from about the time of ActiveX's debut, when Netscape was still the godzilla of browsers. In it, the author specifically warns against using ActiveX on a webpage because of the security risk. Did Microsoft act responsibly? No, of course not.
From another perspective, what MS has done over the years is to tightly integrate the OS and all applications (at least those from MS). Doing this has the effect of making those apps a part of the OS, increasing the size of the OS, and hence increasing the likelihood of there being security holes.
This is nothing new. Windows and, iirc, DOS have had undocumented trap doors in them for many years, so Excel could do its own memory allocation and thereby bypass the inefficient scheme in the OS.
The thing I wonder is this: why can a small security firm figure out these holes, yet MS, with its hordes of employees, can't? Can it possibly be that MS doesn't hire the best and the brightest, or is it that it simply doesn't bother to look at the security implications of various bells and whistles?
Don't tell me it's so!
Did you not just read the article? Did it not say that these explains have be reported multiple times to Microsoft, with little effect?
They fix it?.. Kind of like they fixed the Aurora IE bug when it was reported, 3+ months before it was used to attack Google and +30 others?
I hate to say this, because Microsoft does have it moments, but the company is, well, a company. It's all about the bottom line. If it ain't broken, don't fix it; if it is broken and only a handful of security experts know about it, why bother fixing it?.. It's not until it starts causing noticeable damage that Microsoft adds it to the list of things to fix when the next 6 month update batch rolls around.
then you've probably already caught some kind of AX-abusing virus. Sorry.
I can watch YT just fine using Firefox WITH NoScript, Adblock etc all turned on to fairly high settings. Can tell you now that all it uses is a minor bit of javascript, and Adobe flash for the main player - though they are of course dabbling in open HTML5 video-embedding standards now.
It's quite an event these days when I come across a page that demands I run it in IE because it uses activeX for something and I then have to click that scary yellow bar to authorise it. There's usually a slightly less flashy (needlessly so as the other standards can more or less cover the necessary bases, it just means writing new code) workaround offered on 99% of these sites though, which makes you question how necessary it is. Or why a web app needs such intimate access with your hard disk and other systems (Photosynth being an in-house case in point btw).
It's a bit of a mystery how it ever got as widespread as it is given it was insecure, slow and viewed with great suspicion from day one. Should have died in the water...
you try securing a corporate laptop, and then deal with the wailing when the user at a faraway conference can't do their presentation/collect their emal etc. I set the up with two accounts, make the non-admin account the default etc, but looking at the junk that's installed when they next come in for a service, I suspect that admin account is used far too often.
..if the computer operator has been given authority to allow administrative actions and is then stupid enough to do so what can you do?
The same principal is true of xIX. Persuade someone to use 'su' then persuade them to launch a dangerous application. If I remember correctly Ubuntu has pretty much the equivalent of UAC so is just as vulnerable.
Only a pillock runs as 'root' on an xIX box and you have to be a bit ignorant to run as an administrtor under Windows as well.
People still on XP or earlier have a good excuse because running as a limited user on those system can be a bit of a pain (although fast user switching is a reasonable workaround most of the time in my experience). But people running Vista or Win7 have no excuse. Oh - unless they've been advised by some nerdy-know-it-all to disable UAC because it's annoying.
Apple aren't too good at it either, I've just had to weedle the admin password out of someone for theirs so I can actually use the flippin internet whlst borrowing it, because there's a couple of vital settings that are blanked out. And I'll probably just use that from then on so I don't have to go through the whole logging out and back in twice thing, which is often not very fast. Returning to the point, it can be achingly slow on XP, for sure. Not every machine has fast switching on; it seems to be missing from most that actually use the admin / serf :) concept. Maybe it's more of a Home feature than Pro...
I'm loathe to admit it but this is one of the things that linux actually gets "right". Account switching and temporary root login is fast and easy, so I've no problems - when *having* to use it - with running as a lower-authorisation user.
By default windows is acting as an SMB server right out of the box and there's just no need for it. With the server service disabled or the default shares switched off this vulberability would not work even if the user did have administrative priveleges.
Why do you need your desktop machine running the server service? In most cases you don't unless you are sharing files or printers.
Why do you need the hidden shares that most users don't even know are there? In the overwhelming majority of cases you don't.
Round here you need a good business case to activate the server service on any windows machine that isn't actually a server.
It seems that MS still haven't learned the meaning of the phrase "secure by default". Yes they spout it a lot, but until they realise that every PC doesn't need to be a server and every PC doesn't need it's drives sharing by default then it's evident that their words are empty. Remember conficker? Part of the standard advice on stopping the spread of that little nasty was to disable the server service on every machine. When are they going to get it?
The usual MS excise for this sort of crap is that the featur's there to make the users' lives easier. This is crap. It's there to make the coders' lives easier. The server service should only be started when a user tries to enable something that requires the server service to run. And when the user disables the last thing that requires the server service then the service should be stopped. And when you do something that will force the server service to start user confirmation should be asked for along with a dire warning of the potential consequences.
It is unavoidable that any large code base will contain vulnerabilities and for that reason vendors should learn that the fewer features that are enabled the fewer vulnerabilities will be exploitable on a given installation. And if the vulnerability is an exception rather than the rule the black hats won't bother trying to exploit it.
On the active directory setup I'm posting from, you can still get at the C$ share regardless of who's logged in. It's very handy for, e.g. remotely pushing driver updates to a machine whilst the person logging the problem is still logged on, without needing to start up remote desktop or anything like that. Just fire it at the appropriate folder under C$.
Though of course you still need an admin account of your own, but various of us users have one of them as our main accounts for the convenience of providing support. Which I guess means that if I was sloppy enough to use IE and get caught by one of these activeX hacks, they could have access to my whole network.
For all the good it'll do them though. Even I can't get to the truly sensitive bits of the servers, and all the workstations have crap-all in the C:\ drives as they're installed to be network drive-accessing black boxes.
Why do we still allow people to use that browser anyway, when it's illegal to drive without a seatbelt?
RW, I think the problems comes from working in a bubble and paying progressively less and less attention to the world around until it forces itself on the enterprise. The more complete monopoly one has and the more emphasis one puts on profit, the less attention is payed to other things and the easier it is to fall into that trap. Likely, insiders who nagged about such issues were probably ostracized.
Using Windows Whatever or IE Whatever in Whatever mode doesn't seem to be a big problem - the first line of the story says "If you use *any* version of Internet Explorer" and doesn't mention XP or Vista or 7 specifically. And the only links are to *similar* vulnerabilities discovered in the past, not to the actual exploit, which hasn't been released yet.
But please do go on believing that running any particular version of anything is "secure". Fact is, IE 8 is just as vulnerable as IE 7, 6, 5, 4, 3, 2, 1 - it's just that many people haven't *seen* the holes yet, not that they don't exist. And the same for Windows 7. Always just look at any security mailing list about six months after any OS is released (no point before that, because people don't like to reveal holes before people even *have* the OS to exploit) and the OS will appear there just the same as any other. Maybe a little less frequently, maybe a little more, but it'll be there.
What matters in my opinion is the response to the holes - and MS only ever seems to "be investigating" them and rarely offers a timely patch. Most MS exploits tend to be released to the public because the security researchers got bored of waiting for a patch or even comment from MS. That's not reassuring to me.
programs using their own heap allocation algorithms isn't new or limited to windows. all software ships with bugs, both known ones and unknown ones. in a private company, probably unlike linux, developers work to deadlines. the product ships on that date or the manager loses his bonus. which is more important, your manager's bonus or product quality? answers on a postcard
MS demonstrate time and time again they don't do security and because you're using IE8 you think you're safe? How long do you think it'll be before it's discovered that the oh-so-safe browser you're using ain't so safe after all? Just because MS say it's the 'safest yet' means f-all, we've been hearing that for years and still the holes keep appearing. Your smug reasoning is as flawed as their browser.
Sounds like it's dropping a VBscript into the cache, then using some jiggery pokery to run it from there in the local zone. Pretty sure that used to be possible (and was exploited) many moons ago. Still, good work to get it working again on more current OSes. In an educational sense - not as in the "great, another exploit to keep away from" sense.
As for SMB - will someone please just put it out of its misery? It's got more crap sticky taped onto it than....
People stupid enough to use Internet Explorer deserve everything they get!
It doesn't matter what we do, it's impossible to protect such people from themselves!
Anyone caught using Internet Explorer should have their computer confiscated and replaced with a big box of crayons!
And any IT department allowing IE use in their business needs to get a pin and pop the Microsoft bubble they live in!
it does seem to be a lot easier and more reliable to install on a domain network, given as it's basically a part of windows itself.
Installing the copy of Firefox I'm using on here did cause some headaches and it only gets worse if I try to use it to any serious extent off of the one workstation I put it on. Woe betide if I let it install an auto update on a different one again..... bye bye extensions, history and bookmarks...
IE8 just breezed on into the computer's pants as if it was made of champagne, chocolate and honey-dipped e-pheremones.
When you talk about the C drive, do you actually mean the C drive?
Not all Windows installations are located on, or even are fitted with a C drive.
No, I see that you do not in fact mean the C drive.
The exploit can gain access to any Windows share. This would make any and all local partitions vulnerable where administrative shares are created (C$, D$, etc).
It is possible to use Group Policy to disable their creation, which may be implemented in some environments.
I think you should have been clearer on this point for your readers. The information you offer could well be misleading.
I expect Microsoft would love to make changes to SMB networking, however I don't see any mention of Samba (SMB networking for Unix/Linux/MacOS/X etc etc) showing this hole.
So perhaps the solution is better found in Internet Explorer, or in reversing the camouflage and conflation of IE with the operating system.
The drive/partition on which you installed Windows is traditionally called the "C-drive", regardless of which letter Windows has actually assigned to it. It's more of an expression than an actual reference to your file-system. (Most of the time, anyways)
So yes - assuming the designers of this hack aren't M$ empl... err.. complete idiots - it should be smart enough to just sniff out the actual letter and use that one instead.
1) Users often dont have a choice - particularly corporate users.
2) Users dont care, they want and rightfully expect their machines to work and since they download all the updates and have paid Mcaffee this year then they are safe. They (users) often have lives outside of their computers, use them for limited and necessary tasks but really would be as happy without them.
Unfortunately your view is reflected by far too many people in IT. Get with the modern times and start realizing that IT is a service to a company, it does not earn fees, so stop being so arrogant.
I recently worked for a large broadcast company who had no specific training for users in basic computing. It was expected that people should know how to use a computer which means they rely on mostly self taught use of internet etc and at home no-one told them not to use IE.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
