More IE Flaws!

By Derek Sooman on June 29, 2004, 7:43 AM
Security experts have advised internet users to either turn off some Internet Explorer features or to use another browser. Unknown attackers who had taken control of several Web servers used the flaw last week to install a remote-access program, dubbed JS.Scob.Trojan, onto the PCs of visitors to those sites.

"I hope that Microsoft will come up with a patch soon," said Johannes Ullrich, chief technology officer for the Internet Storm Center, a site that monitors network threats. "Until they do, you basically have two choices: Disable JavaScript in Internet Explorer or install another browser."

User Comments: 30

Mictlantecuhtli said:
Yeah right. No matter how many flaws it has, people using it won't switch. This was already seen in [url=http://www.techspot.com/vb/showthread.php?s=&threadid=1698]Time to Dump Internet Explorer[/url]. And if you disable scripting, many sites will stop working properly.
---agissi--- said:
Yeah, it's funny how all these "flaws" never actually 'flaw' anything of mine or affect me in any way.
acidosmosis said:
I'll try not to bring up the point that other browsers lack so much that IE doesn't and how a simple firewall fixes this issue with (being attacked) and allows us to use a functional browser which has everything I need in one browser that all other browsers never can do correctly or just don't do at all. Not counting how ugly they all are (myIE2 looks alright though). Oops!
Nic said:
[quote][i]Originally posted by ---agissi--- [/i]Yeah, it's funny how all these "flaws" never actually 'flaw' anything of mine or affect me in any way. [/quote] You sound like the smoker that said "well, smoking never did me any harm" then later died of lung cancer. [quote][i]Originally posted by acidosmosis [/i]... a simple firewall fixes this issue with (being attacked) ...[/quote] Oh, and a firewall doesn't stop JavaScript from executing. Firewalls only block attacks that aren't the result of a response to a request from the client PC (i.e. if your browser issued a request for a web page, which resulted in malicious code being downloaded as part of the response, then having a firewall won't help). Firewalls essentially stop a request (that originates from outside your PC) from reaching your system (e.g. your browser, or other software).
acidosmosis said:
[quote][i]Originally posted by Nic [/i]Oh, and a firewall doesn't stop JavaScript from executing. Firewalls only block attacks that aren't the result of a response to a request from the client PC (i.e. if your browser issued a request for a web page, which resulted in malicious code being downloaded as part of the response, then having a firewall won't help). Firewalls essentially stop a request (that originates from outside your PC) from reaching your system (e.g. your browser, or other software). [/quote] Well I will have to go with Agissi and say how come if it's such an issue I haven't had a problem? All it takes is common sense.
BrownPaper said:
A software firewall will not do anything either if you allow IE permission to access the internet (which most people do). The firewall will not protect against malicious websites, etc. since you ok'ed it through the firewall.
Nic said:
[quote][i]Originally posted by BrownPaper [/i]A software firewall will not do anything either if you allow IE permission to access the internet (which most people do). [/quote] A software firewall will allow your browser to access the web, but it will stop 'the web' from accessing your browser. The original request must start from the browser. Firewalls prevent access to your system if that access 'originates' from an external source.
Nic said:
[quote][i]Originally posted by acidosmosis [/i]Well I will have to go with Agissi and say how come if it's such an issue I haven't had a problem? All it takes is common sense. [/quote] Common sense? If you want to live up to that statement then follow the advisory (i.e. "Disable JavaScript in Internet Explorer or install another browser."). Did all those users that suffered from the 'Blaster' attack use good common sense (i.e. they never had any problems before, so why should they have kept up to date with patches and thus prevented the problem?). The point being that hackers only start to target exploits once they know about them. Because of the security alert, hackers are already aware of these issues and may decide to target users using newly discovered exploits. Does common sense prevail?
Per Hansson said:
acidosmosis; your point is seriously flawed. The issue talked about here is that many _major_ dot-com sites (including banks) were hacked into and got some JavaScript code appended to their html files, so that whenever you requested any page on their site you also got back a Trojan that logged all your keystrokes. Since this trojan comes from the server you request the page from, your firewall will _not_ block it! I suggest you read up on things before you make such claims as you do, I am sorry to be so harsh but this is a very serious issue. There is currently no patch for this flaw in Internet Explorer that other browsers are not affected by. Even CERT advised that you should not use Internet Explorer for this reason.
---agissi--- said:
You pose a very good reply Nic, however I have a hard firewall in my router so that's probably why I don't seem to be having any hitches.
acidosmosis said:
[quote][i]Originally posted by Nic [/i]Common sense? If you want to live up to that statement then follow the advisory (i.e. "Disable JavaScript in Internet Explorer or install another browser."). [/quote] Eh, Nick.. only an ***** would disable JS. Then your browser isn't worth much more than this crap they call Firefox for example. And yes obviously I know what a firewall does, but the fact remains (and yes it is a fact) that a firewall and common sense is all you need to be completely fine. I've survived on the web for about 10 years with hardly any problems. And up until about 2 weeks ago, that was without a firewall, without turning anything off in IE, or doing any of these things the so called "experts" recommend. No offence to any of you guys, but if you're having so many problems and are so scared that you have to switch browsers then you can't make it out like because you switched to another browser it makes you "smart". That only means you can't handle the heat and don't know how to avoid problems.
acidosmosis said:
[quote][i]Originally posted by Per Hansson [/i]I suggest you read up on things before you make such claims as you do, I am sorry to be so harsh but this is a very serious issue. There is currently no patch for this flaw in Internet Explorer that other browsers are not affected by.[/quote] And I suggest you read what I said and quit making assumptions and turning my posts around into meaning something totally different. Who cares what IE is affected by, other than the general public. If you're so afraid and get hit by exploits so much then you need to rethink your level of expertise. Period.
Rick said:
Hardware or software firewall isn't going to stop a scripted exploit through Internet Explorer. If you visit an "infected" website.. You've already accepted the connection. It isn't about connection, it's about scripts running on your computer. Disabling JavaScript would probably be the only fix for this... Until a patch is released of course. A good virus scanner which scans Internet Explorer scripts before they are executed would probably stop this too.
---agissi--- said:
Ya or you could just not go to the sites with this crap.
Rick said:
[quote][i]Originally posted by ---agissi--- [/i]Ya or you could just not go to the sites with this crap. [/quote] haha.. Yep. :) I wonder which sites have been HaX0r3d?
Unregistered said:
[quote][i]Originally posted by acidosmosis [/i]Eh, Nick.. only an ***** would disable JS. Then your browser isn't worth much more than this crap they call Firefox for example.[/quote] Last time I checked today, Firefox has JavaScript.
BrownPaper said:
[quote][i]Originally posted by acidosmosis [/i]Eh, Nick.. only an ***** would disable JS. Then your browser isn't worth much more than this crap they call Firefox for example.[/quote] Last time I checked today, Firefox has JavaScript.
Nodsu said:
I think acidosmosis should be reminded that he was the one starting the infamous Blaster thread.. You shouldn't make "common sense = no problems" claims when we all know that you have had issues.
BrownPaper said:
Common sense also suggests the principle, "better safe than sorry." Acid, I do not know how continuing to use IE despite security warnings by security experts is common sense. Apparently, you do not believe in the credibility of these security experts so I guess there is nothing that will sway you from your position.
Per Hansson said:
[quote][i]Originally posted by acidosmosis [/i]And I suggest you read what I said and quit making assumptions and turning my posts around into meaning something totally different. Who cares what IE is affected by, other than the general public. If you're so afraid and get hit by exploits so much then you need to rethink your level of expertise. Period. [/quote]

[quote][i]Originally posted on ISC Daily diary [URL=http://isc.sans.org/diary.php?date=2004-06-25]2004-06-2[/URL][/i]A large number of web sites, some of them quite popular, were compromised earlier this week to distribute malicious code. The attacker uploaded a small file with JavaScript to infected web sites, and altered the web server configuration to append the script to all files served by the web server. The Storm Center and others are still investigating the method used to compromise the servers. Several server administrators reported that they were fully patched. If a user visited an infected site, the JavaScript delivered by the site would instruct the user's browser to download an executable from a Russian web site and install it. Different executables were observed. These trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system. The JavaScript uses a so far unpatched vulnerability in MSIE to download and execute the code. No warning will be displayed. The user does not have to click on any links. Just visiting an infected site will trigger the exploit.[/quote]

[quote][i]Originally posted by acidosmosis[/i]Who cares what IE is affected by, other than the general public. If you're so afraid and get hit by exploits so much then you need to rethink your level of expertise. Period.[/quote]

Let me ask you one thing Acid, do you know the sites you visit so well that you can be 100% certain that they have not been hacked into without the siteadmin knowing it? The Internet Storm Center mentioned in one of their news diaries that major sites had been targeted.. Including banks. The only thing you would need to do is visit these hacked sites' frontpage and you would be infected. No error message would be delivered by explorer or your computer and the site you visit would look exactly the same as it did before the attack. Furthermore antivirus definitions were not available for these problems until several days after the initial attack, and as we all know the people creating these viruses/trojans only need to slightly change them so they are not detected by the latest AV definitions...

[quote][i]Originally posted by acidosmosis[/i]Eh, Nick.. only an ***** would disable JS. Then your browser isn't worth much more than this crap they call Firefox for example.[/quote]

Maybe you should quit making these assumptions? Firefox handles JavaScript very fine thank you. Plus it does it without the added benefit of allowing sites to install a backdoor to your computer without any information.

[quote][i]Originally posted by acidosmosis[/i]And yes obviously I know what a firewall does, but the fact remains (and yes it is a fact) that a firewall and common sense is all you need to be completely fine. I've survived on the web for about 10 years with hardly any problems. And up until about 2 weeks ago, that was without a firewall, without turning anything off in IE, or doing any of these things the so called "experts" recommend.[/quote]

Yet again I want you to realize that a firewall would do nothing to stop this sort of attack we see here, since the file is downloaded from the server you request data from.

[quote][i]Originally posted by acidosmosis[/i]I'll try not to bring up the point that other browsers lack so much that IE doesn't and how a simple firewall fixes this issue with (being attacked) and allows us to use a functional browser which has everything I need in one browser that all other browsers never can do correctly or just don't do at all. Not counting how ugly they all are (myIE2 looks alright though).[/quote]

Internet Explorer does not offer _any_ additional functionality compared to Opera or Firefox, the _only_ thing it offers is compatibility with sites that do not follow the W3C standard. Yet again, a firewall would _not_ stop this kind of attack we saw here from happening where a large number of websites were hacked into and got some JavaScript code appended dynamically to every html file the server serves to endusers.
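
The ISC diary quoted in the comment above says the web server configuration was altered so that a script was appended to every file served. As an added example (not part of the original thread, and not code from ISC or any vendor), here is a check a site administrator could run: compare each file as stored on disk with the same file as the server delivers it, and flag script content that appears only in the served copy. The function names, verdict labels and sample pages are assumptions made for this illustration.

```python
import re

SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)

def _norm(data: bytes) -> bytes:
    # Ignore line-ending and trailing-whitespace differences between copies.
    return data.replace(b"\r\n", b"\n").rstrip()

def classify(on_disk: bytes, served: bytes):
    """Compare one file as stored with the same file as the server sent it."""
    disk, body = _norm(on_disk), _norm(served)
    if body == disk:
        return "match", b""
    if disk and body.startswith(disk):
        extra = body[len(disk):].strip()
        kind = "appended-script" if SCRIPT_TAG.search(extra) else "appended-other"
        return kind, extra
    return "differs", b""  # changed somewhere other than the tail; diff by hand

def audit(pages):
    """pages maps path -> (on_disk_bytes, served_bytes)."""
    verdicts, suffixes = {}, set()
    for path, (on_disk, served) in pages.items():
        kind, extra = classify(on_disk, served)
        verdicts[path] = kind
        if kind.startswith("appended"):
            suffixes.add(extra)
    flagged = sorted(p for p, k in verdicts.items() if k == "appended-script")
    # The same script tail on every page points at the server configuration
    # rather than at one edited file.
    site_wide = len(pages) > 1 and len(flagged) == len(pages) and len(suffixes) == 1
    return {"verdicts": verdicts, "flagged": flagged, "site_wide": site_wide}

# Constructed sample data: the footer is a placeholder, not from the incident.
FOOTER = b'<script src="/placeholder-footer.js"></script>'
SAMPLE = {
    "/index.html": (b"<html><body>Home</body></html>\r\n",
                    b"<html><body>Home</body></html>\n" + FOOTER + b"\n"),
    "/about.html": (b"<html><body>About</body></html>",
                    b"<html><body>About</body></html>" + FOOTER),
}

if __name__ == "__main__":
    report = audit(SAMPLE)
    for path, verdict in report["verdicts"].items():
        print(path, verdict)
    print("same script appended to every page:", report["site_wide"])
```

The check only works for static files whose served form should equal the stored form; dynamically generated pages come back as "differs" and need a different baseline.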
---agissi--- said:
Not too sure where all the posts went (including mine) but I'll say it again, just stick away from the sites with this stuff to mess you up, be cool like me, and you don't need to worry about all the reported flaws.
Nic said:
[quote][i]Originally posted by ---agissi--- [/i]Not too sure where all the posts went (including mine) but I'll say it again, just stick away from the sites with this stuff to mess you up, be cool like me, and you don't need to worry about all the reported flaws. [/quote] And exactly how do you tell which sites are/aren't infected? :blackeye: Maybe you are psychic, unlike the rest of us here, no? :confused: Seems to me that everything posted here went completely over your head. :rolleyes:
young&wild said:
[quote][i]Originally posted by ---agissi--- [/i]Not too sure where all the posts went (including mine) but I'll say it again, just stick away from the sites with this stuff to mess you up, be cool like me, and you don't need to worry about all the reported flaws. [/quote] Dude, I'm just curious how do you know if a website is safe or not? We are talking about JavaScript here not like your ordinary virus attack that doesn't use JavaScript. I suggest you please READ Per's last post a few times thoroughly before posting ANY new comments.
Rick said:
I understand sticking with an argument.. That's what makes discussion fun. :) But there's a point where you have to throw in the towel. This point occurs when your argument is contested by fact.
FACT: This exploit only affects IE users. JavaScript can be run on most browsers. But this is an exploit which only takes advantage of IE's security flaws [i]only[/i]. So other browsers are not susceptible (for the time being).
FACT: A firewall does not stop JavaScript. That's up to you. However, a future security patch, disabling JavaScript or an antivirus able to detect the exploit may prevent infection.
FACT: You do not know all of the sites that are infected. The websites are bugged unknowingly by a hacker. Not even the web admin may know about the problem (otherwise it would probably be fixed...). So us individuals DEFINITELY don't know if a site has been compromised or not. Don't assume you do.
Godataloss said:
So I can use firefox to pay my credit card later? I'm liking it more and more. I can almost see agissi's and acid's points (if you totally disregard the fact that you have no way of knowing which sites are infected), but using IE is becoming akin to using day-glo skins in a deathmatch - why make yourself more of a target? There is daring and then there is stoopid...
Nic said:
[quote]THE US GOVERNMENT has sent out a warning out to internet users through its Computer Emergency Readiness Team (US-CERT), pleading users to stop using Microsoft's Internet Explorer. Following a malware attack last week which targeted a known flaw in IE, like so many other attacks, the US-CERT recommended using alternative browsers thanks to their increased security. Microsoft is hurriedly trying to increase IE's security with the Windows XP Service Pack 2, but it's not fast enough for many. In a vulnerability note released by US-CERT, it says "there are a number of significant vulnerabilities in technologies relating to the IE domain" and that "it is possible to reduce exposure to these vulnerabilities by using a different web browser." Well, they're right. The latest "extremely critical" IE bug has still not been patched by Microsoft. [/quote] [URL=http://www.theinquirer.net/?article=16922]Internet Exploder will harm your machine[/URL]
---agissi--- said:
[b] Lay it down Rick! :D [/b] And to the point of how I know what sites are infected or not - It comes naturally, hence I'm clean to date :)
Nic said:
Uranus :p
---agissi--- said:
Yeah maybe it's the home land 8)
Rick said:
[quote][i]Originally posted by ---agissi--- [/i]And to the point of how I know what sites are infected or not - It comes naturally, hence I'm clean to date :) [/quote] :D