IE Hole Is Actually A "Feature"!

By Derek Sooman on July 5, 2004, 4:33 AM
You will recall that last week security experts (man, what a cool job!) released evidence that there were certain vulnerabilities in IE and IIS 5.0 that could allow hackers to redirect browsers and download a keylogging trojan from a Russian website. We posted a story about a released fix, here.

Anyway, you will be interested, I am sure, to find out that this security flaw is actually a feature that allows an ActiveX ADODB.Stream object to read and write files on a hard drive. Attackers used this "feature" to download copies of a keystroke logging trojan onto unsuspecting browser users' computers.

In addition to the fix, there is also now a workaround in progress, and rest assured Microsoft is currently thinking up more "features" for us as we speak.




User Comments: 28

Mictlantecuhtli said:
Somehow I find scripts that don't have read/write access to local files to be more secure..
Phantasm66 said:
What, you mean as in UNIX, basically? Yeah.
STK said:
Thank god IE isn't good, lol, it stopped working for me a little while ago.
Phantasm66 said:
I've started using Firefox (http://www.mozilla.org/products/firefox/) for anything I consider in any way hostile (i.e. just about every web site out there!)
STK said:
I am using Mozilla, since IE stopped working.
Federelli said:
I second that, Phantasm66. Though my IE hasn't stopped working at all. But I did use to get lots of adware, and with Firefox, I've not used Ad-Aware for a long time now. I wonder what you meant with "features" ;)
Phantasm66 said:
...and when Longhorn arrives, I am sure that will be "feature" packed as well!
STK said:
Yes, I think it will be... just like every other Windows OS.
Phantasm66 said:
Just think about all of the "features" Microsoft is working on right now...
STK said:
Ya, I think they will probably have a more advanced "feature" where anyone is allowed to access your Windows folder.
Phantasm66 said:
I can very vividly picture Bill Gates in my head saying "....and it's got these really cool features, where blah blah blah...." I think a much better approach to modern software engineering on products destined for the unwashed masses should be to rank what people hate about computers and exterminate everything on the list. Then redesign based on that. Not add more problems to something that's already got enough problems, thanks. It doesn't take much imagination to put things like spam, security holes, viruses and so forth on that list, and design products that from the ground up just aren't susceptible to these things, full stop. All of this going around adding "features" is basically adding extra bugs onto things that are already bug ridden and messy. If Firefox shows us anything, it is that a successful product is simple in design, just does what you want it to do, and does not permit anything annoying. End of story.
STK said:
Ya, I can see Bill saying that. I can also picture the Windows where you are working on a Word document and it crashes and says Error 263472562738253822936 (also known as some cracker is looking at your personal files right now and we think it would help if we ended Word). Then that guy that uses Linux and doesn't get any bugs, viri, trojans, adware, or spyware, that got your IP address from who knows where (one of the millions of places that your IP is just waiting to be taken), is sitting at his computer laughing at you.
Mictlantecuhtli said:
> Originally posted by Phantasm66:
> All of this going around adding "features" is basically adding extra bugs onto things that are already bug ridden and messy. If Firefox shows us anything, it is that a successful product is simple in design, just does what you want it to do, and does not permit anything annoying.

Perfection is reached, not when there is no longer anything to add, but when there is no longer anything to take away. -- Antoine de Saint-Exupery
BrownPaper said:
Microsoft has good intentions trying to create the capabilities to have programs do more and more. Their problem is that their software sometimes does more than we want it to (without our consent). Shoddy programming is making things very complex and huge. Just make it do what the software is supposed to do and not make it do anything else.
Strakian said:
Funny how this never really affects "joe schmoe user" like it affects people in the know. Ignorance is bliss after all... I remember when features sounded like a good thing.
Phantasm66 said:
The problems ARE affecting you, you just don't know it's happening. It's like being infected with a virus on your machine and you don't have anti-virus software so you don't even know it's there. But that doesn't change the fact that it IS there.
Strakian said:
True, but I was making the point that joe schmoe only checks his e-mail and looks up flights occasionally... they're not running their office's network security or anything... you know, the guys with an AMD 600 and no reason to upgrade. Thought I'd throw this out there too, in regards to the Anti-Virus: I recently found that Avast AntiVirus is a great FREEWARE anti virus. You have to register, but it's free and hassle-free, just fill out like a 3 second form and they e-mail you a reg code that's valid for a year.. then when the year is up, register again for free!! I'm not one for advertising, but it's definitely worth a look. It even scans incoming website trojans, much related to this topic, so I KNOW I was having issues with this IE 'Feature' on one of my comps. You can get Avast from download.com
fictionised said:
Opera owns. www.opera.com
Phantasm66 said:
> Originally posted by Mictlantecuhtli:
> Perfection is reached, not when there is no longer anything to add, but when there is no longer anything to take away. -- Antoine de Saint-Exupery

Really, it IS true. You can't believe how much better my computing seems now I have stripped away a lot of the unnecessary rubbish like:
1) Dual booting
2) Having small screens with lots of windows open
3) Constantly chasing all of the most "up-to-date" application suites like office, photoshop, macromedia, etc...
...and just concentrated on pure USE. If you don't use something don't bother installing it, and the best software to use is likely to be that which is simple and effective in a great many cases.

> Originally posted by Strakian:
> true, but I was making the point that joe schmoe only checks his e-mail and looks up flights occasionally... they're not running their offices network security or anything... you know, the guys with a AMD 600 and no reason to upgrade.

...which is exactly why these guys need simple, bug-free software just like Mozilla Firefox that is not prone to complex and annoying problems. These people aren't equipped to deal with these complex security issues and so forth so they need to know it's being dealt with. A lot of the problems that "joe nobody" experiences with computing IS a result of security problems and viruses, they just don't realise it. They blame themselves. They think it's just "them being stupid" and don't realise that they have a virus infection or anything like that because they have no anti-virus software and don't know how to get it or that they need it.
CountMackulaHPT said:
First thing...I'm a little tired of everyone bashing Microsoft so badly...they may not be a perfect company, but their visions and intentions are usually for the better...the problem isn't them so much...the problem is this world is filled with A-holes who have nothing better to do than try to exploit someone else's creations/products...these "hackers"...who instead of using their programming knowledge for the better of the world...try to take the easy route to steal credit card numbers or just screw up hard working people's computers for pure enjoyment...the reason Microsoft is the most vulnerable is because they have the most users...of course some new browser that has not been around long and isn't used by 90% of web users isn't likely to have attacks...there's no benefit in hacks trying to pick apart that software...no, they want to affect more people when they strike...and who has more customers than Microsoft...people do things on the internet that they would never do in person...people that would never walk into a CD store and try to run out with a bunch of free CDs will download free songs off the internet all day and all night and don't see the difference...although you might argue about Kazaa vs. the radio or something like that, the point is it comes down to computer ethics...you all make it sound like Microsoft is SOOOOO evil and they purposely try to make their code easily exploitable...that's just silly....they pour millions into software writing...they have many, many code writers and code checkers working together...that's a tough task to do right there...but instead they get bashed by people that either know nothing about writing software, in whatever language, or by people who have maybe written a program with 1/1000000 the lines of code and intricacy of Microsoft's Windows OS...sure it's not perfect...but that's the American way....make a buck...make a buck...make a buck....they're going to add new features, they're going to try to speed things up and make things run more fluidly...maybe all the Microsoft bashers in the world need to spend their forum writing time more wisely...like trying to educate people on computer ethics...or trying to inform these "joe schmoes" how to avoid these trojans and viruses...since you all are the "experts" that you say you are...then you should be helping the computer illiterate...and as far as the person that said to design the software to not be susceptible to a list of bugs...maybe Microsoft could take more time to get some things right...but everyone complains as soon as they push their new OS back a little because they are IMPATIENT...if you have a problem with it, it's not hard to become a Microsoft beta tester and let them know of bugs in their beta releases...people are more worried about benchmarking and features though....that's why they want to pack them with features...look at any Longhorn review you have ever seen...they all talk 99% about features....new file systems...new GUIs...etc....and they sometimes mention that something wasn't working properly...yet...and it's a beta...but everyone wants to know what "features" are different about Longhorn than XP...what's new...then when Microsoft delivers on that front...40% of the people complain and complain...20% try to find exploits and the rest are the joe schmoes and decent people that are trying to use their computers for the powers of good...what would you say if Microsoft's next OS shipped sometime soon...and when you got it it was exactly the same as XP except they made it hackproof...impenetrable to viruses and attacks...uncrashable...(which is unlikely btw, that ANY company could pull that one off) but all you whiners would do is whine that it's not more advanced than XP...MS didn't give you any new features...whine whine whine whine whine...and while we're on the subjects of MAC OS and LINUX...let's pretend that one of those systems crushed MS out of the OS business...and since they are unlikely to go bankrupt any time soon...they'd probably survive in different markets somehow, they do have billions, but what makes you all think that the evil computerdoers of the world wouldn't suddenly start trying to find ways of exploiting other OS's...believe me they would...I am aware there is no way to post a message like this without a slew of replies, and that's fine...everyone's entitled to their opinions....it just seems to me that Microsoft does not intentionally try to make their software be easy to attack by rogue programmers...but more the fact that this world is full of f*cked up people who only want to make other people's lives miserable...
Phantasm66 said:
A very good and well thought out reply :)
Nic said:
CountMackulaHPT: How about some judicious placement of whitespace in your future posts? Maybe it'll make it easier to read :=). I think people bash Microsoft because it is currently fashionable, and because they don't like monopolies that overprice their products to a captive market. There is no getting away from the fact that Windows XP is still the best balanced OS available in terms of usability and features. Once Microsoft shake off the legacy of having to run old 16 bit code, then things will improve significantly. Now that .NET is here, and Longhorn is being built on .NET (as are future Microsoft products) then we should see a huge leap forward in terms of security and stability. You can't make major advancements overnight, but with security being such a hot topic of late (it wasn't a few years ago), you can bet that future Microsoft products will be worth the wait.
Vehementi said:
CountMackulaHPT, both the standard PPC, x86, and x64 architectures all have something in common: the Enter key. It is used to facilitate use of the paragraph, which is very efficient in using line breaks to better organize large blocks of text, which you seem to be keen on using. It thus assists in more efficient lecturing of the information presented. Please do not neglect this tool in the future, because as you can see it expedites better understanding and as thus contributes more to general information provided in this magnificent library of knowledge we have here now.
Strakian said:
You've put me in my place CountMackulaHPT, a good read, and a good point. Sometimes all you need is a different perspective.
DigitAlex said:
Vehementi seems to have taken some English courses or something :D It's good to see you writing nice stuff, not like in IRC hehehe.
BrownPaper said:
Apparently, even Microsoft's own online magazine Slate is bashing Internet Explorer in favor of Mozilla Firefox. "No matter how well they had protected themselves against viruses, spyware, and everything else in the past, they were still vulnerable to yet another flaw in Microsoft's browser." http://slate.msn.com/id/2103152/ I am sure Microsoft will get their act together eventually, however. In the mean time, I am suspicious.
Nodsu said:
Why not blame the construction company that built you a house with lockable bulletproof windows.. that can be lifted off the wall by using convenient handles on the outside? And please do use the "paragraphs". They were invented some centuries ago I believe and there are no pending MS patents AFAIK :p
Phantasm66 said:
I think all of you need to shut up and listen to me: IE is buggy as hell and Microsoft are evil, OK? ;)