More IE Flaws!

Phantasm66

Security experts have advised internet users to either turn off some Internet Explorer features or to use another browser. Unknown attackers who had taken control of several Web servers used the flaw last week to install a remote-access program, dubbed JS.Scob.Trojan, onto the PCs of visitors to those sites.

"I hope that Microsoft will come up with a patch soon," said Johannes Ullrich, chief technology officer for the Internet Storm Center, a site that monitors network threats. "Until they do, you basically have two choices: Disable JavaScript in Internet Explorer or install another browser."

More here.
 
Yeah, it's funny how all these "flaws" never actually 'flaw' anything of mine or affect me in any way.
 
I'll try not to bring up the point that other browsers lack so much that IE doesn't and how a simple firewall fixes this issue with (being attacked) and allows us to use a functional browser which has everything I need in one browser that all other browsers never can do correctly or just don't do at all. Not counting how ugly they all are (myIE2 looks alright though).

Oops!
 
Originally posted by ---agissi---
Yeah, it's funny how all these "flaws" never actually 'flaw' anything of mine or affect me in any way.
You sound like the smoker that said "well, smoking never did me any harm" then later died of lung cancer.

Originally posted by acidosmosis
... a simple firewall fixes this issue with (being attacked) ...
Oh, and a firewall doesn't stop JavaScript from executing. Firewalls only block attacks that aren't the result of a response to a request from the client PC (i.e. if your browser issued a request for a web page, which resulted in malicious code being downloaded as part of the response, then having a firewall won't help). Firewalls essentially stop a request (that originates from outside your PC) from reaching your system (e.g. your browser, or other software).
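
The distinction drawn in the post above, sketched as an added example (not part of the original thread): a minimal model of a stateful packet filter. The class, the addresses (documentation ranges) and the payload are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class StatefulFirewall:
    """Allow outbound traffic; allow inbound only as a reply to a tracked flow."""

    def __init__(self, inside: str):
        self.inside = inside
        self.flows = set()  # (client, client_port, server, server_port)

    def filter(self, pkt: Packet) -> str:
        if pkt.src == self.inside:
            # Outbound: remember the flow so the reply can come back in.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Inbound: the decision uses addresses and ports only, never payload.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ALLOW"
        return "DROP"


def demo() -> list:
    fw = StatefulFirewall(inside="192.0.2.10")
    # The browser asks for a page: the flow starts from inside.
    request = Packet("192.0.2.10", 49152, "198.51.100.80", 80, b"GET / HTTP/1.1")
    # The server answers on the same flow; the body carries an appended script.
    reply = Packet("198.51.100.80", 80, "192.0.2.10", 49152,
                   b"<html>...</html><script>/* constructed placeholder */</script>")
    # An unrelated host tries to open a connection to the PC.
    unsolicited = Packet("203.0.113.5", 40000, "192.0.2.10", 135)
    return [fw.filter(p) for p in (request, reply, unsolicited)]


if __name__ == "__main__":
    print(demo())
```

The reply is allowed because it matches a flow the browser opened; what the response body contains plays no part in the decision.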
 
Originally posted by Nic
Oh, and a firewall doesn't stop JavaScript from executing. Firewalls only block attacks that aren't the result of a response to a request from the client PC (i.e. if your browser issued a request for a web page, which resulted in malicious code being downloaded as part of the response, then having a firewall won't help). Firewalls essentially stop a request (that originates from outside your PC) from reaching your system (e.g. your browser, or other software).

Well I will have to go with Agissi and say how come if it's such an issue I haven't had a problem? All it takes is common sense.
 
A software firewall will not do anything either if you allow IE permission to access the internet (which most people do).

The firewall will not protect against malicious websites, etc. since you ok'ed it through the firewall.
 
Originally posted by BrownPaper
A software firewall will not do anything either if you allow IE permission to access the internet (which most people do).
A software firewall will allow your browser to access the web, but it will stop 'the web' from accessing your browser. The original request must start from the browser. Firewalls prevent access to your system if that access 'originates' from an external source.
 
Originally posted by acidosmosis
Well I will have to go with Agissi and say how come if it's such an issue I haven't had a problem? All it takes is common sense.
Common sense? If you want to live up to that statement then follow the advisory (i.e. "Disable JavaScript in Internet Explorer or install another browser.").

Did all those users that suffered from the 'Blaster' attack use good common sense (i.e. they never had any problems before, so why should they have kept up to date with patches and thus prevented the problem?).

The point being that hackers only start to target exploits once they know about them. Because of the security alert, hackers are already aware of these issues and may decide to target users using newly discovered exploits. Does common sense prevail?
 
acidosmosis; your point is seriously flawed.

The issue talked about here is that many _major_ dot-com sites (including banks) were hacked into and got some JavaScript code appended to their HTML files, so that whenever you requested any page on their site you also got back a Trojan that logged all your keystrokes.

Since this trojan comes from the server you request the page from, your firewall will _not_ block it!

I suggest you read up on things before you make such claims as you do, I am sorry to be so harsh but this is a very serious issue. There is currently no patch for this flaw in Internet Explorer that other browsers are not affected by.

Even CERT advised that you should not use Internet Explorer for this reason.
 
You pose a very good reply Nic, however I have a hard firewall in my router so that's probably why I don't seem to be having any hitches.
 
Originally posted by Nic
Common sense? If you want to live up to that statement then follow the advisory (i.e. "Disable JavaScript in Internet Explorer or install another browser.").

Eh, Nick.. only an ***** would disable JS. Then your browser isn't worth much more than this crap they call Firefox for example.

And yes obviously I know what a firewall does, but the fact remains (and yes it is a fact) that a firewall and common sense is all you need to be completely fine. I've survived on the web for about 10 years with hardly any problems. And up until about 2 weeks ago, that was without a firewall, without turning anything off in IE, or doing any of these things the so called "experts" recommend.

No offence to any of you guys, but if you're having so many problems and are so scared that you have to switch browsers then you can't make it out like because you switched to another browser it makes you "smart". That only means you can't handle the heat and don't know how to avoid problems.
 
Originally posted by Per Hansson
I suggest you read up on things before you make such claims as you do, I am sorry to be so harsh but this is a very serious issue. There is currently no patch for this flaw in Internet Explorer that other browsers are not affected by.

And I suggest you read what I said and quit making assumptions and turning my posts around into meaning something totally different.

Who cares what IE is affected by, other than the general public. If you're so afraid and get hit by exploits so much then you need to rethink your level of expertise. Period.
 
Hardware or software firewall isn't going to stop a scripted exploit through Internet Explorer.

If you visit an "infected" website.. You've already accepted the connection. It isn't about connection, it's about scripts running on your computer.

Disabling JavaScript would probably be the only fix for this... Until a patch is released of course. A good virus scanner which scans Internet Explorer scripts before they are executed would probably stop this too.
 
Originally posted by acidosmosis
Eh, Nick.. only an ***** would disable JS. Then your browser isn't worth much more than this crap they call Firefox for example.

Last time I checked today, Firefox has Javascript.
 
I think acidosmosis should be reminded that he was the one starting the infamous Blaster thread..

You shouldn't make "common sense = no problems" claims when we all know that you have had issues.
 
Common sense also suggests the principle, "better safe than sorry."

Acid, I do not know how continuing to use IE despite security warnings by security experts is common sense. Apparently, you do not believe in the credibility of these security experts so I guess there is nothing that will sway you from your position.
 
Originally posted by acidosmosis
And I suggest you read what I said and quit making assumptions and turning my posts around into meaning something totally different.

Who cares what IE is affected by, other than the general public. If you're so afraid and get hit by exploits so much then you need to rethink your level of expertise. Period.

Originally posted on ISC Daily diary 2004-06-25
A large number of web sites, some of them quite popular, were compromised earlier this week to distribute malicious code. The attacker uploaded a small file with javascript to infected web sites, and altered the web server configuration to append the script to all files served by the web server. The Storm Center and others are still investigating the method used to compromise the servers. Several server administrators reported that they were fully patched.

If a user visited an infected site, the javascript delivered by the site would instruct the user's browser to download an executable from a Russian web site and install it. Different executables were observed. These trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system.

The javascript uses a so far unpatched vulnerability in MSIE to download and execute the code. No warning will be displayed. The user does not have to click on any links. Just visiting an infected site will trigger the exploit.


Originally posted by acidosmosis
Who cares what IE is affected by, other than the general public. If you're so afraid and get hit by exploits so much then you need to rethink your level of expertise. Period.

Let me ask you one thing Acid, do you know the sites you visit so well that you can be 100% certain that they have not been hacked into without the siteadmin knowing it?

The Internet Storm Center mentioned in one of their news diaries that major sites had been targeted.. Including banks. The only thing you would need to do is visit these hacked sites' front page and you would be infected. No error message would be delivered by Explorer or your computer and the site you visit would look exactly the same as it did before the attack.

Furthermore antivirus definitions were not available for these problems until several days after the initial attack, and as we all know the people creating these viruses/trojans only need to slightly change them so they are not detected by the latest AV definitions...

Originally posted by acidosmosis
Eh, Nick.. only an ***** would disable JS. Then your browser isn't worth much more than this crap they call Firefox for example.
Maybe you should quit making these assumptions? Firefox handles JavaScript very fine thank you. Plus it does it without the added benefit of allowing sites to install a backdoor to your computer without any information.

Originally posted by acidosmosis
And yes obviously I know what a firewall does, but the fact remains (and yes it is a fact) that a firewall and common sense is all you need to be completely fine. I've survived on the web for about 10 years with hardly any problems. And up until about 2 weeks ago, that was without a firewall, without turning anything off in IE, or doing any of these things the so called "experts" recommend.

Yet again I want you to realize that a firewall would do nothing to stop this sort of attack we see here, since the file is downloaded from the server you request data from.


Originally posted by acidosmosis
I'll try not to bring up the point that other browsers lack so much that IE doesn't and how a simple firewall fixes this issue with (being attacked) and allows us to use a functional browser which has everything I need in one browser that all other browsers never can do correctly or just don't do at all. Not counting how ugly they all are (myIE2 looks alright though).

Internet Explorer does not offer _any_ additional functionality compared to Opera or Firefox, the _only_ thing it offers is compatibility with sites that do not follow the W3C standard.

Yet again, a firewall would _not_ stop this kind of attack we saw here from happening where a large number of websites were hacked into and got some JavaScript code appended dynamically to every HTML file the server serves to end users.
 
Not too sure where all the posts went (including mine) but I'll say it again, just stick away from the sites with this stuff to mess you up, be cool like me, and you don't need to worry about all the reported flaws.
 
Originally posted by ---agissi---
Not too sure where all the posts went (including mine) but I'll say it again, just stick away from the sites with this stuff to mess you up, be cool like me, and you don't need to worry about all the reported flaws.
And exactly how do you tell which sites are/aren't infected? :blackeye:

Maybe you are psychic, unlike the rest of us here, no? :confused:

Seems to me that everything posted here went completely over your head. :rolleyes:
 
Originally posted by ---agissi---
Not too sure where all the posts went (including mine) but I'll say it again, just stick away from the sites with this stuff to mess you up, be cool like me, and you don't need to worry about all the reported flaws.

Dude, I'm just curious how do you know if a website is safe or not? We are talking about JavaScript here not like your ordinary virus attack that doesn't use JavaScript.

I suggest you please READ Per's last post a few times thoroughly before posting ANY new comments.
 
I understand sticking with an argument.. That's what makes discussion fun. :)

But there's a point where you have to throw in the towel. This point occurs when your argument is contested by fact.

FACT: This exploit only affects IE users. JavaScript can be run on most browsers. But this is an exploit which only takes advantage of IE's security flaws. So other browsers are not susceptible (for the time being).

FACT: A firewall does not stop JavaScript. That's up to you. However, a future security patch, disabling JavaScript or an antivirus able to detect the exploit may prevent infection.

FACT: You do not know all of the sites that are infected. The websites are bugged unknowingly by a hacker. Not even the web admin may know about the problem (otherwise it would probably be fixed...). So us individuals DEFINITELY don't know if a site has been compromised or not. Don't assume you do.
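
An added example, not part of the original thread: the ISC diary quoted earlier says the compromised servers were reconfigured to append a script to every file served, so a site admin can compare what the server actually sends with the file that was deployed. The page content, the footer and the function names below are constructed; the check assumes static files and an uncompressed response body.

```python
import hashlib


def trailing_after_html(body: bytes) -> bytes:
    """Return non-whitespace bytes that follow the first </html>, or b''."""
    idx = body.lower().find(b"</html>")
    if idx == -1:
        return b""
    return body[idx + len(b"</html>"):].strip()


def compare_served(on_disk: bytes, served: bytes) -> dict:
    """Classify a served response against the file the admin deployed."""
    if served == on_disk:
        verdict, extra = "match", b""
    elif served.startswith(on_disk):
        # Same file plus extra bytes at the end: a server-side footer.
        verdict, extra = "appended", served[len(on_disk):]
    else:
        verdict, extra = "modified", b""
    return {
        "verdict": verdict,
        "appended": extra,
        "after_html": trailing_after_html(served),
        "disk_sha256": hashlib.sha256(on_disk).hexdigest(),
        "served_sha256": hashlib.sha256(served).hexdigest(),
    }


# Constructed sample data: the deployed page and three possible responses.
PAGE = b"<html><body><h1>Welcome</h1></body></html>\n"
FOOTER = b"<script>/* constructed placeholder for an injected footer */</script>"
SAMPLES = {
    "clean": PAGE,
    "footer": PAGE + FOOTER,
    "rewritten": PAGE.replace(b"Welcome", b"Changed"),
}


def scan(samples=SAMPLES, on_disk=PAGE) -> dict:
    return {name: compare_served(on_disk, body)["verdict"]
            for name, body in samples.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        result = compare_served(PAGE, body)
        print(name, result["verdict"], result["after_html"][:40])
```

In practice `served` would be the body fetched from the live URL; the file on disk can be untouched while the response is not, which is why a file-integrity check alone would miss this.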
 