82 Comments
- tempusrob, on 10/12/2007, -0/+5 Cue arguments about market share in 3 ... 2 ... 1 ...
- nymphetamine, on 10/12/2007, -1/+4 wait....whats this "internet explorer" i keep hearing about? lol.
- Jorg, on 10/12/2007, -0/+3 Come on folks RTFA, what is this slashdot?
All they can do is cause an EXISTING program to launch. They cannot control that program in any way! They cannot even pass it any start-up options!
1. It can launch an EXE that is already on your system. (They cannot use it to put malicious code on your system.)
2. It (at this time) cannot pass any parameters to that exe. (Makes it nearly impossible to actually do anything malicious.)
3. If you have SP2 and your security settings set to the default you will get a warning.
Yes it is a risk, no it is not a big deal. They can do a lot more damage just by asking people *download this cool game!!!!!* which people do all the time.
The title is complete BS, this cannot be used to take control of your PC.
Jorgie
- burke, on 10/12/2007, -0/+2 The problem with not working as admin on a win box is that (AFAIK) there is no simple way to switch to admin momentarily (other than suspending your session), whereas in Linux, you can 'sudo'. 90% of the things you need elevated privileges for anyway are from the CLI. gksu even lets you run a windowed program as root. On Windows the only way I know is to hit +L to switch users, more or less logging you out.
Case in Point, Even though most windows users don't care/realize the danger in using admin, many more, myself included, are simply too lazy to log out every 5 minutes.
- ToadPedestal, on 10/12/2007, -0/+2 First: javascript will not allow you to take control of a PC, no matter how nonrestrictive an implementation. The only way to control a PC with javascript is to use javascript that breaks the browser and puts malicious code into memory. That would be due to poor coding.
Second: running as a non-admin isn't the solution. It just provides more layers. If someone compromises your user account in any operating system, they essentially have access to anything that user does, including any passwords you might use to log in to your bank, or Quicken data, or your porn collection, or your other generally private things. Presumably with a windows machine you're running everything as the same user, anyway, so the only difference between admin access and non-admin is that they can control at a lower level.
Last: Firefox is not immune. The people responsible for Firefox are shaking in their boots about a grand-scale Firefox exploit like this, though. It would kill their market share and their name would be soiled. They cannot afford it. Microsoft and IE, on the other hand, already have a reputation for being insecure. Nobody seems to care, though. It's like saying the operating system on your DVD player has a security flaw, but you can still watch your DVDs. They go, "oh, that's too bad," and never give it a second thought. They don't see any alternatives, I guess, save buying a Mac.
- jasqwerty, on 10/12/2007, -0/+2 Working as root on your unix box = bad idea
Working as admin on your win box = bad idea
One day that'll sink in and these exploits will be worthless.
- CatcherInTheWhy, on 10/12/2007, -0/+1 two things:
1) People with XP Pro should run as Power-Users. You can't do this from the "Users" Control Panel but you can access it from the Computer Management program (Start... All Programs... Administrative Tools). I run as a Power User and I have to do a lot less switching back and forth, although it is still necessary sometimes. "Limited" accounts are for children, etc. Run as a Power User.
2) The reason why Microsoft doesn't issue some patches is that when they release a patch, it gets reverse-engineered and then the exploit is made widely known. By only releasing the patches when things become a problem, they keep the problem from exploding too soon.
-my $.02
- rizzo, on 10/12/2007, -1/+2 IE has too much market share, Everyone switch to firefox
- Prod_Deity, on 10/12/2007, -1/+2 Once again, I'm glad I use Linux & Mac OS X.
- ursabear, on 10/12/2007, -0/+1 I had not dugg this yet... glad it came to the front page...
- cool4u2view, on 10/12/2007, -0/+1 Exploit not working for me/on me/to me
- ichthus, on 10/12/2007, -0/+1 Am I missing something?
I copied the proof of concept code, saved it as ie_exploit.htm, and opened it in IE. IE gave me a warning bar, and I enabled the active content. Then... nothing. I clicked the WinXP link and then... nada.
I normally use Firefox, but I wanted to see this exploit in action. But, no worky.
IE Version: 6.0.2900.2180.xpsp_sp2_rtm...
- Portfolioso, on 10/12/2007, -0/+1 That proof of concept crashes Firefox on me
- J_Omega, on 10/12/2007, -2/+3 @ mr804 : "Yeah firefox never had a patch."
The thing is that FireFox is pretty open about what bugs it contains, alerts the community, and then tries to fix the flaws IMMEDIATELY.
What we see here is MS knowing _FOR_MONTHS_ about this exploit that lets a malicious web-page take over an entire PC, but they deemed it low-priority until it was made aware to the public at large.
See the difference? If not, read it again. If not still, stop posting. Anywhere.
- Pizpump, on 10/12/2007, -0/+1 "Has anyone tried this exploit with the calc.exe from FrSirt that was referenced in the article?"
Tried loading & reloading the page and nothing happened. Checked my apps & processes in the task manager and it's not there.
- jackspack, on 10/12/2007, -2/+3 how about before you youngins go spouting off about things you have no clue about, go read a site like this http://www.us-cert.gov/cas/bulletins/SB05-313.html
check out the archives. you may be surprised to see firefox has just as many holes as IE.
It is all about who gets the bad press.
- alexandreracine, on 10/12/2007, -0/+1 [quote]"how about before you youngins go spouting off about things you have no clue about, go read a site like this [site] check out the archives. you may be surprised to see firefox has just as many holes as IE. It is all about who gets the bad press."[/quote]
Nope, I prefer these two...
http://secunia.com/product/4227/ (firefox1) Less critical
http://secunia.com/product/11/ (IE6) Extremely critical
- oepapel, on 10/12/2007, -0/+0 "As an Administrator, run "gpedit.msc" Open Computer Configuration > Windows Settings > Local Policies > User Rights Assignment. Open the item "Change system time" and add your wife's user account, or the group Users. If you add the Users group, make sure to click on "Object Types" in the Add User/Group dialog, and check "Groups." "
But as a Limited User, I don't want her to change the system time. For that matter, I don't want to change the system time either. The system updates itself with a time server. Just on that alone, the Apply button should be disabled. I DO want her to be able to LOOK at the calendar though. And there is no solution for just VIEWING the calendar. I mean, if I was just going to start adding extra permissions to her account, I might as well make her an administrator and be done.
My point is that this is an example of how NO ONE at Microsoft takes LUA accounts seriously and I doubt a single user at microsoft ran as a LUA while developing XP. This is just one example of how microsoft gives security only a passing thought and their claims to the contrary are merely lip service.
And before someone comes on here and tells me that vista will be different, just remember that the security model in NT hasn't significantly changed since the first release. ACL's were there from the very beginning and better security has ALWAYS been held up as a new feature with every new release of the codebase. Vista's security model will not differ significantly either.
Fool me once, Microsoft...
- zdiggler, on 10/12/2007, -0/+0 I run Admin on my XP box. I have never used a Virus software. I don't have any firewall software installed or enabled on my computer. My wireless router is set to default other than password. I use Firefox and Thunderbird for internet stuff. I have 2 kids and their friends go on and visit a variety of websites and I have never got a worm, or got my pc taken over. Nothing hijacked my homepage for search page. Only thing that got around to my box was stupid ViewPoint thingy!
And my box is on 24 7 and I don't even have admin password set on there! :) !!!
PS. Only protection I have is WinPatrol to monitor my services/processes and startup entries.
- Jorg, on 10/12/2007, -0/+0 crap.. why did it eat my backslashes?
- Bigbro69, on 10/12/2007, -0/+0 Was going to digg, but it just crashed firefox, and partially crashed IE, no calc.exe launched at all....
- inactive, on 10/12/2007, -0/+0 Here you can test an exploit on IE: http://www.computerterrorism.com/research/ie/poc.htm
--
http://tvilda.stilius.net
- 8ight, on 10/12/2007, -0/+0 glad i have opera... ***** submitter tool.
- inactive, on 10/12/2007, -1/+1 jorg: Okay, so I can run deltree /y c: on my visitors' computers, but it's no biggie because I can't execute my own code, am I right?
- ScratchMonkey, on 10/12/2007, -0/+0 The problem isn't the model, but the way the developers use it. If you do all your development with an Administrator account, you never see how it breaks when run as a regular user. Games are particularly bad. The latest Battlefield 2 will almost run (and even stores per-user settings in their profiles), but the Punk Buster cheat protection system insists on Administrator access.
- inactive, on 10/12/2007, -0/+0 "whereas in Linux, you can 'sudo'. 90% of the things you need elevated privileges for anyway are from the CLI. gksu even lets you run a windowed program as root."
which simply means the user has to know what he's doing.
- nailz420, on 10/12/2007, -0/+0 I use IE7 beta1. Tried the example exploit - it didn't do anything. Only the warning yellow bar came up, but calc.exe wasn't launched.
- jdmce2002, on 10/12/2007, -0/+0 I wonder if, running from administrator account in Windows, you get protection by starting up windows with shift+rightclick -> 'run as', and running IE under a lesser account? Anyone know?
- CheapDigWannbe, on 10/12/2007, -0/+0 right click + open IE tab = fun watching your cursor move
- jackspack, on 10/12/2007, -1/+1 burke - it is called "runas" in windows.
- spectre_25gt, on 10/12/2007, -0/+0 Hell, the average developer apparently doesn't understand it. There are a large amount of applications that don't run properly under a restricted user.
- orabox, on 10/12/2007, -0/+0 I tried it on an offline Windows box with IE 6.02 sp2 and it did not launch calc.exe
- crazaalex, on 10/12/2007, -0/+0 wait where is the site?
I need the link.
- mancat, on 10/12/2007, -0/+0 "Yah the Windows equivalent of sudo is runas, but, does anyone know if XP was the first version to have this or have I just never noticed it in NT 4 & 5?"
RunAs appeared in Win2k.
- antiTRACE, on 10/12/2007, -1/+1 This is why I don't use iTUNES nor do I use Quicktime! -Oh whoops, wrong day (that was yesterday those two had serious problems and were finally patched).
- mancat, on 10/12/2007, -0/+0 "Using a limited account doesn't make you magically safe. It just means that machine you can ghost over in 90 seconds with a perfectly good incarnation of all the tools you need is compromised should something happen."
What are you talking about? Maybe if you explained it more clearly, I could understand you, but this is complete gibberish.
- Googled, on 10/12/2007, -0/+0 "Am I missing something?
I copied the proof of concept code, saved it as ie_exploit.htm, and opened it in IE. IE gave me a warning bar, and I enabled the active content. Then... nothing. I clicked the WinXP link and then... nada."
You don't save the whole code in one htm doc. Look carefully at the code it is split up like so:
---------------------
bug2k.htm
HTML HERE
so copy the separate into a new htm doc
- ToadPedestal, on 10/12/2007, -0/+0 Woah. That's a lame excuse. Don't release the patch because the patch will get reverse engineered?
Well, by that time the patch will already be distributed.
On the other hand, if you don't release the patch until the exploit is wild, then you have a greater overlap of time where people are unpatched and the exploit is active.
Besides that, this thing has been known since 2005-05-31. http://secunia.com/advisories/15546/
Touch two when you don't _have_ the patch ready to launch when the exploit does go wild, then you weren't really holding back to prevent reverse engineering, were you?
- karamba_kid, on 10/12/2007, -0/+0 Yes everyone should "consider switching to Firefox of Opera".
On my windows install I hardly ever log in as Admin, and I disabled all that active scripting and active x stuff in IE and I think I even disabled java in IE. (I use firefox of course) but these days I'm mostly always using Linux and OS X.
- sw96, on 10/12/2007, -0/+0 That's right, everyone who looked at the article "Zero Hour Xbox 360 Launch Construction Images" has been infected!!
- shiftless, on 10/12/2007, -0/+0 I have no idea how so many people manage to get their computers infected with viruses, Trojan horses, worms, etc. under Windows. I don't even run Norton and have never had a problem.
Spyware was once a slight problem, but then Firefox came around and ended that pretty fast and most programs stopped installing it once people started getting wise to it.
You only have to be a little cautious and not open every file out there.
- Jorg, on 10/12/2007, -0/+0 Shii: No. That is the point I was making. They said they can run a program, but they cannot pass it any parameters...
This would be a problem:
c:windowsdeltree.exe /y c:
But as it stands, the bug only lets you do this:
c:windowsdeltree.exe
Which is NOT a problem.
BTW deltree does not come with XP. It was replaced by "rd /s" but since it is currently not possible to pass parameters to the exe you can run, the "/s" or any other option is not possible. So for now it is benign.
Jorgie
- mancat, on 10/12/2007, -0/+0 I just tried the proof of concept code. None of it seems to do anything at all using IE under XP as a limited user.
- diggnationdevon, on 10/12/2007, -0/+0 This is why we need Vista with the full version of IE.
- oepapel, on 10/12/2007, -0/+0 "Why is it so hard for the Windows idiots to run from a limited account?? Need root access? Just right click an executable, and go to "Run As." I run as a limited account, and I've never had a problem. "
I put my wife on a Limited User account and I showed her the "Run As.." trick. The problem is that she is used to pulling up a calendar by clicking on the time in the taskbar. Windows tells her every time that she has insufficient privileges to modify the date and time. She doesn't want to modify it, she just wants to look at it. So now she has a paper calendar next to the monitor. Thanks Microsoft. Only admins need to see a calendar. How about just disabling the "Apply" button?
Launching programs using RunAs works fine. Once the program is running (like, say, the XP shell) there is no way to bump up your privileges to work around idiotic decisions like this one. Vista better fix the LUA experience.
- karamba_kid, on 10/12/2007, -0/+0 This exploit is also supposed to create a ddos in Mozilla Firefox. http://www.securityfocus.net/archive/1/417323/30/0/threaded
- NekoFever, on 10/12/2007, -0/+0 "Working as root on your unix box = bad idea
Working as admin on your win box = bad idea
One day that'll sink in and these exploits will be worthless."
Key difference: when you're not logged into your root account on a UNIX box you can still do everything and it will simply ask for your root password if you need to do something above your account's user level. When you're not on a Windows admin account many programs (including high profile games) won't even run.
- Tsuroerusu, on 10/12/2007, -0/+0 "Working as root on your unix box = bad idea
Working as admin on your win box = bad idea
One day that'll sink in and these exploits will be worthless."
EXACTLY!! That's why Linspire don't understand UNIX security!
Boy I'm glad I run FreeBSD with a 16 character weird-ass root password and a normal user with an equally strong password ;)
- mancat, on 10/12/2007, -0/+0 "I put my wife on a Limited User account and I showed her the "Run As.." trick. The problem is that she is used to pulling up a calendar by clicking on the time in the taskbar. Windows tells her every time that she has insufficient privileges to modify the date and time."
As an Administrator, run "gpedit.msc" Open Computer Configuration > Windows Settings > Local Policies > User Rights Assignment. Open the item "Change system time" and add your wife's user account, or the group Users. If you add the Users group, make sure to click on "Object Types" in the Add User/Group dialog, and check "Groups."
Yes, I thought this was a dumb setting too when I first discovered it. At least let the user view the calendar.
- boazg, on 10/12/2007, -0/+0 it contains shellcode. as far as i can tell, given the correct shellcode it can do anything. this version only runs a program without parameters. try different shellcode and see what happens.