Page 1 of 2 12 LastLast
Results 1 to 16 of 23

Thread: 'Extremely cricital' vulnerability troubles Internet Explorer

  1. #1
    HEXUS webmaster Steve's Avatar
    Join Date
    Nov 2003
    Posts
    14,277
    Thanks
    292
    Thanked
    837 times in 473 posts

    'Extremely cricital' vulnerability troubles Internet Explorer

    A Secunia advisory was posted last week about a vulnerability in IE's handling of the 'window();' function in the 'body onload' event. There are now reports that a Trojan is circulating which exploits this vulnerability. Currently, fully patched systems are still at risk.
    The vulnerability puts computers running Windows 98, Windows Millennium Edition, Windows 2000 and Windows XP at risk. An attacker could gain complete control of vulnerable systems by hosting malicious code on a Web site. Once an IE user visits the site, the malicious program would run without any user interaction.
    [ZDNet]
    PHP Code:
    $s = new signature();
    $s->sarcasm()->intellect()->font('Courier New')->display(); 

  2. #2
    Senior Member
    Join Date
    Aug 2004
    Location
    W Yorkshire
    Posts
    5,691
    Thanks
    85
    Thanked
    15 times in 13 posts
    • XA04's system
      • Motherboard:
      • MSI X570-A Pro
      • CPU:
      • AMD Ryzen 5 3600
      • Memory:
      • Corsair 2x 8gb DDR 4 3200
      • Storage:
      • 1TB Serpent M.2 SSD & 4TB HDD
      • Graphics card(s):
      • Palit RTX 2060
      • PSU:
      • Antec Truepower 650W
      • Case:
      • Fractcal Meshify C
      • Operating System:
      • Windows 10
      • Monitor(s):
      • iiyama 34" Curved UWQHD
      • Internet:
      • Virgin 100mb Fibre
    God, not another vulnerability..

    Only me and a few other people at my school know how to download things without it been blocked = us using Firefox, but still. Isn't like 90% of the people on the net still using IE?.

  3. #3
    Comfortably Numb directhex's Avatar
    Join Date
    Jul 2003
    Location
    /dev/urandom
    Posts
    17,074
    Thanks
    228
    Thanked
    1,027 times in 678 posts
    • directhex's system
      • Motherboard:
      • Asus ROG Strix B550-I Gaming
      • CPU:
      • Ryzen 5900x
      • Memory:
      • 64GB G.Skill Trident Z RGB
      • Storage:
      • 2TB Seagate Firecuda 520
      • Graphics card(s):
      • EVGA GeForce RTX 3080 XC3 Ultra
      • PSU:
      • EVGA SuperNOVA 850W G3
      • Case:
      • NZXT H210i
      • Operating System:
      • Ubuntu 20.04, Windows 10
      • Monitor(s):
      • LG 34GN850
      • Internet:
      • FIOS
    vulnerabilities? LIES!

    THERE ARE NO VULNS IN MICROSOFT SOFTWARE LALALALALALALALALA

    is it worth pointing out this hole has been known about (by MS) for about 6 months, it's only recently that someone pointed out it was retty serious rather than a minor issue

  4. #4
    mutantbass head Lee H's Avatar
    Join Date
    Dec 2003
    Location
    M28, Manchester
    Posts
    14,204
    Thanks
    337
    Thanked
    671 times in 580 posts
    • Lee H's system
      • Motherboard:
      • MSI Z370 Carbon Gaming
      • CPU:
      • Intel i7 8700K Unlocked CPU
      • Memory:
      • 16 GB Corsair Vengeance 3200 LPX
      • Storage:
      • 250GB 960 EVO + a few more drives
      • Graphics card(s):
      • 6GB Palit GTX 1060 Dual
      • PSU:
      • Antec Truepower 750W Modular Blue
      • Case:
      • Corsair 600T White Edition
      • Operating System:
      • Windows 10 PRO
      • Monitor(s):
      • 27" Asus MX279H & 24" Acer 3D GD245HQ + the 3D glasses
      • Internet:
      • Virgin Media
    Quote Originally Posted by XA04
    .. using Firefox, but still. Isn't like 90% of the people on the net still using IE?.


    Oh how I love how people think the answer to all is firefox Sorry to play devils advocate here but this too has had some security issues in the past yet all the FF users stick their head in the sand and deny all knowledge. Yes its a pretty good browser - I use both IE and FF on the majority of my systems I use at work and own at home, but its not the holy grail

    There is always going to be holes in software where errors in the coding occur or even sloppy coding is used, but they then find the fault when stuff like this happens, fix the issue and then the cycle is repeated for another section of the coding.

    Don't forget programmers are human too and mistakes happen, especially if they've been working for say 19 hours straight trying to get the product finished for the launch date.

    As such this tit for tat , this hole, that hole etc is just going to keep going on and on and on and on until the coders are 100% perfecting in coding and/or all the security holes are fixed.

  5. #5
    Comfortably Numb directhex's Avatar
    Join Date
    Jul 2003
    Location
    /dev/urandom
    Posts
    17,074
    Thanks
    228
    Thanked
    1,027 times in 678 posts
    • directhex's system
      • Motherboard:
      • Asus ROG Strix B550-I Gaming
      • CPU:
      • Ryzen 5900x
      • Memory:
      • 64GB G.Skill Trident Z RGB
      • Storage:
      • 2TB Seagate Firecuda 520
      • Graphics card(s):
      • EVGA GeForce RTX 3080 XC3 Ultra
      • PSU:
      • EVGA SuperNOVA 850W G3
      • Case:
      • NZXT H210i
      • Operating System:
      • Ubuntu 20.04, Windows 10
      • Monitor(s):
      • LG 34GN850
      • Internet:
      • FIOS
    Quote Originally Posted by Lee @ SCAN


    Oh how I love how people think the answer to all is firefox Sorry to play devils advocate here but this too has had some security issues in the past yet all the FF users stick their head in the sand and deny all knowledge. Yes its a pretty good browser - I use both IE and FF on the majority of my systems I use at work and own at home, but its not the holy grail

    There is always going to be holes in software where errors in the coding occur or even sloppy coding is used, but they then find the fault when stuff like this happens, fix the issue and then the cycle is repeated for another section of the coding.

    Don't forget programmers are human too and mistakes happen, especially if they've been working for say 19 hours straight trying to get the product finished for the launch date.

    As such this tit for tat , this hole, that hole etc is just going to keep going on and on and on and on until the coders are 100% perfecting in coding and/or all the security holes are fixed.
    firefox holes get fixed. the window(); thing in msie is literally months old

  6. #6
    Splash
    Guest
    Have to say I'll side with Directhex here - Microsoft's policy of late seems to be getting better (ie they will admit when a vuln is found, which is better than the previous "No, there are no infidels, never!" approach) but they still need to work on it. Let's face it - it's unreasonable to expect any software to e 100% bug and vuln free, it's how those issues are dealt with that counts in my eyes.

  7. #7
    Seething Cauldron of Hatred TheAnimus's Avatar
    Join Date
    Aug 2005
    Posts
    17,164
    Thanks
    803
    Thanked
    2,152 times in 1,408 posts
    The problem is the flaw shouldn't be disclosed to the public, there is absolutely no need, until a patch has been put in place. That said MS are really dragging their feat on this one.

    I sound like a broken record, but run your browser as a different user that has priveledges only to save to one folder. Easyest way to be safe.
    throw new ArgumentException (String, String, Exception)

  8. #8
    Raging Bull DeludedGuy's Avatar
    Join Date
    Dec 2003
    Location
    London
    Posts
    2,594
    Thanks
    112
    Thanked
    76 times in 55 posts
    • DeludedGuy's system
      • Motherboard:
      • Gigabyte H87M-HD3
      • CPU:
      • Core i5 4440
      • Memory:
      • 8GB DDR3 1800mhz
      • Storage:
      • 250GB Samsung 840 SSD
      • Graphics card(s):
      • Gigabyte R9 270 OC 2GB
      • PSU:
      • BeQuiet Pure Power L8 600w
      • Case:
      • Silverstone TJ08-E
      • Operating System:
      • Windows 7
      • Monitor(s):
      • 24" Dell U2414H
      • Internet:
      • 75Mb BT Infinity
    Opera BABYYY!!!!

    Having used firefox for 4 months, I was convinced it was the best browser out there.....until I came across Opera.

    Opera beats any browser hands down.

  9. #9
    Comfortably Numb directhex's Avatar
    Join Date
    Jul 2003
    Location
    /dev/urandom
    Posts
    17,074
    Thanks
    228
    Thanked
    1,027 times in 678 posts
    • directhex's system
      • Motherboard:
      • Asus ROG Strix B550-I Gaming
      • CPU:
      • Ryzen 5900x
      • Memory:
      • 64GB G.Skill Trident Z RGB
      • Storage:
      • 2TB Seagate Firecuda 520
      • Graphics card(s):
      • EVGA GeForce RTX 3080 XC3 Ultra
      • PSU:
      • EVGA SuperNOVA 850W G3
      • Case:
      • NZXT H210i
      • Operating System:
      • Ubuntu 20.04, Windows 10
      • Monitor(s):
      • LG 34GN850
      • Internet:
      • FIOS
    Quote Originally Posted by TheAnimus
    The problem is the flaw shouldn't be disclosed to the public, there is absolutely no need, until a patch has been put in place
    remember the sony rootkit fiasco? f-secure had found all the holes and warned sony, about a month before the sysinternals post. had sony even *started* acting by then? had they bollocks.

    full disclosure is the *only* way to ensure people have any knowledge of the potential threats to their systems, and the only way to force vendors to act rather than sweep under the carpet

  10. #10
    mutantbass head Lee H's Avatar
    Join Date
    Dec 2003
    Location
    M28, Manchester
    Posts
    14,204
    Thanks
    337
    Thanked
    671 times in 580 posts
    • Lee H's system
      • Motherboard:
      • MSI Z370 Carbon Gaming
      • CPU:
      • Intel i7 8700K Unlocked CPU
      • Memory:
      • 16 GB Corsair Vengeance 3200 LPX
      • Storage:
      • 250GB 960 EVO + a few more drives
      • Graphics card(s):
      • 6GB Palit GTX 1060 Dual
      • PSU:
      • Antec Truepower 750W Modular Blue
      • Case:
      • Corsair 600T White Edition
      • Operating System:
      • Windows 10 PRO
      • Monitor(s):
      • 27" Asus MX279H & 24" Acer 3D GD245HQ + the 3D glasses
      • Internet:
      • Virgin Media
    Quote Originally Posted by directhex
    firefox holes get fixed. the window(); thing in msie is literally months old
    Cut them some slack fellas ... they're probably testing and looking at the reasons why the xbox360 PSU is overheating and crashing the systems

  11. #11
    Senior Member
    Join Date
    Jul 2003
    Location
    ZA ✈ UK
    Posts
    622
    Thanks
    0
    Thanked
    0 times in 0 posts
    Quote Originally Posted by Splash
    Let's face it - it's unreasonable to expect any software to e 100% bug and vuln free, it's how those issues are dealt with that counts in my eyes.
    Which is not to say that it's impossible to create a program without bugs; it can be done. One well-known example is qmail. http://cr.yp.to/qmail/guarantee.html

  12. #12
    Seething Cauldron of Hatred TheAnimus's Avatar
    Join Date
    Aug 2005
    Posts
    17,164
    Thanks
    803
    Thanked
    2,152 times in 1,408 posts
    Quote Originally Posted by directhex
    remember the sony rootkit fiasco? f-secure had found all the holes and warned sony, about a month before the sysinternals post. had sony even *started* acting by then? had they bollocks.

    full disclosure is the *only* way to ensure people have any knowledge of the potential threats to their systems, and the only way to force vendors to act rather than sweep under the carpet
    No, its not.

    Some companies need a little push, most do not. I bet sony wouldn't do that again?

    MS know about the problems they can inflict on the net you could argue they supply more botnets than anyone else! But they also have people still moaning about SP2 problems with XP. I mean if you can't turn on DCOM, then hang your head in shame, there are too many incompitant admins, who have "if it ain't broke don't fix it" not realising something is broken, as such they can't release buggy patches that break things (see dpkg ).

    Releasing this wouldn't help anyone, MS aren't going to be speeding up development more drastically than the trogen writers. You think virus research labs don't notice nasties that spread using undiscovered bugs? Most virus companies have labs that follow the sun to provide teams of really skilled guys 24/7. They'd notice if someone took advantage.

    I'm trying to think of an example where a nasty was out before a bug was "disclosed". Sure one target might get hit, but now thousands will. Full disclosure just isn't the awnser. Might be needed to get the ball rolling but thats it.
    throw new ArgumentException (String, String, Exception)

  13. #13
    Comfortably Numb directhex's Avatar
    Join Date
    Jul 2003
    Location
    /dev/urandom
    Posts
    17,074
    Thanks
    228
    Thanked
    1,027 times in 678 posts
    • directhex's system
      • Motherboard:
      • Asus ROG Strix B550-I Gaming
      • CPU:
      • Ryzen 5900x
      • Memory:
      • 64GB G.Skill Trident Z RGB
      • Storage:
      • 2TB Seagate Firecuda 520
      • Graphics card(s):
      • EVGA GeForce RTX 3080 XC3 Ultra
      • PSU:
      • EVGA SuperNOVA 850W G3
      • Case:
      • NZXT H210i
      • Operating System:
      • Ubuntu 20.04, Windows 10
      • Monitor(s):
      • LG 34GN850
      • Internet:
      • FIOS
    Quote Originally Posted by TheAnimus
    I bet sony wouldn't do that again?
    i was young and naiive once too

    (see dpkg ).
    eh?

    Releasing this wouldn't help anyone, MS aren't going to be speeding up development more drastically than the trogen writers. You think virus research labs don't notice nasties that spread using undiscovered bugs? Most virus companies have labs that follow the sun to provide teams of really skilled guys 24/7. They'd notice if someone took advantage.

    I'm trying to think of an example where a nasty was out before a bug was "disclosed". Sure one target might get hit, but now thousands will. Full disclosure just isn't the awnser. Might be needed to get the ball rolling but thats it.
    so you'd really feel more secure if every single vulnerability was kept secret from you, the humble admin, until (or if, in this case) the vendor had bothered to release a patch?

  14. #14
    Seething Cauldron of Hatred TheAnimus's Avatar
    Join Date
    Aug 2005
    Posts
    17,164
    Thanks
    803
    Thanked
    2,152 times in 1,408 posts
    I'd feal more secure if nasty's wern't out in the wild before patches. Hence why keeping it secret is better. Release it if need be (the company are ignoring you/not taking it seriously). But not when they are.

    dpkg has coursed me more a horrible experiance, over the years as updates course things to stop working. This is the problem with updates been sent out before extensive testing has been performed.
    throw new ArgumentException (String, String, Exception)

  15. #15
    Comfortably Numb directhex's Avatar
    Join Date
    Jul 2003
    Location
    /dev/urandom
    Posts
    17,074
    Thanks
    228
    Thanked
    1,027 times in 678 posts
    • directhex's system
      • Motherboard:
      • Asus ROG Strix B550-I Gaming
      • CPU:
      • Ryzen 5900x
      • Memory:
      • 64GB G.Skill Trident Z RGB
      • Storage:
      • 2TB Seagate Firecuda 520
      • Graphics card(s):
      • EVGA GeForce RTX 3080 XC3 Ultra
      • PSU:
      • EVGA SuperNOVA 850W G3
      • Case:
      • NZXT H210i
      • Operating System:
      • Ubuntu 20.04, Windows 10
      • Monitor(s):
      • LG 34GN850
      • Internet:
      • FIOS
    Quote Originally Posted by TheAnimus
    dpkg has coursed me more a horrible experiance, over the years as updates course things to stop working. This is the problem with updates been sent out before extensive testing has been performed.
    pinning only to stable & stable/updates ?

  16. #16
    Splash
    Guest
    Quote Originally Posted by eldren
    Which is not to say that it's impossible to create a program without bugs; it can be done. One well-known example is qmail. http://cr.yp.to/qmail/guarantee.html
    qmail is wonderful!

    Of course it's not saying it's impossible - it's just unreasonable to expect any and all software to be perfect.

Page 1 of 2 12 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. New Internet Explorer 7 Logo
    By Xaneden in forum General Discussion
    Replies: 25
    Last Post: 16-08-2005, 03:43 PM
  2. Replies: 2
    Last Post: 09-07-2005, 03:20 PM
  3. Internet Explorer download
    By Dooms in forum Software
    Replies: 4
    Last Post: 17-06-2005, 11:29 AM
  4. Internet Explorer 7 Release Date!
    By Xaneden in forum General Discussion
    Replies: 101
    Last Post: 22-03-2005, 04:30 PM
  5. Internet Explorer just CLOSES....
    By Zak33 in forum Software
    Replies: 11
    Last Post: 23-06-2004, 06:57 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •