CERT recommends anything but IE (Internet Explorer)

The Register ^ | June 28, 2004 | John Oates

[D-fendr]

US CERT (the US Computer Emergency Readiness Team), is advising people to ditch Internet Explorer and use a different browser after the latest security vulnerability in the software was exposed.

A statement on the CERT site said: "There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites." CERT otherwise recommends users to set security settings to high and disable JavaScript

Malicious code, dubbed variously as "Scob" or "Download.Ject", originally posted last week on a Russian website, could be downloaded secretly onto websites using Microsoft's Internet Information Server 5.0. The code could then be used to log keystrokes made by visitors to the site - so long as they used Internet Explorer as their browser. Information, including passwords, was then to be emailed to the criminals behind the atack.

Microsoft said (http://www.microsoft.com/presspass/press/2004/jun04/0625download-jectstatement.asp) that it was unaware of widespread consumer impact and noted that the Russian site had been taken offline. It said some enterprise users of Windows 2000 Server, specifically users running IIS 5.0, were being targeted by "Download.Ject". According to MS, this is not a trojan or worm but "a targeted manual attack by individuals or entities towards a specific server". It said users should use a firewall, ensure they have the latest software updates and use anti-virus software.

Bill Gates, Microsoft chairman, called on users to switch on auto-update so that patches would spread faster. Speaking to Reuters in Australia at the weekend, he vowed to "guarantee that the average time to fix will come down. The thing we have to do is not only get these patches done very quickly...we also have to convince people to turn on auto-update."

[Bush2000]

What totally misleading FUD. CERT did NOT recommend ditching IE. What they said was: "It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites." CERT went on to recommend setting security settings to high and disabling JavaScript for untrusted sites. Anyone with even half a brain cell can tell the difference. Keep trying, though. You amuse me.

[Jalapeno]

might be of interest

[D-fendr]

I think you're both spinning.

Fact is first the Russian Mob, and now some Eustonian outfit is stealing bank accounts using a method that only works on users of Windows Internet Explorer.

You do the math.

[sharktrager]

And if Mozilla were the browser used by the majority of Americans, hackers would be exposing holes in it. Why would they waste time and money on browsers that don't have near as many potential targets?

No browser will ever be foolproof. I do not believe we can assume the other browsers will be safer if we all switch. I wouldn't assume any system to be foolproof if it has enough users to make attacking it worthwhile.

[D-fendr]

And if Mozilla were the browser used by the majority of Americans, hackers would be exposing holes in it.

First point: The vulnerability is a combination exploit of Windows and IE (and IIS).

Second point: You gonna tell grandma to not go to a safer neighborhood today 'cause if everybody did that the muggers would follow tomorrow?

[sharktrager]

Nope...but what you have actually told her to move. You told her to change the locks and assume that will change things.

The Internet has risks. Having data on a computer connected to the Internet has risks. And if everyone quit using IE those risks wouldn't go away.

[D-fendr]

No, I told her to take a different route to the bank, until it's safer. Why wouldn't you? Cause there's still other risks?

The Internet has risks.

And part of my job is protecting folks from those risks. That's why we have virus scanning, firewalls, etc. And why it's prudent to recommend using another browser now if you can.

I don't think you're saying since the internet has risks, don't use virus protection, 'cause if everybody did the virus writers would write viruses that can disable them (they do).

[JoJo Gunn]

Related thread:

http://www.freerepublic.com/focus/f-news/1163102/posts

[Bush2000]

I think you're both spinning. Fact is first the Russian Mob, and now some Eustonian outfit is stealing bank accounts using a method that only works on users of Windows Internet Explorer. You do the math.

Fine. So please explain to me how the Russian mob is going to exploit my box. Answer: You're spewing BS. the Russian mob has no way of forcing me (or 99.999% of people) to run their script/code. So, thanks for the useless FUD.

[TechJunkYard]

Dude, you know as well as I do that idiots are lured to dishonest web sites all of the time. They get an e-mail supposedly from their bank with a URL, they go to the URL, they type in their credit card number, etc...

If it wasn't a problem, there wouldn't be a CERT warning about it.

[Bush2000]

Dude, you know as well as I do that idiots are lured to dishonest web sites all of the time. They get an e-mail supposedly from their bank with a URL, they go to the URL, they type in their credit card number, etc... If it wasn't a problem, there wouldn't be a CERT warning about it

Okay, so how many "idiots"? 1? 2? 10? How is this a problem for the "vast majority of users?"

[TechJunkYard]

.. if everyone quit using IE those risks wouldn't go away.

You have an exploit against IE that doesn't affect other browsers. If you don't use IE, your risk of being hit by that exploit is reduced.

Understand now?

[TechJunkYard]

How is this a problem for the "vast majority of users?"

Where did you get that phrase? It's not in the article.

Do you seriously think that that Russian web site was the only one in the world using that exploit?

[D-fendr]

Are you really unaware of the Friday/Saturday event? It was a combination of IIS, Windows & Explorer exploits.

There's conflicting info on whether patched IIS boxes can be exploited; the method used is unknown at this time.

Here's Symantec on the Explorer part:

Microsoft Internet Explorer Modal Dialog Zone Bypass Vulnerability

http://www.securityfocus.com/bid/10473 Microsoft Internet Explorer is prone to a vulnerability that may permit cross-zone access, allowing an attacker to execute malicious script code in the context of the Local Zone. It is possible to exploit this issue by passing a dynamically created IFrame to a modal dialog. Specifically, a malicious Web page may pass a window object that refers to a dynamically created IFrame as an argument to the showModalDialog method.

This vulnerability could be exploited in combination with a number of other security issues, such as the weakness described in BID 10472.

The end result of successful exploitation is execution of arbitrary code in the context of the client user. It may also be possible to exploit this vulnerability to access properties of a foreign domain, allowing for other types of attacks that compromise sensitive or private information associated with a domain of the attacker's choosing.

[D-fendr]

lured to dishonest web sites

In this one the bad guys are compromising honest websites running on IIS.

The bug appears to be unrelated to an Internet attack on Friday in which users could pick up malicious, keystroke-logging software merely by visiting infected Web sites. That attack also targeted users of financial services sites.

"I believe that this particular type of malware represents a huge threat to the online financial industry," wrote Tom Liston, a computer security expert who analyzed the latest exploit in a report released yesterday by the Internet Storm Center.

Where banks and online commerce sites use encrypted connections between a user's computer and the company's computer, this new strain of software records a user's keystrokes from outside the encrypted connection on a user's computer. In other words, users who make sure to look for the padlock on the bottom-right corner of Internet Explorer when they make transactions could still be vulnerable to theft if their computer is infected with this program.

[D-fendr]

CERT sum up the Explorer part this way:

Microsoft Internet Explorer does not properly validate source of redirected frame

Overview:
Microsoft Internet Explorer (IE) does not adequately validate the security context of a frame that has been redirected by a web server. An attacker could exploit this vulnerability to evaluate script in different security domains. By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.

[Bush2000]

Where did you get that phrase? It's not in the article. Do you seriously think that that Russian web site was the only one in the world using that exploit?

Fine. How many servers? 1? 5? 10? So far, all you've provided is hyperbole.

[Bush2000]

Are you really unaware of the Friday/Saturday event? It was a combination of IIS, Windows & Explorer exploits. There's conflicting info on whether patched IIS boxes can be exploited; the method used is unknown at this time.

Again, as I asked TJY, how many servers does this affect?

[TechJunkYard]

Aha. I was out-of-pocket until yesterday, visiting relatives with no Internet access, so this is the first I've heard of that.

I do know that MS has had several problems in the past with cross-zone exploits in IE.

Such a robust design! /sarcasm