Author Topic: IE RULEZ  (Read 1723 times)

Kintaro

  • Member
  • **
  • Posts: 6,545
  • Kudos: 255
  • I want to get the band back together!
    • JohnTate.org
IE RULEZ
« on: 8 September 2002, 14:04 »
Yes, you were thinking someone was using X11's name; well, X11 was... read on why IE Rules:
 
quote:
http://online.securityfocus.com/news/606
Bug Triad Whacks Microsoft Browser

Researchers discover that three "low risk" bugs can combine to send a Windows system up in flames.
By Brian McWilliams, Sep 4 2002 9:25AM
To prove that no security bug is truly harmless, a security group has stitched together two minor flaws in Microsoft's Internet Explorer 6.0 browser with a small glitch in Windows Media Player to create one seriously powerful attack.

By coaxing IE users to view a Web page containing the special code, an attacker can silently force Windows 98, Windows 2000, or Windows XP users to run a malicious program of the attacker's choice.

The security group, Malware.com, has created a harmless demonstration of the flaw which downloads and runs an executable program that fills the victim's computer screen with flames.

A Malware.com member who uses the nickname "Http-equiv" says he named the vulnerability "Stench" to dramatize why it's dangerous for Microsoft to downplay and delay patching security bugs that it considers minor.

"Their patching tiny pinprick holes and not the overall problems, their mitigating factors, their ignoring small demonstrated flaws, all add up into a monster problem, which basically stinks," said Http-equiv in an e-mail interview Tuesday.

Internet Explorer currently contains at least 18 security bugs, many of them low-risk annoyances. Because it allows an attacker to run code on a victim's machine, Stench is the most serious security issue currently facing IE, according to Thor Larholm, a researcher with Pivx Solutions who tracks IE vulnerabilities.

Larholm said the information provided in the Malware.com advisory could easily be used to create a harmful exploit.

"Follow the steps and you're done. I could let my 12-year-old cousin do this," said Larholm, who added that because all three bugs have been known to Microsoft for many months, Malware.com's release of the information was "by the book" and does not constitute what Microsoft calls "irresponsible disclosure."

A Microsoft representative said the company was currently studying the report and would take appropriate action.

Company Patchwork Faulted
According to Http-equiv, the exploit depends in part on a known quirk in how Microsoft's media player handles self-extracting Windows Media Download (WMD) files.

"If we can place our 'goodies' inside the .wmd file and have the player unpack it, we now have arbitrary code on the target computer," said Http-equiv.



Using a year-old IE bug known as the "codebase local path" vulnerability -- a bug that was only partially fixed by Microsoft last March -- the Stench exploit is able to unpack and execute the malicious code without triggering IE's security settings, he said.

According to Larholm, a major update to Internet Explorer known as IE6 Service Pack One could include fixes for numerous bugs, including those exploited by Stench. Microsoft quietly released SP1 to its download servers in late August but removed the upgrade shortly afterwards without explanation.

On August 22, Microsoft issued a cumulative patch for IE that addressed several severe bugs but did not include complete fixes for the codebase localpath and numerous other vulnerabilities, Larholm said.

Malware.com's Stench advisory, posted to security mailing lists on August 21, concluded with the following statement: "Instead of sitting around trying to think up ways that all these things cannot work, simply fix it the first time round. There is no such thing as 'mitigating factors' and 'hurdles'. This is a lie. Pure fantasy. Fiction. Fix it when you can! For every way you think it cannot be done, there are 10 ways it actually can!"
That's Microsoft for you!

Refalm

  • Administrator
  • Member
  • ***
  • Posts: 5,183
  • Kudos: 704
  • Sjembek!
    • RADIOKNOP
IE RULEZ
« Reply #1 on: 8 September 2002, 17:25 »
:eek:  HTML Source code wanna have!!!  :eek:

We could let all the mindless Microsoft drones attack WeHaveTheWayOut.com, without Unisys (Imagine it. Assimilated.) knowing who done it, and sue the drones instead  

rtgwbmsr

  • VIP
  • Member
  • ***
  • Posts: 1,257
  • Kudos: 0
    • http://www.akgames.net
IE RULEZ
« Reply #2 on: 9 September 2002, 00:25 »
Damnit...I wanted wehavethewayin.com so I could make a site that rebuts all of M$'s arguments...not like M$ made any real arguments on their site. But it

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
IE RULEZ
« Reply #3 on: 9 September 2002, 02:00 »
Someone please remove this account. Thanks...

Master of Reality

  • VIP
  • Member
  • ***
  • Posts: 4,249
  • Kudos: 177
    • http://www.bobhub.tk
IE RULEZ
« Reply #4 on: 9 September 2002, 02:46 »
Disorder | Rating
Paranoid: Moderate
Schizoid: Moderate
Linux User #283518
'It takes more than a self-inflicted gunshot wound to the head to stop Bob'

Kintaro

  • Member
  • **
  • Posts: 6,545
  • Kudos: 255
  • I want to get the band back together!
    • JohnTate.org
IE RULEZ
« Reply #5 on: 9 September 2002, 16:03 »
Always rely on reflex

ravensoft

  • Newbie
  • *
  • Posts: 3
  • Kudos: 0
IE RULEZ
« Reply #6 on: 10 September 2002, 01:43 »
Microsoft's Internet Explorer is a fucking crappy piece of shit which is only that popular because of Microsoft putting such an effort in promoting and bundling it into its OS.
IE is very buggy and full of security lacks. I personally recommend Netscape or Mozilla, but please(!), don't use this filthy Microsoft browser anymore, nor their mail client! :)

http://www.netscape.com/
http://www.mozilla.org/

choasforages

  • VIP
  • Member
  • ***
  • Posts: 1,729
  • Kudos: 7
    • http://it died
IE RULEZ
« Reply #7 on: 10 September 2002, 02:04 »
exactly, read content before you post a flame, we were actually in the process of dissing exploring, and that we like the security holes in it, 'cause we are not affected by them/*and you forgot konqueror
x86: a hack on a hack of a hackway
alpha, hewlett packed it A-way
ppc: the fruity way
mips: the graphical way
sparc: the sunny way
4:20.....forget the DMCA for a while!!!

choasforages

  • VIP
  • Member
  • ***
  • Posts: 1,729
  • Kudos: 7
    • http://it died
IE RULEZ
« Reply #8 on: 10 September 2002, 02:04 »
and welcome to the boards
x86: a hack on a hack of a hackway
alpha, hewlett packed it A-way
ppc: the fruity way
mips: the graphical way
sparc: the sunny way
4:20.....forget the DMCA for a while!!!

LoLoL

  • Newbie
  • *
  • Posts: 17
  • Kudos: 0
IE RULEZ
« Reply #9 on: 14 September 2002, 08:20 »
quote:
Originally posted by ravensoft:
Microsoft's Internet Explorer is a fucking crappy piece of shit which is only that popular because of Microsoft putting such an effort in promoting and bundling it into its OS.
IE is very buggy and full of security lacks. I personally recommend Netscape or Mozilla, but please(!), don't use this filthy Microsoft browser anymore, nor their mail client! :)

http://www.netscape.com/
http://www.mozilla.org/




Raven, IE 5.5 has been a lot more stable than the new (prolly old) NetScape 6.2 for me... Would you like a penguin fritter?
Killing penguins while they exist...