Author Topic: Security experts confirm IE as hopelessly bug ridden and insecure  (Read 2948 times)

lazygamer

  • Member
  • **
  • Posts: 1,146
  • Kudos: 0
Ok I'll quote this time.

Internet Explorer insecure

 
quote:
Nine closely-related Internet Explorer flaws leave users open to a variety of powerful attacks, security researchers at Israeli firm GreyMagic Software warned yesterday.

The vulnerabilities revolve around object caching and a combination could enable an attacker to steal private local documents, steal cookies from any site, forge trusted web sites, steal clipboard information or even execute arbitrary programs, GreyMagic reveals .

The issue affects users running IE 5.5 and IE 6. Computers running IE 6 SP1 are vulnerable to a lesser extent, but are still at risk to two of the nine vulnerabilities. Users of AOL Browser, MSN Explorer are also affected. Only those using IE 5.0 SP2 have a
measure of protection from the exploits.

GreyMagic advises users to disable Active Scripting as a workaround pending the release of security fixes from Microsoft. It has published a demonstration showing how an attacker could read a victim's Google cookie using one of the cached objects vulnerabilities it has unearthed.

Microsoft is reportedly angry at GreyMagic's advisory. It says the warning could leave users at greater risk or, at minimum, cause needless concern. This argument is a continuation of Microsoft's row with security researchers over the full disclosure of security vulnerabilities.

GreyMagic published its advisory yesterday, but it reports on its site how it has refined its findings since first noticing a problem at the start of this month. Microsoft hasn't acted to date, and given its tardiness in responding to its concerns in the past, GreyMagic decided to go ahead regardless and alert the wider community of the problems it had unearthed.

All nine vulnerabilities are of the same general class (object caching). However, each of them is a separate vulnerability, which uses a unique method for exploitation, which GreyMagic documents here.

When communicating between windows, security checks ensure that both pages are in the same security zone and on the same domain. The vulnerabilities GreyMagic publicises arise because the security settings in IE wrongly assume that certain methods and objects are only going to be called through their respective window. These assumption enables some cached methods and objects to provide interoperability between otherwise separated documents, creating a mechanism for a variety of exploits.
For every hot Lesbian you see in a porno video, there is a fat, butch-like, or just downright ugly lesbian beeyotch marching in a gay pride parade, or bitching about same sex marriages. -Lazygamer on homosexuality

preacher

  • VIP
  • Member
  • ***
  • Posts: 858
  • Kudos: 107
    • http://kansascity.cjb.net
Security experts confirm IE as hopelessly bug ridden and insecure
« Reply #1 on: 24 October 2002, 11:38 »
I find it humourous that they notified MS of the flaws weeks ago and yet MS makes no patches available and doesnt notify its users they are in danger. Oh well, if any IE users are truly worried about this situation, here is my advice.

http://www.mozilla.org
Kansas City Hustle
http://kansascity.cjb.net

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
Security experts confirm IE as hopelessly bug ridden and insecure
« Reply #2 on: 24 October 2002, 11:58 »
When the hell are they going to get rid of Active Scripting altogether?? It's only purpose is to perpetuate viruses and exploits. Wait, oh yeah, viruses and exploits mean future upgrade sales and royalties from the AV vendors.
Someone please remove this account. Thanks...

lazygamer

  • Member
  • **
  • Posts: 1,146
  • Kudos: 0
Security experts confirm IE as hopelessly bug ridden and insecure
« Reply #3 on: 24 October 2002, 12:09 »
Speaking of browsers VS browsers...

Three sites I've experienced a fucked up phenomonon with Mozilla. When posting messages, there is a | character instead of a blank space. So it would read:

Sites are www.hero6.com www.sflah.com www.newcomer.hu

Is it the webmaster's fault though? Doesn't cause problems in IE. Notice at hero6.com how the first page is garbled up?

These are the annoyances I talk about...
For every hot Lesbian you see in a porno video, there is a fat, butch-like, or just downright ugly lesbian beeyotch marching in a gay pride parade, or bitching about same sex marriages. -Lazygamer on homosexuality

emh

  • Member
  • **
  • Posts: 254
  • Kudos: 0
Security experts confirm IE as hopelessly bug ridden and insecure
« Reply #4 on: 25 October 2002, 03:04 »
All three pages seemed to load just fine for me in Opera, other than a Java applet not loading on the third page.

jtpenrod

  • VIP
  • Member
  • ***
  • Posts: 675
  • Kudos: 105
Security experts confirm IE as hopelessly bug ridden and insecure
« Reply #5 on: 25 October 2002, 04:27 »
quote:
Three sites I've experienced a fucked up phenomonon with Mozilla. When posting messages, there is a | character instead of a blank space.

I tried all three with Mozilla Build 2001092020 in Mandrake 8.1 and they all worked just fine.
_______________________________________
Live Free or Die: Linux

If software can be free, why can't dolphins?
Live Free or Die: Linux
If software can be free, why can't dolphins?

lazygamer

  • Member
  • **
  • Posts: 1,146
  • Kudos: 0
Security experts confirm IE as hopelessly bug ridden and insecure
« Reply #6 on: 25 October 2002, 04:40 »
I have 1.2b. Oh alright, I'll try a beta.
For every hot Lesbian you see in a porno video, there is a fat, butch-like, or just downright ugly lesbian beeyotch marching in a gay pride parade, or bitching about same sex marriages. -Lazygamer on homosexuality

lazygamer

  • Member
  • **
  • Posts: 1,146
  • Kudos: 0
Security experts confirm IE as hopelessly bug ridden and insecure
« Reply #7 on: 25 October 2002, 22:00 »
Hmmm Hero6 site(the part where you select the interface for the mainpage) still loads incorrectly. How do I set up Mozilla to identify as IE? That might solve some problems. However, will some anti-IE sites be able to tell im actually Mozilla though? What about sites with special "Mozilla only" features?
For every hot Lesbian you see in a porno video, there is a fat, butch-like, or just downright ugly lesbian beeyotch marching in a gay pride parade, or bitching about same sex marriages. -Lazygamer on homosexuality

Zombie9920

  • Member
  • **
  • Posts: 1,309
  • Kudos: 33
Security experts confirm IE as hopelessly bug ridden and insecure
« Reply #8 on: 25 October 2002, 22:31 »
You know Lazy-g, I get rendering errors in Mozilla all the time. That, the fact that it doesn't work with any of my Logitech Internet Navigator keyboard's hotkeys(like the browser back/forward, homepage, favorites, search, etc. buttons), my mouses' back/forward buttons(MS Intellimouse Optical) and it can't even display some pages is the reason why I will not ditch IE for Mozilla.

Open Source software is and always will be too buggy for my likings. Using open source software is like beta testing...only Open Source software never will reach gold status(no matter what the software is).

Proof that Lazy-g isn't lying about rendering errors on the above listed pages.

IE(works flawlessly)
http://www.ticz.com/homes/users/waltw/IEerrorless.jpg

Mozilla (rendering errors)
http://www.ticz.com/homes/users/waltw/Mozillaerror.jpg

IE (works flawlessly)
http://www.ticz.com/homes/users/waltw/IEerrorless2.jpg

Mozilla (errors...misaligned text..the yellow letters)
http://www.ticz.com/homes/users/waltw/mozillaerror2.jpg

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
Security experts confirm IE as hopelessly bug ridden and insecure
« Reply #9 on: 25 October 2002, 22:46 »
Could you post the links that you say render incorrectly? I have the site blocked at my proxy server that you are have your images on. Then I could determine why the sites you are having problems with are having problems.

[ October 25, 2002: Message edited by: void main ]

Someone please remove this account. Thanks...

Zombie9920

  • Member
  • **
  • Posts: 1,309
  • Kudos: 33
Security experts confirm IE as hopelessly bug ridden and insecure
« Reply #10 on: 25 October 2002, 22:50 »
quote:
Originally posted by void main:
You you post the links that you say render incorrectly? I have the site blocked at my proxy server that you are have your images on. Then I could determine why the sites you are having problems with are having problems.


Heh, thats your problem. I'm not going to move the images to another server just for you to see them.  ;)

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
Security experts confirm IE as hopelessly bug ridden and insecure
« Reply #11 on: 25 October 2002, 22:52 »
quote:
Originally posted by Zombie9920:


Heh, thats your problem. I'm not going to move the images to another server just for you to see them.   ;)  




I didn't say move the images. I said, post the links to the pages that you used to make the captured images.
Someone please remove this account. Thanks...

xyle_one

  • VIP
  • Member
  • ***
  • Posts: 2,213
  • Kudos: 135
Security experts confirm IE as hopelessly bug ridden and insecure
« Reply #12 on: 25 October 2002, 22:56 »
shitty. could it be the designers fault? i have never had any problems with mozilla (until i visited those sites of course). i would hate to see that it is mozilla, though i still doubt it is the browsers fault.

 
quote:
from sflah.com page source
function MM_reloadPage(init) {  //reloads the window if Nav4 resized
  if (init==true) with (navigator) {if ((appName=="Netscape")&&(parseInt(appVersion)==4)) {
    document.MM_pgW=innerWidth; document.MM_pgH=innerHeight; onresize=MM_reloadPage; }}
  else if (innerWidth!=document.MM_pgW || innerHeight!=document.MM_pgH) location.reload();

what does that mean?? bear with me, i am still learning html...

Zombie9920

  • Member
  • **
  • Posts: 1,309
  • Kudos: 33
Security experts confirm IE as hopelessly bug ridden and insecure
« Reply #13 on: 25 October 2002, 23:06 »
quote:
Originally posted by void main:



I didn't say move the images. I said, post the links to the pages that you used to make the captured images.



Lazy-g already posted the links. The 2 I went to for reference(in my images) were www.hero6.com www.sflah.com .

At hero6 Mozilla only renders half of each image box at the bottom of the page, at sflash Mozilla has text mis-alignment problems.

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
Security experts confirm IE as hopelessly bug ridden and insecure
« Reply #14 on: 25 October 2002, 23:06 »
quote:
Originally posted by xyle_one:
shitty. could it be the designers fault? i have never had any problems with mozilla (until i visited those sites of course). i would hate to see that it is mozilla, though i still doubt it is the browsers fault.

 
what does that mean?? bear with me, i am still learning html...



What you have quoted is not HTML, it's JavaScript. And the section you quoted plainly shows it checks browser version and executes the code in different ways based on what browser you are using. In 99.9% of the cases if a site does not display correctly in a particular browser, it's because the webmaster did not code/test his site on said browser. It *is* a problem for you as a user, But it is entirely fault of the site developer and bad coding, not the fault of the browser.
Someone please remove this account. Thanks...