
Thread: IE drag and drop flaw

  1. #1
    Senior Member mungyun's Avatar
    Join Date
    Apr 2004
    Location
    Illinois
    Posts
    172

    IE drag and drop flaw

    http://secunia.com/advisories/12321/

    The scary thing is that, according to the article, something could be placed in your startup folder when you use the scrollbar. I can see where this is leading.

    If anyone is curious, you can find a PoC here

    yet another reason not to use IE.
    I believe in making the world safe for our children, but not our children’s children, because I don’t think children should be having sex. -- Jack Handey

  2. #2
    yep, that's some scary shizer... won't call it surprising though... i just won't be dragging and dropping on a website anytime soon.

    Cool stuff, thanks for the post!
    Dyn/Gnosis ~ Powerful/Knowledge
    www.Dyngnosis.com
    Tutorials - Site Penetration Logs - (TheCommunity)Forums - Tools

  3. #3
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    Geez, another security flaw. With all the ones they've been finding lately, how can Microsoft bear to show its "face" in public???
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Geez, another security flaw. With all the ones they've been finding lately, how can Microsoft bear to show its "face" in public???
    Er, simple.... because they have 90+% penetration in the market.....

    Oh, and let's ask the _serious_ question..... Can user stupidity always be classified as a vulnerability? Xeriox, if I send you a .txt file and tell you to rename it to .exe then go to console and execute it, is that a vulnerability in the OS or the keyboard to seat interface?

    I quoted it recently from BugTraq..... [not verbatim here]

    If I send you an email telling you to flush your iPod down the toilet and you do it, is the iPod vulnerable to the toilet attack?????

    [Edit]

    I forgot.... I tried the PoC.... Nice, but WinPatrol caught it and removed it immediately..... funny that huh....

    [/Edit]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member mungyun's Avatar
    Join Date
    Apr 2004
    Location
    Illinois
    Posts
    172
    Can user stupidity always be classified as a vulnerability?
    Sadly, that's a general misconception that many non aware people are thinking.

    WinPatrol? is that like tripwire for linux?

    Would WinPatrol catch the scrollbar trick? I know that there is a PoC out there for this, but I haven't found it yet.
    I believe in making the world safe for our children, but not our children’s children, because I don’t think children should be having sex. -- Jack Handey

  6. #6
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    Originally posted here by Tiger Shark
    Er, simple.... because they have 90+% penetration in the market.....

    Oh, and let's ask the _serious_ question..... Can user stupidity always be classified as a vulnerability? Xeriox, if I send you a .txt file and tell you to rename it to .exe then go to console and execute it, is that a vulnerability in the OS or the keyboard to seat interface?
    Well, here's my reply. First off, the previous question was asked lightheartedly. Number two, was it user stupidity that enabled the spreading of the Sasser worm and Blaster worm? As I remember, it required no action upon the user's part... I'm not saying user stupidity isn't a big security hole. It is. Not that users are always just "stupid", they're just ignorant of what they're doing, most of the time.
    What I'm basically trying to say is, IE interacts with Windows in a way no other browser does, making it far easier (to some extent) to install spyware, malware, etc. when the user is using IE than when they are using other browsers. What was MS thinking and why do they continue to do it???

    Best regards,
    Xierox

    P.S. Xierox. *cough* And no, I'm not related to a copier.
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    X: (There, that solves the spelling issue.... , sorry).

    But that's the point. There is a clear difference between ignorance and stupidity. Leaving an unpatched, unfirewalled computer swinging out there in the breeze on the public network is ignorance on the part of a home user but it is stupidity on the part of a qualified administrator.

    That having been said, how many years has the mantra been "If you don't know who it's from or you don't know what it is then delete it"? 10 years now???? Don't tell me that even the most reclusive home user hasn't heard or read this at least ten times in their lives. Thus, _anything_ they do with files from untrusted sources really falls quite heavily into the stupidity category rather than the ignorance category.

    What was MS thinking and why do they continue to do it???
    M$ is working on the premise that in order for people to buy computers, and therefore M$' software, the software, which is, after all, the "computer" to the majority of users, has to be "easy". We both know that on the line of security that easy is at the extreme opposite end from security. But that's the business model they chose when there wasn't really much of an internet, (therefore minimal threat), and it's hard to turn a big ship going full steam ahead on a sixpence. Why do they continue to do it?... Well, they aren't, they are changing but we're back to the big ship issue... It doesn't turn that quickly.

    Mungyun:

    WinPatrol? is that like tripwire for linux?
    It's a "poor man's" tripwire for Windows..... It's free and it is really rather effective - especially for your friends and family. It works on the basic principle of the "choke point". If a piece of malware is going to successfully, (and long term), infect your machine it must configure the machine to run its code every time the box is restarted. There are only a few places that are commonly used for this.... Certain registry keys, the start folder, the homepage etc. so it checks these every three minutes by default, (user configurable), and alerts the user if anything changes. When it alerts, it gives the user the opportunity to say "No, I don't want this change to occur." If the user says no it reverses out the changes made. Of course the offending files are still on the computer but they remain "inert" since they are not normally going to be executed by a user because the malware will usually try to squirrel itself away where the user won't find it anyway.

    I really like WinPatrol as a "quick and dirty" warning that "something just happened". Obviously it's far from infallible but it does keep a large proportion of the crap off your machine. Install it on friends' and families' machines and tell them that "unless you just installed something yourself the answer is _ALWAYS NO!!!!_". You'll be doing them a favor.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
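
The "choke point" principle described in the post above, as an added example that is not part of the original thread and is not WinPatrol's code. It covers only the startup-folder choke point; the directory paths, file names and the `approve` callback are assumptions made for illustration.

```python
import hashlib
import os
import shutil
import tempfile

def snapshot(folder):
    """Map each file in one autostart location to the SHA-256 of its content."""
    state = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                state[name] = hashlib.sha256(fh.read()).hexdigest()
    return state

def check_once(folder, baseline, quarantine, approve):
    """One polling pass over the choke point; returns (new_baseline, alerts).
    New entries the user rejects are moved to `quarantine`: the file stays on
    disk but no longer runs at startup. Changed and removed entries are only
    reported."""
    current = snapshot(folder)
    alerts = []
    for name in sorted(set(current) - set(baseline)):
        if approve(name):
            alerts.append(("added-accepted", name))
        else:
            shutil.move(os.path.join(folder, name), os.path.join(quarantine, name))
            alerts.append(("added-reverted", name))
    for name in sorted(set(baseline) & set(current)):
        if baseline[name] != current[name]:
            alerts.append(("changed", name))
    alerts += [("removed", n) for n in sorted(set(baseline) - set(current))]
    return snapshot(folder), alerts

def demo():
    """Constructed scenario: a temporary directory stands in for the Startup folder."""
    with tempfile.TemporaryDirectory() as root:
        startup = os.path.join(root, "Startup")
        quarantine = os.path.join(root, "Quarantine")
        os.makedirs(startup)
        os.makedirs(quarantine)
        with open(os.path.join(startup, "updater.lnk"), "wb") as fh:
            fh.write(b"known entry")          # present when the baseline is taken
        baseline = snapshot(startup)
        with open(os.path.join(startup, "dropped.exe"), "wb") as fh:
            fh.write(b"unexpected entry")     # appears between two polls
        _, alerts = check_once(startup, baseline, quarantine, approve=lambda name: False)
        return alerts, sorted(os.listdir(startup)), sorted(os.listdir(quarantine))
```

A real monitor would call `check_once` on a timer and repeat the same snapshot-and-compare pass for each autostart location it watches.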

  8. #8
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    user stupidity that enabled the spreading of the Sasser worm and Blaster worm?
    most of the machines i repaired had better than 20 MS.. updates waiting to be installed..
    both of these worms did not dent patched machines.. blaster was a how many weeks/months from release of patch to worm release.. now sasser was only 2 weeks or so..

    some times I rather be repairing a user's virus/worm infected machine.. than repairing a user's deleted/moved/renamed files infected machine.. and that is regardless of who wrote the OS..some dick always gets to root.. and screws the system


    cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  9. #9
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    Originally posted here by Tiger Shark
    X: (There, that solves the spelling issue.... , sorry).

    ...

    M$ is working on the premise that in order for people to buy computers, and therefore M$' software, the software, which is, after all, the "computer" to the majority of users, has to be "easy". We both know that on the line of security that easy is at the extreme opposite end from security.
    First off, about the spelling. I really shouldn't even have mentioned it. It's just that most people get it wrong and I was feeling like correcting someone. :P

    Secondly, I'm not saying I disagree with you here, but I've been told that to a complete computer newbie Macintoshes are easier to pick up on. (Not going from personal experience here, just what I've been told.) If this is true, what's keeping Microsoft from designing something similar in the aspect that it is both easy to learn (which Windows is, I believe) and very secure (as Macintoshes are fabled to be). This is an honest question, not a flamish reply


    Originally posted here by Und3ertak3r


    most of the machines i repaired had better than 20 MS.. updates waiting to be installed..
    both of these worms did not dent patched machines.. blaster was a how many weeks/months from release of patch to worm release.. now sasser was only 2 weeks or so..
    Good point, I had not realized that. I stand corrected.

    Regards,
    Xierox
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    X:

    Don't worry about the spelling thing.... I can be as dyslexic as the best of them sometimes...

    As to developing something like a Mac.... That's what I just said.... It's a bloody big ship to turn around at this point. IIRC there are 60 million lines of code that go into Win2k/XP. All that doesn't get written in a matter of weeks. M$ has got a lot right, security wasn't one of them, never was. But they are now addressing that as best they can.... The boat is turning..... albeit more slowly than many would like.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
