Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 22

Thread: New IE exploit for unpatched vuln

  1. #11
    Originally posted here by nihil
    I take the view that if you are going to sell a product to idiots, you should at least have the decency to include an idiot's guide in the box. It is not really a question of Users opting to do anything, at the moment I do not believe that 90% of domestic users are aware that they have options.
    ...
    Unfortunately we live in a "domestic appliance" society...............people go to the electrical store, buy a tv, take it home, plug it in..............it AUTOTUNES and within a few minutes it is good to go. All they have to do after that is change the batteries in the remote? They look on computers in the same way.
    You are dead on Nihil. I just recently had to spend a good deal of time convincing my brother-in-law to purchase and plug in a NAT router on his newly installed broadband cable Internet connection. He was complaining about spending $50 US and thought that having anti-virus installed was enough. He thought his computer (Windows 98 even) would protect itself.

    Unfortunately this type of attitude is brought into work. Corporate workers also think that they can do anything (re.; click on attachment in email, download screensaver or clipart - infected with malware) because corporate IT security has got their back.

    There almost needs to be a separate Windoze OS for home users that has additional security protections and protects users from stepping on their own reproductive-member. I believe at one point Microsoft was considering this approach.

    Frustrating. Sigh.

  2. #12
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    Ok, I have a simple question as I have little knowledge (trying to learn, though) of administrating a network's security.

    How do you protect against this sort of exploit (besides Snort, which would mearly catch the sploit in progress not stop it, if I understand correctly) when there is no patch out yet?

    Do you block every website at the gateway and whitelist the websites necessary for work?
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  3. #13
    Kwiep
    Join Date
    Aug 2001
    Posts
    924
    I think that the term "vulnerability" is too widely abused.

    "vulnerability
    A weakness in system security procedures, system design, implementation, internal controls, etc., that could be exploited to violate system security policy."
    - NCSC-TG-004 Glossary of Computer Security Terms
    "vul·ner·a·ble ( P ) Pronunciation Key (vlnr--bl)
    adj.
    1
    a Susceptible to physical or emotional injury.
    b Susceptible to attack: “We are vulnerable both by water and land, without either fleet or army” (Alexander Hamilton).
    --snip--"
    - dictionary.com (or something)

    I think you can safely call it a vulnerability, if you just use the "common" people's definition.
    Double Dutch

  4. #14
    Blast From the Past
    Join Date
    Jan 2003
    Posts
    729
    ya know what... lamens terms rock

    i noticed when you are telling a client why you patched
    " IE is very vulnerable to attack by...." there eyes are like black holes in the sky
    their mind goes into " i dont understand anything about computers" mode and forget to interpuret *sp*... if someone thinks they know nothing they do know nothing

    there is hole which can take down your computer and send you back to me for another repair

    ok back to the bottle of skyy... peace
    work it harder, make it better, do it faster, makes us stronger

  5. #15
    How do you protect against this sort of exploit (besides Snort, which would mearly catch the sploit in progress not stop it, if I understand correctly) when there is no patch out yet?
    Do you block every website at the gateway and whitelist the websites necessary for work?
    That is definitely IMHO the best way, the old default deny policy - we will only allow you access to the things you can show us you have a business need to access.

    The problem with this is the kickback you get from the business areas about IT Security being a "cork in the butt of progress" - not my words but something Security has been called in our organisation.

    If you can get your organisation to implement this type of policy you are lucky and your job as a network security professional will be much easier with this type of support. What happens in most places though is you continually put out spot fires (such as this 'vulnerability') until something really bad happens, the organisation blames IT Security and then lets you do what you wanted to do in the first place

    I know I am being very synical but in my experience realistic.....

    The same thing happens with IE vulnerabilities all the time - you will find that the one common thread of these vulnerabilities is - "If the user accesses a malicious webpage ......" what is the easiest way to protect yourself from these vulnerabilities - DONT LET THE USERS GET TO THE MALICIOUS SITES.

  6. #16
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I think you can safely call it a vulnerability, if you just use the "common" people's definition.
    So you think it makes more sense to use a general's term in lieu of a computer security term in order to define a computer security issue?

    Without a clear and concise language there can be no communication... as such it makes no sense to use a superset when and appropriate subset answer exists.

    cheers,

    catch

  7. #17
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    So you think it makes more sense to use a general's term in lieu of a computer security term in order to define a computer security issue?
    I would prefer that they use English terms instead of leetspeak.
    Computer people are infamous for misusing the English language, as though
    they majored in mathmatics (or gaming) and skipped their English classes.
    Just for entertainment, try to look up how the term "social engineering" is
    used outside of the computer biz.

    Having said that, I would say, concerning this vulnerability, everyone
    involved could share the blame, but the OS vendor could have shipped
    the system with active scripting disabled by default. Then, when the
    user enables it, a dialog with a pithy warning pops up. Sounds reasonable
    to me.

    I know, catch will go apoplectic at the mere mention of defaults,
    as if they were irrelevant and tangential, but I think you gotta be pragmatic.
    I used to carefully config my MS-DOS systems, but windzz is a bit more
    complex.
    I came in to the world with nothing. I still have most of it.

  8. #18
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I am sorry... but I hardly see "Glossary of Computer Security Terms" as leetspeak. Every industry has its own lexicon... in medicine you wouldn't mix them up... why do so with computers?

    The fact of the matter is, that this isn't a vulnerability because the system never does anything that it isn't supposed to do.

    You can bitch about default setups all you like... really only two solutions exist:
    1. Require a license to operate a computer. (Now who's being elitist?)
    2. Remove the users' ability to damage their systems (TCPA anyone?)

    Clearly the first option is simply not viable... as for the second option. The same people who bitch the most about microsoft not enforcing stricter controls over their systems' configurations are the same people who are against TCPA.

    So... I'll put the question back on to you rcgreen:

    How is my grandmother going to figure out how to enable active scripting? Will a warning pop up or will she need to find the same documentation that currently tells her how to toggle this functionality? Will she have to activate it for every new site she goes to or will accessing her favorite site with scripting unlock everything, leaving her no different off than now, except the vendor can directly blame her?

    How do you make a system that my grandmother can easily use and expand while removing "vulnerabilities" where no actual policy violation occurs? I already know that you hate TCPA despite the fact that it does this perfectly, so what do you suggest?

    To the serious user, much less the policy controlled organization defaults are irrelevant. Every aspect as system functionality must be defined with regard to the policy... regadless of whether or not the desired setting is the same as the default setting.

    Lastly, to the security expert default secure settings can be quite a pain because it is harder to calculate the change in system policy when something is unlocked than something being locked. And when something needed is locked, the user is informed right away, if a flaw in the policy is created that grants undesired access, the user will not know until... at the earliest a system audit. For example

    Subjects (s1, s2, s3...)
    Objects (o1, o2, o3...)

    s1 +rwx(o1)
    s2 +rwx(o2)
    s3 +rwx(o3)

    In this situation each subject can read, write, and execute to one object for a very secure default setting. Now, let us grant a little more access...

    s1 +rwx(o1, o2)
    s2 +rwx(o2, o3)
    s3 +rwx(o3, o1)

    Now each subject can write to two objects... directly however now we have an issue of transitive rights. Each subject actually has the ability to read and write to every object...

    s1 writes maliciously to o2, s2 executes o2 which tells s2 to read o3 and write the results to o2. This is possible for every combonation. Now think what wuld happen with a more complex system? What if we take rights away?

    s1 +rwx(o1, o2) -wx(o2)
    s2 +rwx(o2, o3) -wx(o3)
    s3 +rwx(o3, o1) -wx(o1)

    Here we have added in deny write and execute for several objects. This configuration means that shared objects cannot be written to in one direction to prevent malicious modifaction and cannot be executed the other direction to prevent the execution of malicious modification the other direction. Granted this is not a very real world example it does show how removing access yields no unpredictable flaws in policy and functionality may be tested for immediately. (if an object needs to be access in some way and can't be... the system will make a fuss)

    cheers,

    catch

  9. #19
    The fact of the matter is, that this isn't a vulnerability because the system never does anything that it isn't supposed to do.
    That's very true. However, one could argue that all flaws in programming could fall under this category. Computers are simply unable to do anything they were not told to do. If the code does something unexpected, then it is simply the computer following the programmer's flawed instructions.

    Every industry has its own lexicon... in medicine you wouldn't mix them up... why do so with computers?
    While this is true, there are terms used by the medical community that are, for lack of a better term, "dumbed down" for non-medical people. A fair number of people would look at you funny if you said you had a Myocardial Infarction, but tell people you had a Heart Attack and everyone understands. Also, even "specialized" subsets of lanugage are subject to ambiguities and interpretation; such is the limitation of language as a whole.

    You can bitch about default setups all you like... really only two solutions exist:
    1. Require a license to operate a computer. (Now who's being elitist?)
    2. Remove the users' ability to damage their systems (TCPA anyone?)
    Option 1 isn't necessarily elitist. One must have a licence to drive a car, because it is a powerful tool, capable of causing a great deal of damage in untrained hands. How is that different from a computer, other than it might be less likely to directly cause someone's death? The computer is the most powerful communications tool yet concieved by humanity, and can provide a person with the capability of causing intentional (viruses/worms/identity theft/etc) or unintentional (botnet/worm distribution) damage. Option 2 is a more realistic approach though, since people would get in an uproar about having to be licenced to use a computer (and governments would be liable to make this a big cash-grab).
    \"The future stretches out before us, uncharted. Find the open road and look back with a sense of wonder. How pregnant this moment in time. How mysterious the path ahead. Now, step forward.\"
    Phillip Toshio Sudo, Zen Computer
    Have faith, but lock your door.

  10. #20
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    How is my grandmother going to figure out how to enable active scripting? Will a warning pop up or will she need to find the same documentation that currently tells her how to toggle this functionality? Will she have to activate it for every new site she goes to or will accessing her favorite site with scripting unlock everything, leaving her no different off than now, except the vendor can directly blame her?
    That's a good philosophical question, with analogies in politics, law, ethics and religion.
    How can we have a world where people have powerful tools at their fingertips?
    How can we allow your grandmother to vote if we suspect she will not vote wisely?
    Isn't that a more potent weapon that could be used to harm herself and others?

    Maybe the voting machine should always default to the Republican candidate, unless she can
    find the hidden switch that will permit her to choose a Democrat. The fact is that there is no
    technological solution to moral, ethical or political problems. Our long-standing tradition
    is to wait till something breaks, breaks often enough in a particularly nasty way, and then
    fix it, test the results and see if there are any unintended consequences.

    People have to be permitted to make their own mistakes, at least until it is demonstrated
    that the consequences of the Laissez Faire approach are intolerable. Then, and only then
    do you write policy. Live and learn. So maybe after being embarrassed by these things
    often enough, Bill will tighten up those defaults just a tweak.
    I came in to the world with nothing. I still have most of it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •