New Phishing Flaw in Internet Explorer

[zencoder]

I think it's funny everyone is trying Firefox. Secunia specifically states this is an IE exploit. I was mostly being a sh!t, poking fun at the IE zealots.

<soapbox>
Internet Explorer will always be a bigger risk for the unlearned home users who run everything as a priviledged account. Yes, Firefox and the other browsers are at risk too in that setting, but they don't suffer from the further fatal flaw of being embedded into the operating system.
</soapbox>

Seriously, I'm not trying to start an argument or another MS is [better|worse] than open source, and when properly configured IE seems to be just as secure as any other segregated application. But in it's default setting, which is how the majority of people use it, using IE is asking for trouble more so than any other browser.

[Spekter1080]

though vulnerable, couldn't one see that the page changes (refreshes, redirects, any change)? Shouldn't one be suspicious of this, especially on a trusted page? when I tried the test on secunia, I could tell that the page was changed (not because of the content). Could this exploit be made to change faster or in a more subtle fashion? idk, I say the effectiveness of this exploit against a user with a good head on their shoulders is limited. Am I missing something?

[dopeydadwarf]

though vulnerable, couldn't one see that the page changes (refreshes, redirects, any change)? Shouldn't one be suspicious of this, especially on a trusted page? when I tried the test on secunia, I could tell that the page was changed (not because of the content). Could this exploit be made to change faster or in a more subtle fashion? idk, I say the effectiveness of this exploit against a user with a good head on their shoulders is limited. Am I missing something?

While this might be true to us, this doesn't hold water to the large majority of Internet users today. Click Click Click Click this is all they know. I say the users on the internet with a good head is limited.


/2 cents

[zencoder]

Originally posted here by zencoder
I think it's funny everyone is trying Firefox. Secunia specifically states this is an IE exploit. I was mostly being a sh!t, poking fun at the IE zealots.

<soapbox>
Internet Explorer will always be a bigger risk for the unlearned home users who run everything as a priviledged account. Yes, Firefox and the other browsers are at risk too in that setting, but they don't suffer from the further fatal flaw of being embedded into the operating system.
</soapbox>

Seriously, I'm not trying to start an argument or another MS is [better|worse] than open source, and when properly configured IE seems to be just as secure as any other segregated application. But in it's default setting, which is how the majority of people use it, using IE is asking for trouble more so than any other browser.

I was negged (by a retired member. Grow up and stop trolling...if you don't participate, your negative AP's really don't matter) for my closing statement.

I offer documentation to back my position.

[zencoder]

Originally posted here by zencoder
I was negged (by a retired member. Grow up and stop trolling...if you don't participate, your negative AP's really don't matter) for my closing statement.

I offer documentation to back my position.

From the document in the previous post:

TO better understand the operating system's dependency on IE, iDefense Labs removed IE from a default installation of Windows XP. Decoupling the browser from any Windows version after 98 is a complex and poorly documented process. <snip>

The decoupling process was far from straightforward. It involved booting from a floppy disk and removing numerous Dynamic Link Library (DLL) and executable files. It is important to note that simply removing IE through the Add/Remove Applications program in the Control Panel merely removes shortcuts to the browser from the desktop and Start meny; it does not permanently remove any components of IE. snip

iDefense lab test show that the following features of Windows fail to work properly when IE is removed:

• Windows Update
• Device Manager
• Remote Assistance
• Help and Support
• All Troubleshooting Wizards
• Activate Windows
• Disk Defragmenter
• Disk Backup
• Program Compatibility Wizard
• Address Book
• Search For People
• Windows Media Player
• Windows Catalog
• Hearts and Spider Solitaire
• Internet Games

As shown, key functionality is broken when IE is removed. For example, some of these applications are critical to the security of the computer, such as Windows Update and the Device Manager. These applicatins may have failed because the DLL files that handle Web connectivity through IE were removed with the browser. Certain DLL files were restorded to see if this was indeed the case; however, this further distorted the desktop, dut did restore some functionality in select applications. This demonstrates the deep level of integration between IE and the operating system. Because os this, iDefense recommends that users not attempt to remove IE from Windows.

Stick that in your pipe and smoke it. And damnit, I'm more mad that I let you get to me, than the fact that you actually got to me. Stop trolling. No one (who is still here) is impressed by you.

[Soda_Popinsky]

Funny, this doesn't work when IE security is set on "high". It's a good thing I don't trust sites I don't own!

But in it's default setting, which is how the majority of people use it, using IE is asking for trouble more so than any other browser.

I like to think that this site is about security, not a social problem...

[zencoder]

I would like to think that as well. Unfortunately, the social problems are not always controlled by "security". We often have policy and EULA's to tell people what they CAN and CAN NOT do. Doesn't mean they WILL do it...au contrare, if you put up a sign "Stay off the grass" people show up with Footballs. :P

[HTRegz]

Hey Hey,

Zen... sometimes iDefense doesn't take the greatest approach...

They went in and deleted DLLs... let's think about this logically..

In Windows you have DLLs... Dynamic Link Libraries.. yada yada yada..
In *nix you have Libraries...

Let's say you compile software in *nix and dynamically link it to the library... What's going to happen if you turn around and delete the library that it's linked to and then try and run the software??? It won't run..

Just because software uses a DLL it doesn't mean that the DLL in question is actually part of the software... it could be a system DLL that the software is making calls against... (This matches with what catch said in another thread that IE just makes proper use of APIs documented in the MSDN)..

So IE is compiled and dynamically linked to the DLLs... (makes sense... the file size will be decreased).. iDefense decides to reverse engineer IE and get's a list of all DLLs that it makes calls against... they then boot off a floppy and delete these DLLs to they can "fully" remove IE... they've now removed system DLLs... other programs that call upon these libraries can no longer function...

There is software out there that will help you remove IE.... example: http://www.litepc.com. Could Microsoft make it easier to remove the browser??? Yes... but why should they... it's more work on their part for something seldom people would do... Every OS ships with a browser these days....
When I install SuSE I Get KDE and Konqurer (a file browser and web browser)
When I install Ubuntu I get Gnome and FireFox Chrome (1.07, which isn't updated via their auto update system to 1.5.0.2)
When I install OS X, I get Safari....

Everyone bundles their software... no one makes it overly easy to remove it... why add those extra steps... At least Microsoft has now provided a way to do the Windows Genuine Check with Firefox... I can remember when that wasn't possible... Just because IE's on your system doesn't mean you need to use it... it's your own choice to use it...

But as I said... iDefense prolly wiped out some standard DLLs and fubar'd their install..

Peace,
HT

btw... notice how if a new member had come back and posted because someone had negged them... we'd neg the newbie and give them enough warnings to scare them away from the site?... maybe we need to rethink things in one way or another..

[brokencrow]

Anybody ever tell you IE is evil, HT?

[HTRegz]

Originally posted here by brokencrow
Anybody ever tell you IE is evil, HT?

Once again I see a useless post from you that leads me to question your IT abilities yet again... Why is IE evil??? Because users choose to run it in the default configuration??? That doesn't make the software evil... that makes the user stupid... but we've already had this discussion... and we know we're not going to get anywhere with it... Oracle went ahead and published exploit code on their website for their own vuln... it was a mistake but still.. they did it... Do you want to say that oracle is evil as well... I'm sure we could come up with plenty of other software as well... the latest firefox update fixed... I believe 7 vulns of varying degrees of severity... do we want to call firefox evil... IE had 10 and everyone makes a big deal.. but firefox had 7... what's that any different... 1 is bad.. more than that is just extra frosting..

Peace,
HT