*** HEADS UP *** Its IE again :rolleyes:

Greeting's

Quote:

---

Jeffrey van der Stad has reported a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error when handling .HTA applications and allows execution of the .HTA application on the user's system without any user interaction when e.g. visiting a malicious web site.

The vulnerability has been reported in Internet Explorer 6.0. Other versions may also be affected.

---

Quote:

---

Disabling Active Scripting support may prevent exploitation, but has not been proven.

---

For more inforamtion :

http://secunia.com/advisories/19378/

http://jeffrey.vanderstad.net/grasshopper/

w00t....

ANOTHER example of a vulnerablity that will have no effect on a properly configured and secured system.


Yeah.... go d0ppy!!!!

Synja we all know that, the problem is that most people don't have their systems properly protected and are still using IE.

If everyone knew how to protect themselves the minute they buy a computer, what would AO be here for? :D

Quote:

---

Synja we all know that, the problem is that most people don't have their systems properly protected and are still using IE.

If everyone knew how to protect themselves the minute they buy a computer, what would AO be here for?

---

What's wrong with IE? If configured properly, it is not affected by this vulnerability, nor any of the hundreds of others we keep hearing about.


It's not Microsoft's fault that people are stupid. If you're going to spend upwards of a thousand dollars on a machine, wouldn't you be concerned with learning how to take care of it?


And one last thing. Most people here DO NOT know that. They're just as ignorant as the rest of the world.

Quote:

---

a properly configured and secured system

---

This topic has been discussed many times, and created lots
of heat. When a normal consumer buys a PC, he expects it
to be "internet ready". The irony is that, with its security zones
feature, IE could be as good or better than Firefox on both
security and functionality. Experience proves, though, that if
it isn't set up right by default, few people will be able to
secure it later. Maybe people should have to go to a "surfing
school" before they're allowed on the net. Geez. New cars include
brakes, turn signals and seat belts from the factory.
:cool:

Quote:

---

Originally posted here by Synja
It's not Microsoft's fault that people are stupid.

---

But it IS their fault stupid people own computers. "Easy to use Windows means you won't have to sit down with tech manuals and learn anything".... Lol, come on man you have to give me that much. Microsoft is the reason the PC exploded. That comment is both good and bad at the same time.

Personally I think Bill Gates is schadenfroh ;)

Quote:

---

ANOTHER example of a vulnerablity that will have no effect on a properly configured and secured system.

---

Quote:

---

Yeah.... go d0ppy!!!!

---

Quote:

---

What's wrong with IE? If configured properly, it is not affected by this vulnerability, nor any of the hundreds of others we keep hearing about.

---

OK wise guy...............in the next seven days (and that is lots of time) I expect you to post a tutorial that joe public can understand telling them how to secure IE/Windows from how it comes out of the box.

"I see your lips moving, but you ain't sayin nothin"

Challenge issued


:cool:

Quote:

---

Originally posted here by Synja
What's wrong with IE? If configured properly, it is not affected by this vulnerability, nor any of the hundreds of others we keep hearing about.


It's not Microsoft's fault that people are stupid. If you're going to spend upwards of a thousand dollars on a machine, wouldn't you be concerned with learning how to take care of it?


And one last thing. Most people here DO NOT know that. They're just as ignorant as the rest of the world.

---

you do hava a point, synja. I like firefox anyway though becuase of the layout and the extensions that you can donwload for it.

Quote:

---

Challenge issued

---

I've already been working on it.


It will most likely be a pdf. I will host it on eightfootvagina.com fror everyone to download.


It will be within a week assuming I get enough time to do it. I have baby duties right now, and he won't let me put him down.(he's in my lap right now.)

Man if I had a baby..... Heh actually almost had a heart attack once. My ex said these words:

"Ummm, honey I'm late"....

Me: "Huh? No you're not you got here on time..."

"No no, I mean I'M LATE"...

Me: "OH MY GOD NOOOOOOOOOOOOOOOOOOO!"



2 weeks of chain smoking and drinking later:


"It came now, I went to the Dr and nothing was wrong"...

Me: "OH THANK GOD!".


If that would have happened though I think instead.... I need to say this, it's offensive as hell but everyone in my class laughed:

In my political science class we were talking about Abortion and laws about it. My teacher asked "What do you think would happen if abortion WAS made illegal in the US?"

Me, without raising my hand or thinking about it blurted out "Well coat hanger sales would sky rocket".


But in all seriousness I would have bought this:

http://www.cinderblock.com/wc.dll?We...93785637937856

http://www.cinderblock.com/wc.dll?We...93785637937856

Come on those are adorable and you know it.

Quote:

---

I have baby duties right now

---

I'm thinking a couple more years and he'll be looking after you... :D

I always thought IE was safest when run under linux.

Quote:

---

I always thought IE was safest when run under linux.

---

IE is safest when run under a NT version of Windows. Assuming yer not a complete asshat.

It runs pretty good under Crossover Office. CO would even warn on on activex scripts. Funny thing, IE would crash doing the Windows updates.

:cool:

I just love self righteous, know it all bastiges... Just leave them for a while and they always trip over their own crap....

Quote:

---

I just love self righteous, know it all bastiges... Just leave them for a while and they always trip over their own crap....

---

I am not self righteous. I am arrogant. There is a difference. I think.

Quote:

---

I am not self righteous. I am arrogant. There is a difference. I think.

---

Yes, the latter smells from a distance...

:eek:

Quote:

---

I am not self righteous.

---

You're not very smart either... or you would have known that the comment wasn't aimed at you... Dummy... ;)

What's funnier is the fact that the target didn't get it yet....

Tiger Sharks eat crows too.

Naaaahhh... Need more garlic....

Film quote... ;)

It was a joke.


Goddammit. None of us are funny today.

Quote:

---

Goddammit. None of us are funny today.

---

...ain't that the truth. :(

Quote:

---

Goddammit. None of us are funny today.

---

/me looks at everyone's profile pictures, points, then laughs.

Yer fugly.

internet explorer: allowing your computer to browse the internet. and vice versa.

;)

Bleh... I'll never use a browser like firefox for the same reasons why I'll never use AOL even though the commercials told me its much better and safe...

or install linux because I blame MS software for my own ignorance and inability to do medial tasks with computers.

Quote:

---

And one last thing. Most people here DO NOT know that. They're just as ignorant as the rest of the world.

---

Synja don't practice "security by obscurity;" that is, don't assume users are stupid. Some users are smarters than your assumptions. ;)

Quote:

---

people don't have their systems properly protected and are still using IE.

---

I disagree. IE can be very secure if you configure it properly. Also, you cannot secure third party web browsers (mozilla/firefox) through GPO, Like you can with IE.

Also, some sites only work in IE. I use IE. My box is also secure like Fort Knox.

Quote:

---

Synja don't practice "security by obscurity;" that is, don't assume users are stupid. Some users are smarters than your assumptions.

---

You have to assume that users are stupid and will not use common sense. You have to secure to the lowest common denominator. This is in no way security through obscurity.


Notice I said "most?" If you disagree with that, you have an insanely ignorant and lofty view of our memebership. It was not all inclusive. Obviously we have some very good people here. They are still outnumbered by idiots.

Quote:

---

Originally posted here by Synja
You have to secure to the lowest common denominator.

---

If you want to do that line all of your users up and kill them.

Quote:

---

If you want to do that line all of your users up and kill them.

---

Now THAT is a security tip....

Hell yea, most attacks are internal anyway. And you wouldn't need to worry about one of them being tricked into giving out info, and just think how fast Network problems would go away.... *Dreams*.

Hey guys...dont be killing all the stupid lusers....they pay my bills...and keep me in wine :D

MLF

Well it would even out, they are probably the reason you drink in the first place. :)

Quote:

---

Well it would even out, they are probably the reason you drink in the first place.

---

Youve got that right..... ;)

MLF

hi all,
i went through an article at security focus (http://www.securityfocus.com/news/11384) they mention that,

Quote:

---

Marc Maiffret, chief hacking officer for eEye said in a statement announcing that company's fix. "Again, this is just another mitigation option until Microsoft releases their patch, which last was scheduled for April 11th, or 16 days from now."

---

why is this constantly happening that microsoft donot offer patch at the instant the exploit is released? I think this is the second time a third party is offering a limited solution for the problem.

another intersting info

Quote:

---

Hi gang, Stepto here again.

The MSRC in combination with our internal and external partner teams have been working through the weekend looking at the recent attacks involving the IE vulnerability I mentioned previously. So far we’re still seeing only limited attacks. But our anti-malware team, as always, is on the case and has uploaded removal information for the attacks to date to Windows Live Safety Center. I want to reiterate that the IE team has the update in process right now and if warranted we’ll release that as soon as it’s ready to protect customers (right now our testing plan has it ready in time for the April update release cycle). But if you’re concerned you may be impacted, now you can visit http://safety.live.com to scan your machine and remove current attacks using this vulnerability.

As always we will keep you up to date with the latest information as we get it.

---

source: http://blogs.technet.com/msrc/archiv...27/423176.aspx

Thanks

Hey Hey,

Quote:

---

why is this constantly happening that microsoft donot offer patch at the instant the exploit is released? I think this is the second time a third party is offering a limited solution for the problem.

---

There's a number of reasons for this..

1. They have a monthly patch cycle
2. Many enterprises won't just roll out the patch anyways... They have resources set aside for Patch Tuesday to do the testing and ensure it won't blow up their production environment... They don't have the extra resources for out-of-band releases
3. A lot of users don't run automatic updates because they don't like having stuff downloaded to their computer without their knowledge... Those people won't just randomly check for updates.
4. They want everything to be extensively tested... updates are quite often larger than they appear

Let's give you an example... a big office update comes out.. The update involves the Multilingual User Interface (MUI). The MUI allows you to add additional languages to various language packs that already exist.. So you have Spanish Office 2003... You could add French and Italian with a MUI pack. Now think of the possible combinations.. Any language... with any combination of other languages... You want to be sure that your update isn't going to break any of these variations... and the variations are all different.. just check out the Reg Keys that each set gives you.. the reg. keys can very...

Third parties may release their patches ahead of Microsoft... however are they as extensively tested? Very doubtful... that's why they generally have disclaimers attached to them... They aren't necessarily reliable. They may only work on certain installs under certain configurations... They may break other functions (We've seen patches and workarounds that have done that in the past)... Microsoft doesn't have to just fix the problem.. they have to fix the problem and not create any others... that's a very different ball game.

Don't let the MS bashers convince you that Out of Cycle/Out of Band patches are a good idea... There was a recent thread on full disclosure from the n3td3v group... It's kinda a joke on FD... and they were saying that MS should make patches available immediately... the public response was the same thing.. it'd hell on enterprises, doesn't have enough benefits and doesn't ensure that proper patch testing is performed.... I'd rather wait 30 days at risk for Microsoft to fully test the patch and know that it won't break anything, than have it corrupt an OS or worse incorrectly interact with my hardware... or create an even bigger security hole...

Check out the FD thread @ http://seclists.org/lists/fulldisclo.../Mar/1581.html

Peace,
HT

Greeting's

What SANS says about the temp patch :

Quote:

---

At this point, we do not recommend applying this temporary patch for a number of reasons:

The workaround, to turn off Active Scripting AND to use an alternative browser is sufficient at this point.

We have not been able to vet the patch. However, source code is available for the eEye and the Detmina patch (for Determina: the source is part of the MSI file. for eEye: The source code is available as a seperate file)

Exploit attempts are so far limited. But this could change at any time.

---

It also says :

Quote:

---

Some specific cases may require you to apply the third party patch. For example, if you are required to use several third party web sites which only function with Internet Explorer and Active Scripting turned on. In this case, we ask you to test the patch first in your environment. You may also want to consider contacting Microsoft.

---

And finally

Quote:

---

We do suspect that Microsoft will still release an early patch given the imminent danger to its customers from this flaw. As stated by the company about two years ago, patches can be released within 2 days if needed. Microsoft has honed its patching skills from numerous prior patches. At this point, Microsoft suggested that the patch will be release no later then the second Tuesday in April. Based on prior public commitments, we do suspect that Microsoft will issue the patch early once they are convinced that customers require the use of Internet Explorer in production environments.

---

There is a link in the article :

1.http://www.securityfocus.com/news/9004


Link to the article itself

http://www.isc.sans.org/diary.php?storyid=1226


Anyway HTRegz has give enough information about why the company cannot release the patch on the very next day or even within few day's

Its just like some anti-viruses, for e.g Symantec releases Def's through liveupdate every week and only if needed in case of a level 3 or above outbreak ASAP. But you can always download daily def file from the site (although its 10Mb)

Quote:

---

Originally posted here by ByTeWrangler

Its just like some anti-viruses, for e.g Symantec releases Def's through liveupdate every week and only if needed in case of a level 3 or above outbreak ASAP. But you can always download daily def file from the site (although its 10Mb)

---

This is a great example of improper patch testing... Remember what happened a few weeks ago when McAfee released their update that wasn't properly tested... It was suddenly removing excel and many other programs from the users computer..

Peace
HT

Hi Guys,

I haven't read back through this thread recently, so i apologise if this has been posted

It looks like the scammers have now got a grip on these problems and are exploiting them:

http://news.bbc.co.uk/1/hi/technology/4864072.stm

Basically they are creating an e-mail that has current excerpts from the BBC News website with a more link underneath. When you go to that link it takes you to a fake BBC News site that installs a Keylogger or Trojan. The point is to get your financial info. Its always driven by money :rolleyes: