[Internet Explorer] Critical Warning

[dduardo]

[Internet Explorer] Critical Warning!

There is a 0day IE6 remote exploit and code is already readily available on the Internet.

Background
---------------
A 0day exploit is such an advanced exploit that Microsoft hasn't created patches for it and probably won't start working on it until today. This means you'll be lucky to get a patch by next week.

A remote exploit means that no human input is required to become infected.

Affected Products:
-----------------------

Microsoft Internet Explorer 6 for Microsoft Windows XP SP2
Microsoft Internet Explorer 6 for Microsoft Windows XP SP1

Microsoft Office 2002
Microsoft Office 2000
Microsoft Office XP
Microsoft Visio
Microsoft Project
Microsoft .NET Framework 1.1
Microsoft Access
Microsoft Visual Studio .NET 2003
Microsoft Visual Studio .NET 2002
ATI Catalyst drivers
And More...

Solution:
-----------

Use Mozilla Firefox or use any other browser not Internet Explorer 6.

http://www.mozilla.org/

[edit] Update 1: SANS has release an UNOFFICIAL patch for this hole. You can find it here:

http://isc.sans.org/msddskillbit.php

Be warned that you will break programs that use the particular dll that is patched. This includes MS Office, .NET framework, Visio, etc

Use it at your own risk.

 

[hitssquad]

Solution:
-----------
Upgrade to Mozilla Firefox or use any other browser not Internet Explorer 6.

op·por·tun·ism
noun

: the art, policy, or practice of taking advantage of opportunities or circumstances, especially with little regard for principles or ultimate consequences

 

[dduardo]

Hey, what do you want me to say? Just don't use Internet Explorer 6? I have to give people options.

 

[JamesU]

f-i-r-e-f-o-x i-s b-e-t-t-e-r

 

[mattmns]

Little regard toward ultimate consequences, I would have to disagree with that part.

I personally do not see what is wrong with dduardo's post. I could see people being safer by not using IE for the next week or so.

 

[dduardo]

This is from an older exploit but still applies:

"CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera. Mac, Linux and other non-Windows operating systems are immune from this attack. For people who continue to use the Internet Explorer, CERT and Microsoft recommend setting the browser's security settings to "high," but that can impair some browsing functions."

For those who don't know: U.S. Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security.

Internet Explorer is a national security risk.

 

[hitssquad]

Are you talking about this one?
frsirt.com/exploits/20050817.IE-Msddsdll-0day.php

 

[dduardo]

Yes, that's the exploit code. Thanks for posting it.

 

[hitssquad]

It is ActiveX based.
http://www.emediawire.com/releases/2005/8/emw274468.htm

It does not affect anyone who does not have ActiveX enabled in his security settings.

 

[dduardo]

The problem is most people have ActiveX enabled. It's on by default.

 

[DaveC426913]

Hey, what do you want me to say? Just don't use Internet Explorer 6? I have to give people options.

Options. Yah. Not that you're biased or anything...

 

[mattmns]

He is giving the best option there is for windows users, imo.

Other options include:

Opera: www.opera.com (great browser, but has ads unless you buy it)
Netscape: Terrible, hardly worth even mentioning. http://www.netscape.com/
Mozilla: Might as well use firefox. http://www.mozilla.org
Kmeleon: http://kmeleon.sourceforge.net/ (Have not tried this one)

 

[dduardo]

Options. Yah. Not that you're biased or anything...

Go ahead and pick anything other than IE. That's fine.

 

[DaveC426913]

He is giving the best option there is for windows users, imo.

Certainly. Let's just call a spade a spade and not pretend that dduardo's interests are wholely altruistic, or given with *our* best interests in mind. As HitSquad points out, an ostensible warning about a virus was used opportunistically to flog Firefox.

 

[mattmns]

I think given that there have been new critical worms that just came out and now this IE exploit, this is definitely in the best interest of anyone using Windows and Internet Explorer. Yes dduardo may have used it to promote firefox, but firefox is one of the best alternatives to IE.

If your car had some serious problem you would probably swap it for a rental, or another car for a week or so, and I think the same can be said for web browsers. IE is having some major problems at the moment and therefore people should look to other browsers for now.

 

[dduardo]

Certainly. Let's just call a spade a spade and not pretend that dduardo's interests are wholely altruistic, or given with *our* best interests in mind. As HitSquad points out, an ostensible warning about a virus was used opportunistically to flog Firefox.

I am posting internet security warnings that are rated critical and could potentially harm a large group of people. I could careless if it has to do with IE or not. I'll post firefox security warnings if the exploits are critical. My intention is to inform people of security problems that could cause major loss of data or cause data to be compromised.

What do I have to gain by promoting Firefox? I'm not a mozilla developer. I'm not making money off firefox. I'm not competing against Microsoft. I just firmly believe that firefox is a better browser than IE. Is that wrong? Is it wrong for CERT to recommend that people use another browser? I'm not forcing you to switch. That's your poragative. Don't turn this into a religious war.

 

[Evo]

I for one applaud dduardo for bringing the potential problem to people's attention, even if he is getting $50 every time someone installs firefox.

 

[Skyhunter]

How go you turn off Active-X controls?

 

[dduardo]

If you turn off active-x you won't be able to visit microsoft's update site. In addtion you could also end up crippling some of your common software apps like excel, word, etc since they use active-x controls to run various scripts. But this depends on which features of the software you use.

If you surf the web with any other browser other than IE and don't use IE within other apps like outlook you should be fine. Only use IE to visit mcirosoft's update site. This is how I do it with windows machines I admin and they are always up and running without problems.

 

[Moonbear]

I for one applaud dduardo for bringing the potential problem to people's attention, even if he is getting $50 every time someone installs firefox.

I was going to ask if he has stock in Mozilla. Why is everyone jumping on dduardo for recommending something that's free to download? It's not like he's selling something, he's recommending a free alternative to a browser that currently presents a security risk. If you feel committed to IE for whatever reason, just use Firefox for a week or so until there's a patch available and then go back to IE again. I can't even remember a time when I didn't have two browsers installed on my computer and am having a hard time understanding why people are so worked up about it.

I appreciate that dduardo is trying to keep people informed of security threats that are popping up right now.

 

[mattmns]

Microsoft is a big company, and I am sure some people here have stock in MS. Personally I would not like someone messing with my money either.

 

[hitssquad]

If you feel committed to IE for whatever reason, just use Firefox for a week or so until there's a patch available

IE is not a security risk. ActiveX is. Firefox does not have ActiveX. IE let's you turn it on or off. IE is just like Firefox when you turn ActiveX off.

 

[Moonbear]

IE is not a security risk. ActiveX is. Firefox does not have ActiveX. IE let's you turn it on or off. IE is just like Firefox when you turn ActiveX off.

But it sounds like IE doesn't work very well if you turn off ActiveX.

 

[hitssquad]

But it sounds like IE doesn't work very well if you turn off ActiveX.

If IE didn't work very well with ActiveX turned off, how would Firefox work any better?

 

[mattmns]

Don't you need XP SP2 to turn ActiveX off?

edit.. Maybe not, I have seen solutions for turning it off in IE 4 and 5.

 

[hitssquad]

IE security options

Don't you need XP SP2 to turn ActiveX off?

No. IE has a security settings panel. Tools > Internet Options > Security > Custom level. There are five different categories for ActiveX, with options for on, off, or prompt. If you don't want to individually adjust security settings, you can use the security templates: Low, Medium-Low, Medium, High.

 

[dduardo]

If IE didn't work very well with ActiveX turned off, how would Firefox work any better?

The issue with turning off ActiveX is that IE isn't the only program that uses it. For instance, MS Office's VB Macros use ActiveX. A lot of companies use this and it isn't practical to start disabling ActiveX. There are also a bunch of other program s that can be affected by turning off activex. You also can't visit Windows Update if you have activeX disabled. Since you can only get exploited by opening up an html document in IE/Outlook, why not just replace the applications were you're most likely to open an html documents? Firefox, Opera, etc are good replacements for browsers while Thunderbird,Eudora, etc are good replacements for outlook.

Btw, hitssquad, do you have stock or invested interest in Microsoft or any of its affliate companies?

 

[Monique]

You will get a pop-up that ActiveX was blocked and you can opt to install it, such as on the Windows Update site, never had a problem with that setup.

 

[Evo]

At my last job, I found out after 18 months that I didn't have ActiveX enabled, it was only when I tried to use a special new system that I was prompted for it. I've never needed it for anything else apparently.