Four more IE Vulnerabilities


Aly
07-13-2004, 01:01 PM
http://secunia.com/advisories/12048/

These vulnerabilities are there, even on an unpatched system. The only things you can do are turn off Active Scripting or switch to another browser.

Critical: Extremely critical
Impact: Security Bypass, Spoofing, System access
Where: From remote
Software: Microsoft Internet Explorer 5.01, Microsoft Internet Explorer 5.5, Microsoft Internet Explorer 6

Description:
Paul has reported some vulnerabilities in Internet Explorer, allowing malicious people to bypass security restrictions and potentially compromise a vulnerable system.

1) It is possible to redirect a function to another function with the same name, which allows a malicious website to access the function without the normal security restrictions.

Successful exploitation allows execution of arbitrary script code in the context of another website. This could potentially allow execution of arbitrary code in other security zones too.

2) Malicious sites can trick users into performing actions like drag'n'drop or click on a resource without their knowledge. An example has been provided, which allows sites to add links to "Favorites". However, resources need not be links and the destination could be different than "Favorites".

This issue is a variant of an issue discovered by Liu Die Yu.
SA9711

http-equiv has posted a PoC (Proof of Concept), which combined with the inherently insecure Windows "shell:" functionality, can be exploited to compromise a vulnerable system.

3) It is possible to inject arbitrary script code into Channel links in Favorites, which will be executed when the Channel is added. The script code is executed in Local Security Zone context.

4) It is possible to place arbitrary content above any other window and dialog box using the "Window.createPopup()" function. This can be exploited to "alter" the appearance of dialog boxes and other windows.

Successful exploitation may potentially cause users to open harmful files or do other harmful actions without knowing it.

An additional issue allowing malicious sites to inject script into the Local Security Zone using anchor references has also been reported to affect Internet Explorer 6 running on Windows XP SP2 (release candidate / beta). This issue could not be confirmed on a fully patched Windows XP SP1 system.

Issues 1-4 have been confirmed on a fully patched system with Internet Explorer 6 and Microsoft Windows XP SP1.

Previous versions of Internet Explorer may also be affected.

Solution:
Disable Active Scripting.

Use another product.

oddjob1244
07-13-2004, 06:59 PM
Make sure to give another browser a try =)

Aly
07-13-2004, 07:26 PM
Issues 1-4 have been confirmed on a fully patched system with Internet Explorer 6 and Microsoft Windows XP SP1.
Um, did you miss the part in the article where it's stated these flaws exist on a fully patched system?

oddjob1244
07-13-2004, 08:56 PM
I read: This issue could not be confirmed on a fully patched Windows XP SP1 system. I skimmed through the article and incorrectly read that, my bad =)

However on Yahoo I found this interesting.

Security flaws in Microsoft's (MSFT) ubiquitous Web browser are breathing life into Internet Explorer's rivals. Since early June, Explorer's share of the market has dropped from 95.48% to 94.42%, according to San Diego Web analytics firm WebSideStory.

/cheer

guice
07-13-2004, 11:15 PM
I'm gonna have to start building an archive of these links. There's a good 15ish links out there now on real sites about IE bugs.

It's amazing it's taken this long really for it to hit the news sites. IE has always been a buggy browser. It's always allowed spyware to be installed, viruses, etc. It's about time the news finally caught up with it.

Oh and don't worry, even if SP2 patches these holes, there will be many more found shortly after its release. No use in exploiting bugs in a beta product.

Rahjeir
07-14-2004, 12:21 AM
Bah, just don't use I.E. Only reason why I still use it, is because 70% of people who view the Grove still use it....Grrrr.

Tiane
07-14-2004, 06:11 AM
BTW There were 5-6 Critical Updates posted on Windows Update today. Go patch!

In other news, SP2 is delayed at least a month, and Microsoft Product Update Services is delayed at least a year. Take your time guys, not like your OS is a mess or anything!

Aly
07-14-2004, 09:46 AM
Well maybe posts like these can start to trim that number down. I have IE on my computer for two reasons. One, you can't get rid of the damn thing it's so frelling integrated into the OS. Two, I need to know if the web page I make shows up correctly in it.

Stormhaven
07-14-2004, 10:26 AM
I use IE, I use XP, I use Win2k3 and honestly, I've never had any of these issues that everyone complains about. But then again, I don't go to **** sites, or "shoot the duck" sites, or anything like that. The only time I go to "risky" sites is when I'm looking for... erm... "software". But on those, I usually scope it out with my test box first, loaded to the gills with AV software. I hate using cds with my games, so the first thing I usually look for is no-cd hacks, and I only download those from trusted sites.

It's amazing what you can avoid with just a little discretion.

And besides, I haven't found any other OS that I'd rather work with. Browser? Meh, I could care less. I started off with Netscape 2.0 and loved it, then it started to suck around 4.0 and I switched to IE and never looked back. I can't remember the last time IE crashed on me, mishandled a page layout, or borked anything else on my box. Both ADAware and SpyBot are common programs on my machine, but they hardly ever find more than a handful of items - and usually they're nothing more than "data-mining" cookies.

Aly
07-14-2004, 10:34 AM
I can't remember the last time IE crashed on me, mishandled a page layout, or borked anything else on my box.

On the flip-side, Firefox hasn't crashed once yet for me or borked anything else up either. It does screw up some page layouts, but that's not the fault of the browser. It's sloppy coding on the webmonkey's part. IE gives a lot of leeway to sloppily coded webpages. Firefox and the other Mozilla browsers follow the strict W3C coding standards.

Think of it this way. Would you rather have a security system that requires an exact sequence of six numbers or one that lets you punch in a number that's slightly off here or there? =)

guice
07-14-2004, 10:57 AM
<-- Runs Moz Fx and never has to worry about any website I go to; this also means I can check out malicious websites w/out worry.

<-- Runs AdAware approx. once every 2-3 months, never finds anything.

<-- Auto runs Anti Virus weekly, never found anything in the past 3 years.

So ... I'll keep with my Fx. ;)

Stormhaven
07-14-2004, 11:33 AM
A website is not a security center, and with "Bloggers" making more and more people "HTML-heads" you'll see more amateur websites before you see pro websites. If a browser's going to bork up a site because it's missing < / HTML >, /shrug, I don't need it.

And the only times IE's crashed on me is when waiting on something like Flash or RealMedia (uninstalled that POS rather quickly, I might add).

As far as market dominance, it's done and over. MS got their browser share, and got what they needed done. They've moved on to search engine technology now. If they lose 1-5% of the market share from this point on, it's a rather moot point because everyone's still coding for IE.

Panamah
07-14-2004, 12:20 PM
Ah, don't be so smug Mozilla users. I just read about a Mozilla security hole. :p As more people start to use it, more holes will be found and exploited. It's inevitable.

I tried the SP2 beta and unloaded. It brought my machine to a crawl and I couldn't run CoH with it installed. It was horrid.

Stormhaven
07-14-2004, 12:53 PM
You couldn't possibly be referring to the security flaw that was found in IE was found in Mozilla browsers (http://story.news.yahoo.com/news?tmpl=story2&u=/nf/20040709/tc_nf/25807) right? ;)

Drake09
07-14-2004, 01:10 PM
I use IE, I use XP, I use Win2k3 and honestly, I've never had any of these issues that everyone complains about. But then again, I don't go to **** sites, or "shoot the duck" sites, or anything like that. The only time I go to "risky" sites is when I'm looking for... erm... "software". But on those, I usually scope it out with my test box first, loaded to the gills with AV software. I hate using cds with my games, so the first thing I usually look for is no-cd hacks, and I only download those from trusted sites.

It's amazing what you can avoid with just a little discretion.

And besides, I haven't found any other OS that I'd rather work with. Browser? Meh, I could care less. I started off with Netscape 2.0 and loved it, then it started to suck around 4.0 and I switched to IE and never looked back. I can't remember the last time IE crashed on me, mishandled a page layout, or borked anything else on my box. Both ADAware and SpyBot are common programs on my machine, but they hardly ever find more than a handful of items - and usually they're nothing more than "data-mining" cookies.


Are you me? That is exactly what I was thinking.

LauranCoromell
07-14-2004, 01:25 PM
I can not get the updates due to some of the security settings I have. Could anyone please tell me how to get it back to the default setting so that it will update windows and then what I need to have either disabled or put to prompt in order to keep the machine safe after the update is done?

I'd really appreciate the help, I got the info from here on what to change in there a long time ago, but have forgotten which I changed about. I'll make a note this time :). Thanks again for any help.

guice
07-14-2004, 02:33 PM
You couldn't possibly be referring to the security flaw that was found in IE was found in Mozilla browsers (http://story.news.yahoo.com/news?tmpl=story2&u=/nf/20040709/tc_nf/25807) right? ;)
More like the recent bug that MS claimed to have fixed in SP1, but didn't (http://software.newsforge.com/article.pl?sid=04/07/08/2327246&mode=nested&tid=78&tid=82).
The kicker is that this isn't even a problem with Mozilla; it's a problem with Windows Explorer. Windows XP Service Pack 1 was supposed to have closed this hole, but apparently it is still functioning and leaving Windows systems open to remote attack. So the Mozilla team worked to patch a hole that had little to do with their project.
Besides, all it did is give shell: ability, which was easily patched before the announcement was made. On top of that, IE is still vulnerable the last I heard. Although, I hadn't patched the latest 5 updates to IE released today. There's been more security holes found in Opera releases than any of the Gecko releases. I think this is like the second or third found for Gecko, on release (naturally I'm not counting nightly, beta builds).

guice
07-14-2004, 02:35 PM
I can not get the updates due to some of the security settings I have. Could anyone please tell me how to get it back to the default setting so that it will update windows and then what I need to have either disabled or put to prompt in order to keep the machine safe after the update is done?

I'd really appreciate the help, I got the info from here on what to change in there a long time ago, but have forgotten which I changed about. I'll make a note this time :). Thanks again for any help.
You need to enable ActiveX in IE. Go fig, the root cause of all this is required to update your OS. :lmao:

In IE it's in your advanced options someplace...exactly where? heh, not sure. ;p

Aly
07-14-2004, 02:42 PM
*laughs* That flaw in Mozilla based browsers is due to faulty Windows programming and a bad default configuration in Mozilla. The flaw is due to shell: functionality in the Windows OS. It was turned on by default in Mozilla browsers. Soon as that flaw was discovered, the same day, Mozilla.org released a patch and upgraded the browser downloads. Works for me.

Stormhaven
07-14-2004, 02:56 PM
Oh I see, because Mozilla patched it, it's all ok.
I see.
/sarcasm.

Aly
07-14-2004, 02:59 PM
Oh I see, because Mozilla patched it, it's all ok.
I see.
/sarcasm.
The same day. What about many of IE's vulnerabilities that as of yet, remain unpatched? Mozilla isn't at fault for the shell: vulnerability. That's a problem with Windows Explorer, or are you just conveniently going to ignore that?

guice
07-14-2004, 03:19 PM
Oh I see, because Mozilla patched it, it's all ok.
I see.
/sarcasm.
You do realize this isn't a bug in Mozilla? This is what you call an oversight. MS claimed to have fixed it in Windows XP SP1, but obviously did not. Opera users are busy gloating that Mozilla "should have known" as their excuse to bash Fx's oversight.

I just don't see what you're getting at. So, you can exploit an open hole in the Windows OS by clicking on a shell: link within Mozilla. Did you know you get the same thing clicking on a shell: link in IE (at least before today's patches--a week later. Not sure about after since I hadn't installed them)? At least Websites aren't auto-installing viruses just by visiting them. ActiveX is the most insecure development language ever created, and you're still supporting it? (using a Linux avatar) :guin:


I wonder if IE still auto runs .dll files embedded within webpages. I don't seem to recall that ever hitting the news. As far as I know, the bug might still be open. Good thing it doesn't affect ... oh .. every other browser on the internet; Mozilla, Netscape, Opera, Firefox, Safari, Lynx, Camino, K-Meleon, etc.

Stormhaven
07-14-2004, 03:42 PM
Not all penguins are Linux avatars, just Tux, a specific penguin.

Use what you want to use, I'll use what I use. Maybe I'll think about switching somewhere down the road, but there's still no concrete reason to do so in my mind.

LauranCoromell
07-14-2004, 03:57 PM
Ok, so I'm supposed to enable "Download unsigned Active X controls" and
"Initialize and Script Active X controls not marked as safe", in order to get the update?

That just doesn't sound very good. Do you guys have those enabled? Thanks again for the help.

Tudamorf
07-14-2004, 04:09 PM
You do realize this isn't a bug in mozilla? This is what you call an oversight.
Call it what you will, it boils down to the same thing: Mozilla released the browser with a vulnerability that could compromise your system -- a vulnerability that was within their control as evidenced by the 0.9.2 patch.

You had better hope IE retains its 95% share and Mozilla doesn't gain any more; if that happens, all the virus writers will turn their attention to Mozilla and suddenly you'll see a bunch of new vulnerabilities for your own browser. I imagine it's a lot easier to write a virus for a system when you have that system's source code right in front of you.

oddjob1244
07-14-2004, 05:21 PM
I imagine it's a lot easier to write a virus for a system when you have that system's source code right in front of you.

It's a lot easier to patch too =)

Oh I see, because Mozilla patched it, it's all ok.

The same day? Yea that's pretty good. Nobody is going to release a flawless 100% secure program, the fact that they backed it up incredibly fast is pretty good I say. Had MS released 4 patches yesterday or today to clean up the newest exploits I wouldn't be so worried about using IE.

Aly
07-14-2004, 05:26 PM
I imagine it's a lot easier to write a virus for a system when you have that system's source code right in front of you.

You keep missing the biggest point. Mozilla browsers are not integrated right into your OS. That's the biggest problem of IE, period. As soon as this flaw was discovered, it was fixed. Same day, before word of the flaw got out. And really, you keep ignoring the point.

IT WAS A FLAW WITH WINDOWS EXPLORER. The shell: vulnerability was supposed to have been fixed by Microsoft in SP1. It was not. Mozilla is not to blame here. The only thing that was wrong with the browser was a bad default configuration, which they have since changed. I would much rather have a simple bad config than bad coding, as most of IE's faults have been.

Stormhaven
07-14-2004, 06:18 PM
A program which can cause an OS to become unstable is as at fault as anything else. That's like saying an AV program that causes a memory leak isn't at fault because the OS doesn't properly address memory space. If the Mozilla issue wasn't a flaw, they wouldn't have fixed it. As it was, the security bug was in essence the same in Mozilla as in the IE version - both browsers allowed a program to get to the OS to be executed. You can "fix" a lot of things in IE by simply "changing a default configuration" too (Security = High).

Sorry, Mozilla is neither the "savior" nor is open source software the "perfect solution" that everyone thinks either one is.

Tudamorf
07-14-2004, 06:57 PM
As soon as this flaw was discovered, it was fixed. Same day, before word of the flaw got out. And really, you keep ignoring the point. IT WAS A FLAW WITH WINDOWS EXPLORER.
Then both are to blame. As an analogy, if you ask me for street directions somewhere, I send you through a bad neighborhood, and you get robbed, it isn't just the robber's fault, it's mine too for giving you lousy directions.

Yes, this vulnerability was patched immediately, because it just required disabling a simple feature. But what other vulnerabilities are out there that have *not* been discovered simply because Mozilla is much less popular? If all the hackers/proof-of-concept virus writers/security freaks suddenly turned their full attention from IE to Mozilla, how confident are you that it would hold up with no flaws whatsoever?

Open source makes it easier to find bugs, but it also makes it easier to exploit them. How can you be sure, on balance, that the benefit of finding the bugs more easily outweighs the risk of exploiting them more easily?
Mozilla browsers are not integrated right into your OS.
It's still software running with full permissions, with the ability to modify any part of the operating system, install spyware or hacks, and destroy my data.

Tiane
07-14-2004, 06:57 PM
You do realize this isn't a bug in mozilla? This is what you call an oversight
No... this is what the truly aged call an Undocumented Feature!

Anyway... Lauren if you go into Internet Options -> Security -> Custom Level (Internet) -> , if you change it to Medium you should be ok to go to Windows Update. Just be sure to put it back to High when you are done patching.

Tudamorf
07-14-2004, 07:01 PM
Ok, so I'm supposed to enable "Download unsigned Active X controls" and
"Initialize and Script Active X controls not marked as safe", in order to get the update?
Set your "Trusted Sites" to Medium security, and then add *.microsoft.com to the list of trusted sites. Put the "Internet" at High Security. Then you can patch and update while still browsing other sites with relative safety.

Aly
07-14-2004, 07:07 PM
Mozilla devs should've known better than to trust MS' word that the shell: vulnerability was fixed. They made a bad decision about the default configuration for the browser. That's it. There wasn't any broken code in the browser or security hole. It was in the config file and the way browsers integrate with the Windows OS. There's a reason that flaw only affected Windows systems. So those of you harping on Mozilla about it, are blowing it way out of proportion.

oddjob1244
07-14-2004, 07:12 PM
A program which can cause an OS to become unstable is as at fault as anything else.

You've got the anti-ie people saying, "Windows should have never implemented the shell: command if it was insecure" and you have the anti-mozilla people saying, "Mozilla should have never implemented the shell: command if it was insecure." It's great.

Aly
07-14-2004, 07:22 PM
You've got the anti-ie people saying, "Windows should have never implemented the shell: command if it was insecure" and you have the anti-mozilla people saying, "Mozilla should have never implemented the shell: command if it was insecure." It's great.

You're sorta wrong there... the shell: command is a part of Windows Explorer that was supposed to have been secure. Patched in SP1. Microsoft did not fix it however. Mozilla thought it was and did not change how the browser accessed the shell: command. Someone pointed out on some security e-mail listing thing, that the flaw was still there and Mozilla patched it that same day... to whitelist the config file instead of blacklisting it.
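
The difference between blacklisting and whitelisting the URL schemes a browser hands to the operating system, as an added example that is not part of the thread and not Mozilla's code. The scheme lists, function names and sample URLs are constructed for illustration.

```javascript
// Added illustration: should a link's scheme be handed to the operating
// system's protocol handlers? All names and lists here are hypothetical.

// Schemes the browser renders itself; these never reach the OS hand-off.
const INTERNAL_SCHEMES = new Set(["http", "https", "ftp"]);

// Blacklist (constructed): schemes known to be risky when the list was written.
// "shell" is absent, modelling the assumption that the OS side had been fixed.
const DENYLIST = new Set(["vbscript", "hcp"]);

// Whitelist (constructed): the only schemes that may be passed to the OS.
const ALLOWLIST = new Set(["mailto", "news"]);

// Normalise the way browsers do before reading the scheme: drop tab/CR/LF
// anywhere, trim leading/trailing control characters and spaces, lower-case.
function extractScheme(rawUrl) {
  const cleaned = String(rawUrl)
    .replace(/[\t\r\n]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  const match = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(cleaned);
  return match ? match[1].toLowerCase() : null;
}

// Blacklist policy: everything external is handed off unless listed as bad.
function denylistAllows(rawUrl) {
  const scheme = extractScheme(rawUrl);
  if (scheme === null || INTERNAL_SCHEMES.has(scheme)) return false;
  return !DENYLIST.has(scheme);
}

// Whitelist policy: nothing is handed off unless listed as good.
function allowlistAllows(rawUrl) {
  const scheme = extractScheme(rawUrl);
  return scheme !== null && ALLOWLIST.has(scheme);
}

// Run both policies over a set of links and report where they disagree.
function compare(urls) {
  return urls.map((url) => ({
    url: JSON.stringify(url),
    scheme: extractScheme(url),
    denylist: denylistAllows(url),
    allowlist: allowlistAllows(url),
  }));
}

// Constructed sample links; "shell:example" is a placeholder, not a real target.
const SAMPLE_URLS = [
  "http://example.com/",
  "mailto:someone@example.com",
  "shell:example",
  " Sh\tELL:example",
  "newproto:anything",
];

for (const row of compare(SAMPLE_URLS)) {
  const verdict = row.denylist === row.allowlist ? "agree" : "DISAGREE";
  console.log(
    `${row.url.padEnd(32)} scheme=${String(row.scheme).padEnd(9)}` +
    ` blacklist=${row.denylist} whitelist=${row.allowlist} ${verdict}`
  );
}
```

The two policies disagree only on schemes that neither list mentions, which is where an unfixed or not-yet-known handler ends up.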

Cloudien
07-14-2004, 07:54 PM
I see FireFox is gaining popularity :) Even "official" sources are recommending it now, I think the fabled "Browser War" might reach its second coming.

It'll be interesting to see what happens. For years I've heard people bleating that MS software is only vulnerable because it's popular. Time to put that to the test.

Aly
07-14-2004, 07:56 PM
I still think in the long run Mozilla browsers will have a better track record than IE has.

Cloudien
07-14-2004, 08:02 PM
Heh that was a fast reply. For reference, I edited the previous post which was a bit too elitist-sounding. See, I just got a Mac so even if FireFox does get more exploits due to popularity I'm still sat safely behind a less popular machine (even though everyone loves to emulate it) on the Safari browser which seems better still. I don't know what to do - advocate Macs because I love them already, or keep them quiet because I don't want them polluted ;)

LauranCoromell
07-14-2004, 08:18 PM
Thank you very much Tiane, Guice and Tudamorf for the help. I had already set it to medium security as it told me that anything over that would keep it from updating and I had added the windowsupdate.microsoft.com site to the trusted sites, it still won't allow me to update though. I did look further and they have a work through which involves deleting some files and then doing the update, I guess I'll have to go that route as soon as I have the time to do it.

I do appreciate you guys always being so helpful. When you don't know much about computers it can be unsettling messing about with them :).

Tudamorf
07-14-2004, 08:54 PM
I had added the windowsupdate.microsoft.com site to the trusted sites, it still won't allow me to update though.
You need to add *.microsoft.com, because the actual URL of windowsupdate is something like v4.windowsupdate.microsoft.com or v5.windowsupdate.microsoft.com, and can change.

guice
07-15-2004, 01:38 AM
I see FireFox is gaining popularity :) Even "official" sources are recommending it now, I think the fabled "Browser War" might reach its second coming.

It'll be interesting to see what happens. For years I've heard people bleating that MS software is only vulnerable because it's popular. Time to put that to the test.
I don't look at it as a Browser War. I don't care if you use Opera, Fx, Mozilla, or Safari. All I care about is people using browsers that are officially W3C compliant. I'm using security just as another reason not to use IE.

I'm a web developer. I despise IE for its false sense of HTML compatibility. Too many newbie users run IE and think that's how a webpage should look and too many corporations too lazy to hire real, good web developers; all not realizing that they are at fault in creating a faulty website. A web page is not supposed to display if you're missing a </head> tag, just like a program is not supposed to run if you're missing a semicolon (; ).

Palarran
07-15-2004, 02:15 AM
A program which can cause an OS to become unstable is as at fault as anything else.
It's the responsibility of the operating system to make sure that a program can only perform operations that it has permission to do. The operating system itself should never be disrupted by a program that is run with standard user privileges. Windows has done a remarkably poor job of this in the past, although it has improved somewhat. (And no other practical operating system that I know of is perfect in this respect either.)

If it's possible for a program without special privileges to make an OS unstable, it's the OS's fault; the OS controls the program, not the other way around.

Tiane
07-15-2004, 02:24 AM
It's not really just the OS's fault... there are things that are just beyond its control. Hence the need for support at the hardware level for a lot of these stability and security related restrictions. I.e. you didn't get real multitasking on an x86 until the 386, and the anti-overflow-exploit NOX type stuff built into the Prescotts (I think, might be Itanium or whatever's after that) and the new AMD (Athlon 64s?) CPUs which XP SP2 will make use of.

The PC is a fragile construction of ill fitting parts! Lots of cracks and holes for things to slip through by its very nature.

Cloudien
07-15-2004, 01:39 PM
I don't look at it as a Browser War. I don't care if you use Opera, Fx, Mozilla, or Safari. All I care about is people using browsers that are officially W3C compliant. I'm using security just as another reason not to use IE.

Aye, don't get me wrong... that's exactly what I believe in, too. What I'm wondering is if we'll see a modern-day repetition of the IE/Netscape thing back in the mid-90s. Back then each "side" introduced new features quite rapidly and it was a great growth period in web browsing because they were in competition. Except in the end, IE turned out a better product and was built into the OS too so it won.

Only this time, FireFox will get a decent market share (I think it's probably still only 5% or something like that), Microsoft will realise IE is under threat, suddenly decide it looks cool to make IE standards compliant, a zillion times more secure and bulletproof, get more of their share back etc etc. Just like if Linux gains significant ground on the desktop they might take a bite out of Apple's book and build a new Windows on top of FreeBSD.

Tudamorf
08-02-2004, 08:59 PM
Mozilla is offering a $500 bounty for each security flaw found in the software: http://news.com.com/Mozilla+puts+bounty+on+bugs/2100-1002_3-5293659.html?tag=nefd.top

Aly
08-03-2004, 09:51 AM
Yeah, Mozilla had a couple security flaws recently. One of them is easily fixed by not allowing Java to resize or remove your status bar.