DANGER!!!! IE flaw worse than originally thought.

[Joeylc]

IE flaw worse than originally thought

By Iain Thomson
15 December 2008 07:06AM
Security

Microsoft has confirmed that it is not just Internet Explorer (IE) 7 that is vulnerable to a new zero day attack, but older versions of the browser too.

IE 5 and 6 have been confirmed as also vulnerable to the flaw which, when properly exploited, can allow a hacker to gain complete control of a vulnerable system.

“At this time, we are aware only of limited attacks that attempt to use this vulnerability against Windows Internet Explorer 7,� said the company in an advisory.

“Our investigation of these attacks so far has verified that they are not successful against customers who have applied the workarounds listed in this advisory. Additionally, there are mitigations that increase the difficulty of exploiting this vulnerability.�

The flaw targets a component in IE7 that handles XML tags. When the page confirms that the user is running a vulnerable browser and operating system, a specially crafted tag is loaded.

“Any security vendor basing their detection rules on the publicly available exploits is not detecting attacks fully,� said Carsten Eiram, chief security specialist at Secunia.

“Users should therefore not just browse around using their IE browser, thinking that they're safe.


Setting the security level to "High" for the "Internet" security zone will somewhat protect you and combined with Microsoft's suggestions related to OLEDB32.DLL you should be able to keep your system to yourself.�



http://en-us.www.mozilla.com/en-US/

[Joeylc]

A security researcher in Israel has found a way to steal information from unwitting users of Google's desktop search tool by exploiting an unpatched flaw in
Microsoft's ubiquitous Internet Explorer.

There is a bug in the way the Web browser processes CSS rules, Matan Gillon wrote in a description of his hack posted on Wednesday. CSS, or Cascading Style Sheets, is a method for setting common styles across multiple Web pages. The Web design technique is widely used on many sites across the Internet.

The proof-of-concept method is an example of how security flaws in software can offer all kinds of access to programs on vulnerable PCs, including to Google Desktop.

"This design flaw in IE allows an attacker to retrieve private user data or execute operations on the user's behalf on remote domains," Gillon wrote in his description of the attack method. He crafted a Web page that--when viewed in IE on a computer with Google Desktop installed--uses the search tool and returns results for the query "password."

To exploit the flaw, an attacker has to lure a victim to a malicious Web page. "Thousands of Web sites can be exploited, and there isn't a simple solution against this attack, at least until IE is fixed," Gillon wrote.

Microsoft is investigating the issue, which it described in a statement as a problem affecting the cross-domain protections in Internet Explorer. "This issue could potentially allow an attacker to access content in a separate Web site, if that Web site is in a specific configuration," Microsoft said in the statement.

Microsoft is not currently aware of malicious code that takes advantage of the flaw, but is monitoring the situation, the company said. A security update or an advisory on the problem may be coming, it said.

Google is also investigating Gillon's findings. "We just learned of this issue and are looking into it," Sonya Boralv, a spokeswoman for the search giant, wrote in an e-mailed statement.

While Gillon in his example uses the IE flaw as a means to get to Google Desktop, this flaw and other software bugs could be used to covertly access virtually any application on a compromised computer.

"It is like any other flaw within IE, but he got creative and used it to launch Google Desktop to retrieve data," security researcher Tom Ferris said. "You can bet we will see this one being used to steal users' Quicken data, database files, etc."

Steve Manzuik, a security product manager at eEye Digital Security, agreed. "This definitely looks like a flaw in IE and not a Google bug. He is using Google Desktop as to retrieve data, but it is IE that makes it possible," he said.

While IE is vulnerable, Gillon found that Firefox and Opera are not. For protection, Internet users could use one of those browsers or disable JavaScript in IE, Gillon suggested.

It has been a busy week on the Microsoft security front. Four examples of attack code were released for flaws in the Windows operating system, and a Trojan horse is finding its way onto PCs through another yet-unpatched flaw in IE.

[Joeylc]

IE users advised to switch over flaw
By Todd Bishop on December 16, 2008 at 9:10 PST

Microsoft is offering an elaborate set of workarounds to help Internet Explorer users avoid attacks on an unpatched flaw that surfaced last week. Security researchers and bloggers are offering a different solution: Stop using IE altogether, at least temporarily.

"Switch to another browser, preferably Firefox. This is by far the best option," writes Richard Wray of the Guardian in a post today.

For all of the efforts Microsoft has made to tighten the security of its software, the situation demonstrates the continued potential for vulnerabilities to affect market share. Internet Explorer's problems with spyware helped Firefox gain traction several years ago.

The latest flaw lets hackers attack computers that visit compromised Web sites. It's especially concerning because it's a "zero-day" vulnerability, already being exploited before a fix is available. Microsoft says it's investigating the situation and will take "appropriate action," which could include issuing a patch out of its normal monthly cycle.

"I would advise Windows users to consider browsing the Web with anything other than Internet Explorer, at least until Microsoft issues a patch to fix this vulnerability," wrote Washington Post security blogger Brian Krebs in a post after the flaw came to light last week. "It is not my intention to over-hype the situation, but as we have seen time and again, attackers are usually very quick to take advantage of flaws in IE because the program is the default browser for close to 80 percent of the planet."

Microsoft, meanwhile, seems to be grappling with precisely how to characterize the severity of the situation.

In a post Saturday on the Microsoft Malware Protection Center blog, Ziv Mador and Tareq Saade initially wrote that they saw "a huge increase in the number of reports today compared to yesterday." That language has since been changed to say that they saw "an increase of over 50% in the number of reports today compared to yesterday."

Watch this Microsoft site for ongoing details and updates on the flaw. http://www.microsoft.com/technet/security/advisory/961051.mspx

[Joeylc]

Microsoft Security Advisory (961051)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Published: December 10, 2008 | Updated: December 15, 2008

Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in Internet Explorer. Our investigation so far has shown that these attacks are only against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008. Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows are potentially vulnerable.

This update to the advisory contains information about a new workaround and a recommendation on the most effective workarounds.

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.

At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7. Our investigation of these attacks so far has verified that they are not successful against customers who have applied the workarounds listed in this advisory. Additionally, there are mitigations that increase the difficulty of exploiting this vulnerability.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we’re actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability. Current trending indicates that there may be attempts to utilize SQL Injection attacks against Web sites to load attack code on those Web sites. If you’re a Web site operation, please review Microsoft Security Advisory (954462), which provides information on tools you can use to analyze your Web site’s code to help protect against SQL Injection attacks.

We are actively investigating the vulnerability that these attacks attempt to exploit. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Microsoft continues to encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home.

Mitigating Factors:
•   

Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista limits the impact of the vulnerability.
•   

By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
•   

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
•   

Currently known attacks cannot exploit this issue automatically through e-mail.


UPDSAMicrosoft Security Advisory (961051)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Published: December 10, 2008 | Updated: December 15, 2008

Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in Internet Explorer. Our investigation so far has shown that these attacks are only against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008. Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows are potentially vulnerable.

This update to the advisory contains information about a new workaround and a recommendation on the most effective workarounds.

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.

At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7. Our investigation of these attacks so far has verified that they are not successful against customers who have applied the workarounds listed in this advisory. Additionally, there are mitigations that increase the difficulty of exploiting this vulnerability.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we’re actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability. Current trending indicates that there may be attempts to utilize SQL Injection attacks against Web sites to load attack code on those Web sites. If you’re a Web site operation, please review Microsoft Security Advisory (954462), which provides information on tools you can use to analyze your Web site’s code to help protect against SQL Injection attacks.

We are actively investigating the vulnerability that these attacks attempt to exploit. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Microsoft continues to encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home.

Mitigating Factors:
•   

Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista limits the impact of the vulnerability.
•   

By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
•   

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
•   

Currently known attacks cannot exploit this issue automatically through e-mail.


UPDATE !!!!!!


•   

December 10, 2008: Advisory published
•   

December 11, 2008: Revised to include Microsoft Internet Explorer 5.01 Service Pack 4, Internet Explorer 6 Service Pack 1, Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 as potentially vulnerable software. Also added more workarounds.
•   

December 12, 2008: Revised to correct operating systems that support Windows Internet Explorer 8 Beta 2. Also added more workarounds and a reference to Microsoft Security Advisory (954462).
•   

December 13, 2008: Revised to add the workaround, Disable XML Island functionality. Also, in a FAQ entry, clarified the list of recommended workarounds and added the blog post URL for recommended workarounds.
•   

December 15, 2008: Updated the workarounds, Disable XML Island functionality and Disable Row Position functionality of OLEDB32.dll.




WIN BLOWS CLOSING STAMENS  WHAT A JOKE 

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. 

[Joeylc]

Internet Explorer VML Exploit Revealed
<a href="http://www.youtube.com/v/hOBGzZwgdks&rel=0" target="_blank">http://www.youtube.com/v/hOBGzZwgdks&rel=0</a>

[Brianzz]

yet another great reason to use firefox

http://www.mozilla.com/en-US/firefox/

[Joeylc]

IF YOU ARE A IE USER DO NOT DOWNLOAD FROM THE SUBMIT A NEW FILE LINK ..... FOR NOW  

WE ARE GETTING A LOT OF BS UPLOADS WITH THIS CODE IN THEM  

THE MAIN FORUM SOFTWARE  REMOVES THE CODE-FILES BUT THE SUBMIT A NEW FILE SOFTWARE DOES NOT

IF YOU ARE USING FIREFOX -- FIREFOX WILL WARN YOU ABOUT A BAD FILE AS IT WILL NOT LET YOU DOWNLOAD IT

WE ARE TRYING TO KEEP UP AND REMOVE THE BS FILES AS THEY COME IN..  

ALL FILES IN THE SUBMIT A NEW FILE LINK AS OF 12-16-08 ARE OK TO DOWNLOAD 


THANKS JOEYLC  

[Joeylc]

IE flaw interview with Jeremy Howard on ABC Breakfast News

<a href="http://www.youtube.com/v/87Bli9E6NGo&rel=0" target="_blank">http://www.youtube.com/v/87Bli9E6NGo&rel=0</a>

[Joeylc]

UPDATE December 16, 2008
Internet Explorer users warned to change browser over security fears.


Microsoft admitted today that a serious flaw in security has left the majority of the world’s internet users exposed to attacks from hackers hoping to steal personal data and passwords.

A loophole in Internet Explorer (IE), the default web browser on most computers, allows criminals to commandeer victims’ PCs by tricking them into visiting unsafe websites.

It is thought that two million computers have already been affected as Microsoft conceded that 1 in 500 internet users may have been exposed.

Computer users are advised by some security experts to switch to an alternative internet browser, such as Firefox or Google Chrome, to avoid the hackers who have so far corrupted an estimated 10,000 websites.

[Joeylc]

Internet Explorer is Unsafe ... Still
Browser bug has yet to be fixed, and is spreading rapidly, reports say.
Brennon Slattery

— December 16, 2008 7:00 pm

A malignant security flaw found in all versions of Microsoft's Internet Explorer browser has yet to be fixed, and the problem is spreading. Microsoft detailed the flaw in a security update blog post six days ago. Since then, the problem has spread across the globe, hitting at least 2 million computers.

Unlike other computer exploits, this one does not require users to click on fishy links or download mysterious software: it plagues computers that simply open an infected Web page.

Internet Explorer is currently used by 69 percent of Web surfers. The flaw hides inside the data binding function of the browser and causes IE to quit unexpectedly and reopen vulnerable to prying eyes.

So far most of the attacks have been geographically centered on China and have been used for the purposes of stealing computer game passwords. But with a flaw as gap-toothed as this, the possibilities of nefarious action could include the massive theft of personal information such as administrative computer passwords and financial data.

Even though there is currently no patch for this problem, Microsoft has offered a variety of workarounds. Most involve disabling or crippling the "oledb32.dll" file. Other methods include setting Internet and local intranet security zones to "high" and configuring Internet Explorer to prompt before running Active Scripting or to disabling Active Scripting.

Though it's always wise to keep your antivirus software updated, it may not protect you in this case, as most antivirus software does not monitor Internet traffic. The easiest way to keep your computer safe is to stop using Internet Explorer. And while other browsers aren't entirely devoid of bugs, they are a better alternative in this case.

Copyright (c) 2008 PC World Communications, Inc.

Copyright © 2008 ABC News Internet Ventures

[Brianzz]

After I read the first posts of these this evening I had a windows update pop up that supposedly fixed a security flaw in my XML. hmmmm.. Doesn't bother me much since I haven't used IE in a good while anyway.

[Joeylc]

After I read the first posts of these this evening I had a windows update pop up that supposedly fixed a security flaw in my XML. hmmmm.. Doesn't bother me much since I haven't used IE in a good while anyway.

this sums it up

<a href="http://www.youtube.com/v/V7WpffIsPV4&rel=0" target="_blank">http://www.youtube.com/v/V7WpffIsPV4&rel=0</a>

[Joeylc]

5 emails so far so here is a how 2 Downloading and Installing Firefox
<a href="http://www.youtube.com/v/3SGq0K2Vssk&rel=0" target="_blank">http://www.youtube.com/v/3SGq0K2Vssk&rel=0</a>

[Joeylc]

Hackers exploit IE bug with 'insidious' Word docs
ActiveX control in Word file downloads malware to unpatched PCs, says McAfee
Gregg Keizer
 


December 18, 2008 (Computerworld) Attackers are exploiting the just-patched vulnerability in Internet Explorer (IE) by hiding malicious ActiveX controls in Microsoft Word documents, a security company said today.

"Inside the document is an ActiveX control, and in that control is a line that makes it call out to the site that's hosting the malware," said David Marcus, director of security research and communications for McAfee Inc.'s Avert Labs. "This is a pretty insidious way to attack people, because it's invisible to the eye, the communication with the site."

Embedding malicious ActiveX controls in Word documents isn't new -- Marcus said he had seen it "a time or two" -- but using an ActiveX control to ping a hacker's server for attack code is "definitely an innovation," he added. "They're stepping it up."

The rogue documents can be delivered as attachments to spam e-mail or offered up by hacked sites.

Attackers have been exploiting the IE bug since at least Dec. 9, when reports first surfaced about malicious code found in the wild and on several Chinese hacker servers. McAfee was one of the first security companies to report the emerging exploit.

Since then, Microsoft Corp. acknowledged the bug, then offered up a series of advisories urging users to take protective steps until a fix was available.

Yesterday, the company released the patch.

Although other researchers continue to claim that thousands of legitimate Web sites have been compromised, then used to serve "drive-by" attacks against unpatched browsers, Marcus wasn't certain about the numbers he's seen bandied about.

"But absolutely, there's been a lot of activity around this," he said. "A lot of the bad guys have embedded IFrames in their sites to attack IE."

According to other reports, the IE exploit has been added to one or more multistrike hacker tool kits that try several different exploits when users visit a compromised or malicious site.

"If it's not in one of those yet, it probably will be," said Marcus. "Some of the exploits in those kits are years old, so a good one like this, unpatched until yesterday, will make its way into them."

Marcus recommended that users be cautious about opening Word documents, keep their security software up to date, and apply the IE patch as soon as possible.

[Joeylc]

Troubleshooting Internet Explorer
by Bill Shein

    "It's hard to determine exactly what causes Internet Explorer to stop responding, but it's usually due to one of the following reasons." — From Microsoft's Windows Error Reporting Web site

Reason One - Did you know that tiny gnomes run the machinery inside your computer? If Internet Explorer has stopped responding, it means the gnomes are on break, sidled up to the bar at the Heat Sink Café, lifting their tiny mugs of gnome ale and singing their cheery gnome songs. They'll return to work shortly. In the meantime, re-start Internet Explorer.

Reason Two - Even non-sentient computer software has limited tolerance for celebrity news sites, page after page of "stuff-on-my-cat" photos, YouTube videos of people being hit in the privates, and hours of scrolling through the world's most mundane blogs. If this describes your online activities, and Internet Explorer has stopped responding, the software is lodging a silent protest against your Web browsing habits. This is a helpful feature of Internet Explorer. You're welcome.

Reason Three - Remember the cup of coffee you spilled on your laptop last month? And how after it dried, your computer worked just fine? And that your IT guy said, "Wow. I've never seen anything like it. It's a miracle." So much of a miracle, in fact, that religious pilgrims flocked to your cubicle, weeping uncontrollably, asking you to touch their foreheads to heal their souls and touch their laptops to make Internet Explorer start responding? Well, the miracle is over. Time for a new laptop with Windows Vista (Service Pack 42). Hope you're not stuck with boxes of unsold "I Touched the Miracle Laptop" T-Shirts.

Reason Four - When Internet Explorer stops responding, for no apparent reason, while you are doing something important — like completing the eighth screen of an eight-screen-long mortgage application — Microsoft Corporation is just reminding you that it is all-knowing, all-powerful, and can crush you at any time. How do you like them apples? (Stop laughing so hard at those "I'm a Mac" ads; we're watching you.)

Reason Five - It hasn't stopped responding. It's just moving very, very slowly. Be patient. Life doesn't have to move so fast all the time, Speed Racer. Why not slow down and enjoy yourself? Get outside. Take a walk. Breathe. Get reacquainted with your spouse and children. No one on their death bed ever said, "I wish I had spent more time using Internet Explorer to watch puppies on a webcam."

Reason Six - It's moody. Hey, who isn't? Have you tried filling the computer's CD tray with antidepressants? (We resolved this moodiness in Internet Explorer 8, now in beta.) If that doesn't work, re-install Windows.

Reason Seven - It's supposed to stop responding, silly. Duh! It's all about expectations. If you don't expect Internet Explorer to work, and then it doesn't work, all will seem right with the world, yes? Take it from the Buddhists: Human suffering results from our irrational attachment to things that aren't even real, in this case to the idea that Internet Explorer should not simply "stop responding." Meditate quietly on this, and then re-start your computer.

Reason Eight - Did you run the diagnostic software included with your Windows installation CD? Did you remember to surround your computer with chicken bones and smear ox blood across the monitor? Ah ha! That's the problem. Be sure to smear the ox blood across your monitor before surrounding your computer with chicken bones. If this fails, collapse into the fetal position and remain there for several hours.

Reason Nine - Remember the tiny gnomes we met back in Reason One? The ones who were raising their even tinier mugs of ale at the Heat Sink Café? Well, they raised a few too many. Turn off your computer and try again tomorrow.

- - - - - - - - - - - - - - - - - - - - 

[rickhunter]

Micro$oft has released a patch to fix this vulnerability.  You can download the specific KB960714, do windows update, or let your system eventually update itself.