0Day + POC: Microsoft Internet Explorer "window()" Code Execution Vulnerability
evilghost
11-21-05, 04:20 PM
For all you Microsoft Windows button-monkeys, enjoy the 0Day + POC remote code execution/full gamut; if you're surfing "teh internets" with IE you deserve to be owned.
http://www.frsirt.com/english/advisories/2005/2509
Ninjaman09
11-21-05, 04:34 PM
Thanks Linux elitist, we appreciate the warning!
Gotta love the elitist/h4XX0r way of thinking - if you leave yourself open, you deserve to get attacked. Do you apply that same line of logic to rape victims I wonder?
Mr. Hunt
11-21-05, 04:38 PM
Thanks Linux elitist, we appreciate the warning!
Gotta love the elitist/h4XX0r way of thinking - if you leave yourself open, you deserve to get attacked. Do you apply that same line of logic to rape victims I wonder?
Of course.
And if you aren't bullet-proof... you deserve to be shot for being such an idiot and not deflecting bullets with your hands... freaking idiot.
Zelda_fan
11-21-05, 06:34 PM
yawn, I use firefox.
evilghost
11-21-05, 06:45 PM
http://isc.sans.org (SANS) has escalated the Infocon to condition yellow. POC has already evolved to include a listening shell, we'll probably see a connect-back shell before too much longer.
I work for a fortune 500 company, the scope of this impact is significantly more far-reaching than a desktop computer, and there is nothing more fun than being put into reactionary-mode over the holiday week.
The current condition of the IE security model is pathetic at best, even die-hard Microsoft Certified Spoonfed Drones (MCSD's) agree. If anything Microsoft should be blamed for empowering those who have little or no desire to learn basic security practices. These are the same people who are opening embedded executables into zip files. If Honda developed a car whose key/security system could be easily bypassed with something as simplistic as a screwdriver wouldn't you be angry? Doesn't the same situation apply? Hasn't Microsoft in the past, and currently through the implementation of ActiveX, IE specific DHTML, and user-agent detection code to force IE created a monopolistic situation forcing you to use a known insecure browser?
No, I view rape as a serious crime and believe people who commit it should be executed. This is nothing like rape, nor like deflection of bullets with hands (that analogy is as stupid as the fool who posted it). A better analogy would be giving someone a nice new car, capable of great speed, and providing them with zero training, a gratuitous message saying 'Wear your seatbelt (what's a seat-belt?), and be careful' only to have them drive head-on into oncoming traffic destroying other cars in the process.
Sadly enough I'm paid to support, manage, develop, and secure Win32 applications and environments. I'm not in a race to patch my Linux machines (amazing), nor am I having to:
* Constantly combat spyware
* Prepare for the next Sober variant
* Play the Microsoft piss-poor WGA game
* Block out every second Tuesday in the month to play the patch game.
* Participate in an obfuscated licensing scheme
* Deal with gross insecurities and bugs
* Constantly hear propaganda on how Windows "plays better", "beats Linux", or "Outperforms Linux" (via studies endorsed by Microsoft).
* Be strong-armed into upgrading as a result of an "End-of-life" policy.
* Being told I am a communist for supporting the Open Source Movement.
* Being led to believe that a handful of mediocre programmers collecting a paycheck are better than an entire community united under a single goal.
Being qualified, certified MCSE/MCSD (worthless), and knowledgeable on both Operating Systems I believe allows me to create a true, qualified opinion. Can you say the same for yourself? (Sadly, I am not 'touting my e-penis', however, I'm sure I'll be called out for making such statements)
Would I be considered a Microsoft elitist if I posted insecurity issues in libxml, php-rpc, or openssl issues for Linux? :rolleyes:
Regardless of what you think, please at least take the steps to mitigate the vulnerability so I don't have to filter/sift through the spam your machine will spew across to MTAs.
Zelda_fan
11-21-05, 06:48 PM
Being qualified, certified (worthless), and knowledgeable on both Operating Systems I believe allows me to create a true, qualified opinion. Can you say the same for yourself?
I am an ex-IT worker, and I used to do the same job that you do now. We ran Linux servers, Windows servers, and Windows workstations. My opinion is that Windows is a better OS than Linux. I have my reasons. I found that as long as you can keep the desktop computers patched (which is very easy to do remotely with Windows Server 2003) security isn't a problem.
saturnotaku
11-21-05, 06:48 PM
Maybe you could tone down the attitude a bit, though I'm sure that will prove extraordinarily difficult for someone of your supreme holy prowess
evilghost
11-21-05, 07:12 PM
I am an ex-IT worker, and I used to do the same job that you do now. We ran Linux servers, Windows servers, and Windows workstations. My opinion is that Windows is a better OS than Linux. I have my reasons. I found that as long as you can keep the desktop computers patched (which is very easy to do remotely with Windows Server 2003) security isn't a problem.
Fair enough, but let me ask how do you apply a security patch for an exploit where POC currently exists, wide-scale exploitation is imminent, a patch is not available, and Microsoft has not officially acknowledged the exploit? ;)
I fully anticipate saturnotaku to have a chip on his shoulder for anything I post contrary to his divine opinion because when I was a new member here he rather forcefully called out a user only to himself be owned (and I enjoyed receiving several threats from his fanbois indicating that I would soon be banned); at which time I was labeled as a Linux zealot. :rolleyes:
http://www.nvnews.net/vbulletin/showpost.php?p=676402&postcount=12
Zelda_fan
11-21-05, 07:17 PM
Fair enough, but let me ask how do you apply a security patch for an exploit where POC currently exists, wide-scale exploitation is imminent, a patch is not available, and Microsoft has not officially acknowledged the exploit? ;)
In every security situation I have ever encountered (it may be different today, as I got out of IT about a year ago), Microsoft has a patch out months before the exploit finally hits the network. Then it is simple - just use Windows 2003 Server to push a patch to every computer in the network and problem solved.
If a patch *isn't* available (never happened), I would most likely see if a certain firewall configuration would fix the problem. A lot of times, if you just filter your incoming internet connections, you can prevent most attacks that way.
evilghost
11-21-05, 07:21 PM
In every security situation I have ever encountered (it may be different today, as I got out of IT about a year ago), Microsoft has a patch out months before the exploit finally hits the network. Then it is simple - just use Windows 2003 Server to push a patch to every computer in the network and problem solved.
If a patch *isn't* available (never happened), I would most likely see if a certain firewall configuration would fix the problem. A lot of times, if you just filter your incoming internet connections, you can prevent most attacks that way.
In this case, the only way to mitigate the issue is to disable Active Scripting (JavaScript, VBScript). What do you mean "Get 2003 to push the patch", are you talking about SMS, SUS, WUS? It isn't as simple as you state and since this exploit is 0Day, Microsoft has not had the chance to sit on the patch like they normally do until Black Tuesday rolls around. While I agree that Windows 2003 is a significant improvement over the previous products I don't believe it's the patching panacea you tout it to be :)
Firewalling is great, but in this case, if you're only doing ingress filtering and not egress filtering you're going to get owned via the connect-back shell. Assuming you're doing both ingress/egress filtering then what about the POC variants that do not want to own boxes but instead proliferate malware, install spyware, or become a participant in the ever-increasing IRC botnets to be used for spam/DDoS attacks.
I don't know where you are getting your "never happened" with respect to patch availability but there have been several instances where irresponsible disclosure resulted in exploitation before a patch was available. Unless you're behind in the current security scene and get your information from ZDNet, ABC News, or Slashdot you'll find more often than not POC or public knowledge of the exploit precedes the patch.
Evilghost, it's not being right or wrong about anything. It's nothing with Saturn, either. It just seems like every post you make is filled with anger. You seem to always be talking about something...unpleasant. Killing, executing...I don't know, man. It just seems harsh a lot of times. I'm not sure if you mean it that way or not, but I just thought I'd let you know!
On topic, kinda...
Linux will be less secure in time. As its popularity grows, so will those trying to rip it apart piece by piece. There were already some talk about x y and z exploits in Linux last week.
Windows is secure enough if you just use Deep Freeze and have limited user accounts! That's not asking for much, is it!? :D
IE is a piece of crap...but you don't HAVE to use it. You don't have to use explorer at all. Use another shell (enjoy the compatibility issues). We all know that 95% of computer problems aren't even because of issues from Redmond- that 95% is found between the keyboard and the chair.
Zelda_fan
11-21-05, 07:25 PM
I forget what the technology is called, but there is a thing in Windows Server 2003 that allows you to send and install a patch to any machine that logs into the domain. You can also create a script that disables active scripting and send and run that on any machine that logs into the domain.
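The per-user script the post describes, written out as an added example (it is not code from the thread or from Microsoft). It assumes the documented Internet Explorer zone registry layout: each security zone is a key under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones (3 = Internet, 4 = Restricted sites), the value named "1400" controls Active Scripting, and its DWORD data is 0 = Enable, 1 = Prompt, 3 = Disable. Run as a domain logon script it applies to whichever user logs in; the previous value is reported so the change can be reverted once a patch ships.

```powershell
# Added example, not from the thread: disable Active Scripting (JavaScript,
# VBScript) in the IE Internet and Restricted sites zones for the current user.
# Assumed registry layout (documented by Microsoft): per-zone key under
# ...\Internet Settings\Zones\<n>; value "1400" = Active scripting;
# 0 = Enable, 1 = Prompt, 3 = Disable.

$ZonesKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveScripting = '1400'
$Disable         = 3

function Set-ActiveScripting {
    param(
        [int[]] $Zones = @(3, 4),   # 3 = Internet, 4 = Restricted sites
        [int]   $Value = $Disable
    )
    foreach ($zone in $Zones) {
        $key = Join-Path $ZonesKey $zone
        if (-not (Test-Path $key)) {
            # A zone key is normally present; create it only if a profile lacks it.
            New-Item -Path $key -Force | Out-Null
        }
        # Record the previous setting so the workaround can be rolled back later.
        $before = (Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting
        Set-ItemProperty -Path $key -Name $ActiveScripting -Value $Value -Type DWord
        [pscustomobject]@{ Zone = $zone; Before = $before; After = $Value }
    }
}

function Test-ActiveScriptingDisabled {
    # Returns $true only if every requested zone has Active Scripting set to Disable.
    param([int[]] $Zones = @(3, 4))
    foreach ($zone in $Zones) {
        $key = Join-Path $ZonesKey $zone
        $current = (Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting
        if ($current -ne $Disable) { return $false }
    }
    return $true
}

Set-ActiveScripting | Format-Table -AutoSize
if (Test-ActiveScriptingDisabled) {
    'Active Scripting disabled in the Internet and Restricted sites zones.'
} else {
    'Active Scripting is still enabled in at least one zone.'
    exit 1
}
```

The script writes HKCU, so it must run in the user's own context (a user logon script, not a machine startup script); a user can re-enable scripting from the Internet Options dialog unless the setting is also enforced through policy, which is why the check function is worth re-running at each logon rather than trusting a one-time push.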
-=Gib-McFragger=-
11-21-05, 07:26 PM
First of all, what the hell is this doing in Open Forum? :wtf:
Secondly. It's wonderful that you like LinSUX so much, but there are *gasp* more than one users of that OTHER OS called Windows - in one or more of its forms - who have NEVER had a problem with exploits because we keep the OS up to date.
I love how if you have an IT related degree, it automatically makes you right. :rolleyes:
evilghost
11-21-05, 07:31 PM
Evilghost, it's not being right or wrong about anything. It's nothing with Saturn, either. It just seems like every post you make is filled with anger. You seem to always be talking about something...unpleasant. Killing, executing...I don't know, man. It just seems harsh a lot of times. I'm not sure if you mean it that way or not, but I just thought I'd let you know!
On topic, kinda...
Linux will be less secure in time. As its popularity grows, so will those trying to rip it apart piece by piece. There were already some talk about x y and z exploits in Linux last week.
Windows is secure enough if you just use Deep Freeze and have limited user accounts! That's not asking for much, is it!? :D
IE is a piece of crap...but you don't HAVE to use it. You don't have to use explorer at all. Use another shell (enjoy the compatibility issues). We all know that 95% of computer problems aren't even because of issues from Redmond- that 95% is found between the keyboard and the chair.
Yeah, you're right, when I make the posts I'm not really angry or wound that tight, I guess it's about word-choice and sentence construct. I jokingly use words like execute, kill, maim, etc but don't mean them literally. I do so with a smile; except for that thread about the elite coffee shops banning children and the response from that one guy; that did piss me off but I'm not the powder-keg of angst and hate some of my posts may indicate, nor am I going to go around punching people in the face because their opinion differs from mine.
I do like to get a rise out of people at times, for amusement. Perhaps I subconsciously manifest that in my posts? ;)
evilghost
11-21-05, 07:33 PM
First of all, what the hell is this doing in Open Forum? :wtf:
Secondly. It's wonderful that you like LinSUX so much, but there are *gasp* more than one users of that OTHER OS called Windows - in one or more of its forms - who have NEVER had a problem with exploits because we keep the OS up to date.
I love how if you have an IT related degree, it automatically makes you right. :rolleyes:
You're right, go hit Windows Update and apply the patch; oh that's right, it's not there. :rolleyes:
I don't have an IT Degree (didn't realize those exist?), in actuality I never completed my EE(CEO) degree in college, I'm sans-degree. :)
Zelda_fan
11-21-05, 07:35 PM
In this case, the only way to mitigate the issue is to disable Active Scripting (JavaScript, VBScript). What do you mean "Get 2003 to push the patch", are you talking about SMS, SUS, WUS? It isn't as simple as you state and since this exploit is 0Day, Microsoft has not had the chance to sit on the patch like they normally do until Black Tuesday rolls around. While I agree that Windows 2003 is a significant improvement over the previous products I don't believe it's the patching panacea you tout it to be :)
Firewalling is great, but in this case, if you're only doing ingress filtering and not egress filtering you're going to get owned via the connect-back shell. Assuming you're doing both ingress/egress filtering then what about the POC variants that do not want to own boxes but instead proliferate malware, install spyware, or become a participant in the ever-increasing IRC botnets to be used for spam/DDoS attacks.
I don't know where you are getting your "never happened" with respect to patch availability but there have been several instances where irresponsible disclosure resulted in exploitation before a patch was available. Unless you're behind in the current security scene and get your information from ZDNet, ABC News, or Slashdot you'll find more often than not POC or public knowledge of the exploit precedes the patch.
You are making the problem WAY more complicated than it really is. Most likely, that exploit is never going to touch your network. From the problem description, the only time the exploit happens is when a user actually visits a website with the exploit code in the HTML. So they are only going to get it if they visit websites they shouldn't be visiting. Just send out an email to everyone in the company telling them not to surf the internet (something they shouldn't be doing anyway) until a patch is out.
-=Gib-McFragger=-
11-21-05, 08:06 PM
You're right, go hit Windows Update and apply the patch; oh that's right, it's not there. :rolleyes:
I don't have an IT Degree (didn't realize those exist?), in actuality I never completed my EE(CEO) degree in college, I'm sans-degree. :)
IT RELATED degree. Don't be anal, you know what I meant. :p
Either way, if roles were reversed and Linux was as widely used as Windows is now, I think it would be under constant attack by hackers and I think we would be slagging Linux and saying how great Windows is because its holes rarely get exploited. ;)
evilghost
11-21-05, 08:13 PM
Possibly, but there are huge differences in the security model as well as the issues with the Windows Messaging Subsystem. hWND manipulation is pretty serious. :)
Anyway, I think I beat my point to death so now I'm done. ;)
Off Topic:
-=Gib-McFragger=-, you need to go register over at http://www.glocktalk.com it's a huge firearm forum with tons of slick subforums.
For all you Microsoft Windows button-monkeys, enjoy the 0Day + POC remote code execution/full gamut; if you're surfing "teh internets" with IE you deserve to be owned.
http://www.frsirt.com/english/advisories/2005/2509
:wtf:
IT RELATED degree. Don't be anal, you know what I meant. :p
Either way, if roles were reversed and Linux was as widely used as Windows is now, I think it would be under constant attack by hackers and I think we would be slagging Linux and saying how great Windows is because its holes rarely get exploited. ;)
QFT, don't get me wrong, I've used Slackware, and loved it. I plan on going back sometime soon, or at least dual booting.
This exploit just looks like another buffer overflow. Why isn't Microsoft checking for stuff like this now? Oh yeah, they are too busy on products like "Microsoft AntiSpyware", creating the illusion of security is more cost effective than all the effort it takes to go through all their code and look for missing bounds checking.
evilghost
11-21-05, 08:55 PM
$20 says IE7 is affected as well.
Isn't IE7 written in managed code?
-=Gib-McFragger=-
11-22-05, 02:19 AM
Off Topic:
-=Gib-McFragger=-, you need to go register over at http://www.glocktalk.com it's a huge firearm forum with tons of slick subforums.
"MasterofPuppets"
Been there, done that. ;)
evilghost
11-22-05, 08:29 AM
Microsoft has officially acknowledged the problem, no patch yet.
http://www.microsoft.com/technet/security/advisory/911302.mspx
Ancient
11-22-05, 02:17 PM
Fair enough, but let me ask how do you apply a security patch for an exploit where POC currently exists, wide-scale exploitation is imminent, a patch is not available, and Microsoft has not officially acknowledged the exploit? ;)
The people who don't keep their systems patched and don't understand about security settings wouldn't be any better off using Linux or Firefox, which has had its own vulnerabilities. They'd just be morons using Linux or Firefox instead, if they could actually manage to get Linux running and properly configured. But blaming MS for enabling those people seems kind of moronic itself. Some people can't drive worth a crap either. Should we blame Ford, GM, or Honda for making cars too easy to drive? Should we blame gun manufacturers because they make guns too easy to shoot? I mean, geez, all people have to do is pull a little trigger and they can be murderers. Obviously gun manufacturers are enabling them.
Target the blame where it belongs. The responsibility rests solely on the shoulder of the users, not the company making the product.