I had to catch up with this group, so deleted all posts since
12/12/09 - just to say Ha Ha Ha to the people still using I.E.
Maybe you'll take a hint now.
I've run I.E. so little, it actually worries me when it pops up.
I'll copy the link, and close I.E..
While the above link is short on info, read the comments and the links.
From the first link:
"The vulnerability exists due to content being forced to render
incorrectly from local files in such a way that information can be
exposed to malicious websites."
In other words Microsoft was in such a hurry to provide a browser to
compete with Netscape that they took short cuts and didn't follow
agreed upon protocols.
This is well known, and the basis of almost
all of I.E.'s problems (ignoring ActiveX).
It's been biting I.E. users ever since; the link also claims it's
worse on XP.
I don't know if this subject has been mentioned, as everybody
is just so sick and tired of I.E. exploits they are tired of reading
of them - I figured it was a good chance it hadn't.
Microsoft's reply:
http://www.microsoft.com/technet/security/advisory/980088.mspx
Which mainly addresses Windows Vista, Windows Server 2008, and
Windows 7, ignoring Win2000 and XP.
Microsoft's reply does recommend using another browser:
"Suggested Actions
...
Protect Your PC"
--
http://tinyurl.com/ykop8v5 or
http://sixrevisions.com/resources/15-biggest-internet-controversies-of-the-past-decade/
> This has been going on for a long time.
> http://tinyurl.com/ych4xy6
>
> I had to catch up with this group, so deleted all posts since
> 12/12/09 - just to say Ha Ha Ha to the people still using I.E.
>
> Maybe you'll take a hint now.
>
Ya know, this kind of scare has been around for over 10 years.
Every couple of years someone brings up this damn thing.
Makes no difference which version of IE it is. 3 through 8, same thing.
When Firefox came out, I tried it, liked it and immediately ditched IE. I
only use IE to check various web pages I create. Rarely online.
I've always run firewalls. Especially after I got hit good once.
I now currently run, and highly recommend, Comodo. Comodo will show you what
connections you currently have, their IP, and even to what port they're
going. You can find out online who might be using that IP and figure out
why they're connected to you.
Pay attention to your machine. When you suddenly hear it working hard, the
busy light comes on, and you're online? Kill the connection and see what
happens. If it happens again while you're online and not doing anything,
you damn well better find out why the machine is active. You just might
have a virus. And who is to blame for that? You are.
> I used to keep IE around just for updates when I was still using XP.
> With Win-7, you now have the option to totally uninstall it. Windows
> updates can now be done from a control panel utility without the aid of
> IE at all.
Oh so now they finally give you that choice once again?
Since like about IE 4 or 5 M$ claimed you couldn't do it because IE was an
integral part of the OS. While in fact, it could be done, and those that did
it found the machine ran better.
So ok like they give it to you. You don't have to use it.
Like when instant messenger insisted on being active when I didn't want it.
So I just renamed the folder and no more IM.
> On Fri, 5 Feb 2010 01:09:49 -0700, richard <mem...@newsguy.com> wrote:
>
>>So ok like they give it to you. You don't have to use it. Like when
>>instant messenger insisted on being active when I didn't want it. So I
>>just renamed the folder and no more IM.
>
> Sure. Makes more sense than disabling it from startup in the registry.
Or even as much sense as going into 'Options' and un-ticking the box that
says 'Start Messenger when Windows starts'.
--
Algy met a bear
The bear was bulgy
The bulge was Algy
All it takes for FF to be made vulnerable is a malware infected add-on
(extension) to show up in their catalog. Apparently you haven't bothered
looking at the Bugzilla database for FF, either.
When using TinyURL redirects, include the "preview" hostname so users can
see to where you want to lead them BEFORE they visit the target site, as in:
http://preview.tinyurl.com/ych4xy6
Another article on the vulnerability is at:
http://arstechnica.com/microsoft/news/2010/02/microsoft-warns-of-ie-flaw-affecting-windows-xp-users.ars
The advisory article to which you linked is made better available to users
by visiting http://support.microsoft.com/kb/980088 which includes a FixIt
.msi program to make the registry changes (rather than having to do manual
registry edits in the article you mentioned). It enables/disables the
Network Protocol Lockdown policy under Windows XP (this vulnerability is
void on Vista if UAC is enabled so Protected Mode is available in IE8).
These are registry changes. They affect the behavior of a process rather than
adding to it, so this lockdown has been available for quite some time and yet
Microsoft has not revealed it until now. It addresses the file: and shell:
protocols, which should not be set to Enabled by default in the Internet
security zone. Disabling them would probably be too much of a nuisance, but the
Prompt setting is most appropriate since few sites should use these
protocols (Enable should be reserved for these protocols in the My Computer
security zone).
The Network Protocol Lockdown policy was available long before this
vulnerability got "announced" sometime later (with usable code exhibited at
a conference). Go into the group policy editor (gpedit.msc) under
"Computer Configuration -> Administrative Templates -> Windows Components ->
Internet Explorer -> Security Features -> Network Protocol Lockdown". This
lets you specify which protocols, like file:, shell:, hcp:, etc., you want to
lock down (and require a prompt to allow). Alas, it doesn't let you select
from the protocols and instead you have to specify them, plus many users
never visit the security policies on their hosts. Even on a clean install
of Windows XP Pro + SP-3 but with IE7, this policy existed. It appears to
have shown up in Windows XP SP-2 (August 2004) and Windows Server 2003 SP-1
(August 2005). It wasn't until now that it suddenly got a lot of attention.
There was some mention of it at http://preview.tinyurl.com/mr5mk2 back in
June 2009. It apparently was an attempt to put into Windows XP some of the
protection afforded by UAC and IE8's Protected Mode under Vista. So the
policy has been around for about 4-1/2 years but hasn't received much
attention until now. According to the help included for this policy
setting, it has been available since IE6. It's like someone bitching about
not having a tire jack until they need it and then you show that it was
there all along and they just had to open the cover to find it.
Just how do you think Microsoft could have tossed out the Network Protocol
Lockdown solution if it already wasn't an existing feature of IE6/7/8? They
just made a simpler means of implementing the policy that's been around for
years. Oh, yeah, that problem, sure we have an instant solution, POOF, here
it is, uh huh. They just made easier what was already available. In fact,
their 4-year solution seems to have been awaiting an impetus to
implement it and, voila, here it is. Running the web browser under a LUA
account or LUA token has been known for even longer.
It further exposes the continuing security problem that users themselves
purposely thwart the security already included in Windows by running
Internet-facing applications under an admin-level account. It has been
recommended for ages that users should be logging in under a limited account
and reserve the admin-level account for admin tasks (and NOT use the
Administrator account except in emergencies and instead use an alternate
admin-level account to perform normal admin tasks). Because many users
refuse to use a limited user account (LUA) or are too stupid to understand
the consequences while many simply use the default install-time setup of
Windows and never bother to perform any account maintenance thereafter, they
run under admin privileges which includes the same privileges given to their
user-mode processes, like web browsers, instant messengers, and e-mail
clients. Yet the users that demand they need to run under an admin-level
account could still run these Internet-facing processes under a LUA token to
reduce their privileges. DropMyRights, SysInternals psexec, and OnlineArmor
(firewall+HIPS) are but a few examples (and all free) of how users could run
their Internet-facing processes under a LUA token. Hell, they could even
use Fast User Switching to instantly switch between their admin and LUA
accounts rather than complain about having to logout of their LUA account to
do admin tasks.
I always ran my Internet-facing applications under a LUA token. This has
mitigated many infection vectors into my host. Until now, I wasn't really
interested in throttling the file: and shell: protocols. I've enabled those
restrictions and will have to see if and when a site wants to use them
(whereupon I should get the yellow infobar to prompt me to allow or block).
So I don't know how many sites I have visited in the past that wanted to use
those protocols; however, they couldn't do much under the restricted set of
privileges given to my Internet-facing apps. I went to all of the 792 sites
in my Favorites hierarchy and a few others today and have yet to hit a site
that generated a prompt telling me that the site wants to use file: or
shell: protocols.
"In other words microsoft was in such a hurry to provide a browser to
compete with Netscape that they took short cuts and didn't follow
agreed upon protocols."
Penny makes a conjecture to qualify and soothe her ego regarding her
personal choice of web browser. Oh, please Penny do show us in the RFCs
that define these protocols as to where are the code examples that
explicitly mandate just exactly how these protocols are actually implemented
within actual applications.
"The microsoft's reply does recommend using another browser"
Oh, please do show Penny just where Microsoft has made this statement.
I still use IE but when I need to check for compatibility amongst different
web browsers for web page code I used to use FF. Although far less
configurable (and a real detriment to its full-time use), Chrome is much
faster so I use that now. I don't consider either FF or Chrome to be an
invincible web browser, just smaller targets. Crashing planes into a
residential neighborhood and killing maybe a couple dozen folks would have
never spawned the impetus needed for dismantling the Constitution via the
Patriot and Victory acts as did crashing into the twin towers. Pick targets
where you can do the most damage. The infected extensions to Firefox didn't
receive anywhere near this much attention. Now with Chrome v4 adding
extension support for 3rd party code, there goes its security in addition to
the critical vulnerabilities it already had in prior versions. They all
suck.
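An added audit script for the lockdown described above (not from the thread, the advisory, or Microsoft's FixIt): it reads IE's FEATURE_PROTOCOL_LOCKDOWN feature-control key and the per-zone RestrictedProtocols keys, in both the group-policy and the non-policy registry locations, and reports whether file: and shell: are locked down for the Internet (3) and Restricted Sites (4) zones. The exact values that the FixIt writes are an assumption here, as is the Set-ProtocolLockdown helper that mirrors the manual edit.

```powershell
# Added example (not from the thread or Microsoft's FixIt): audit, and with
# -Apply set, write, the Network Protocol Lockdown settings discussed above.
# The key names are IE's documented feature-control locations; the exact
# values the FixIt writes are assumed here, not copied from the advisory.
param(
    [switch]$Apply,                          # write the policy values, then audit
    [string[]]$Protocols = @('file', 'shell'),
    [int[]]$Zones = @(3, 4)                  # 3 = Internet, 4 = Restricted Sites
)

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft'   # group-policy location
$LocalRoot  = 'HKLM:\SOFTWARE\Microsoft'            # per-machine, non-policy location

function Get-LockdownState {
    param([string]$Root)
    $feature = Join-Path $Root 'Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN'
    $state = @{ Root = $Root; IEEnabled = $false; Zones = @{} }
    if (Test-Path $feature) {
        $props = Get-ItemProperty -Path $feature
        # DWORD 1 turns the feature on for that process image; '*' covers all images
        $state.IEEnabled = ($props.'iexplore.exe' -eq 1) -or ($props.'*' -eq 1)
    }
    foreach ($zone in $Zones) {
        $zoneKey = Join-Path $Root "Windows\CurrentVersion\Internet Settings\RestrictedProtocols\$zone"
        $restricted = @()
        if (Test-Path $zoneKey) {
            # each locked-down scheme is a REG_SZ whose name (and data) is the scheme
            $restricted = @((Get-Item -Path $zoneKey).GetValueNames() | Where-Object { $_ -ne '' })
        }
        $state.Zones[$zone] = $restricted
    }
    return $state
}

function Set-ProtocolLockdown {
    # Mirrors the manual edit the advisory describes (assumed values): policy
    # location, lockdown on for iexplore.exe, each protocol restricted per zone.
    $feature = Join-Path $PolicyRoot 'Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN'
    New-Item -Path $feature -Force | Out-Null
    New-ItemProperty -Path $feature -Name 'iexplore.exe' -PropertyType DWord -Value 1 -Force | Out-Null
    foreach ($zone in $Zones) {
        $zoneKey = Join-Path $PolicyRoot "Windows\CurrentVersion\Internet Settings\RestrictedProtocols\$zone"
        New-Item -Path $zoneKey -Force | Out-Null
        foreach ($p in $Protocols) {
            New-ItemProperty -Path $zoneKey -Name $p -PropertyType String -Value $p -Force | Out-Null
        }
    }
}

if ($Apply) { Set-ProtocolLockdown }   # needs an elevated shell

foreach ($root in @($PolicyRoot, $LocalRoot)) {
    $s = Get-LockdownState -Root $root
    Write-Output ("{0}: lockdown enabled for iexplore.exe = {1}" -f $s.Root, $s.IEEnabled)
    foreach ($zone in $Zones) {
        $missing = @($Protocols | Where-Object { $s.Zones[$zone] -notcontains $_ })
        $verdict = if ($missing.Count -gt 0) { 'MISSING: ' + ($missing -join ', ') } else { 'ok' }
        Write-Output ("  zone {0}: restricted = [{1}] {2}" -f $zone, ($s.Zones[$zone] -join ', '), $verdict)
    }
}
```

A zone reported as "ok" only matters if the feature is also enabled for the browser's process image; a restricted-protocol list with the feature off produces no prompt.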
>Penn...@DerryMaine.Gov wrote:
>
>> This has been going on for a long time.
>> http://tinyurl.com/ych4xy6
>>
>> The microsoft's reply does recommend using another browser:
>>
>> "Suggested Actions
>> �
>> Protect Your PC"
>
>All it takes for FF to be made vulnerable is a malware infected add-on
>(extension) to show up in their catalog. Apparently you haven't bothered
>looking at the Bugzilla database for FF, either.
If I cared what was up with Firefox. I don't use it. Well it's a
secondary browser, that I don't think I've ever even downloaded an add
on for.
>When using TinyURL redirects, include the "preview" hostname so users can
>see to where you want to lead them BEFORE they visit the target site, as in:
>
>http://preview.tinyurl.com/ych4xy6
I could preview your links from a site that would be malware of my
choice, and you'd be none the wiser. I'd post the site - but this site
never allowed linking past the home page before.
Due to your post, and my keen observation skills, I did post an e-mail
to the admin:
"Love your site ... And it's appreciated to me in that respect.
Previously one couldn't link past the front page, Now I can link
directly to the malware of my choice.
(link to hoax malware removed here)
I do hope this is an error. If it's intentional, it goes against
everything your board stands for, and I would think legal terms would
begin to surface.
Thanks for the malware :)"
>Another article on the vulnerability is at:
>
>http://arstechnica.com/microsoft/news/2010/02/microsoft-warns-of-ie-flaw-affecting-windows-xp-users.ars
Look, I don't use I.E., and don't care what's been fixed, what's being
promised, or what's planned for the future.
I hear tabs finally made it.
>"In other words microsoft was in such a hurry to provide a browser to
>compete with Netscape that they took short cuts and didn't follow
>agreed upon protocols."
>Penny makes a conjecture to qualify and soothe her ego regarding her
>personal choice of web browser. Oh, please Penny do show us in the RFCs
>that define these protocols as to where are the code examples that
>explicitly mandate just exactly how these protocols are actually implemented
>within actual applications.
See, folks hate to hear the horrors of using I.E.
When I first installed Win95 I opened I.E. and it took me to
microsoft.com, no big deal; I'd been on the net for many years prior
to Win95. I went to the games, found one that looked interesting and
pressed to download it.
Download to me, meant I was sent the file which I could uncompress,
then check the files to see if it was something I wanted on my
computer. A check would have been: unpack the files if needed, a virus
check, and a string check with Qedit, plus the size of the files
would play into it, as if it were too small it wouldn't be worth
installing as they'd most likely just take up space.
Understand, I was very much virus aware, subscribed to a few groups,
plus a newsletter
"RISKS-LIST: Risks-Forum Digest Monday 29 May 2000 Volume 20 : Issue
89 (comp.risks)"
Download to Microsoft meant to install it on my computer. When I
realized what was happening I unplugged the computer (overkill, but
the way I was, I was still in the DOS era).
Figured this was due to ActiveX, blocked this scheme of theirs,
downloaded Netscape, which was my browser for years.
Access rights? Hell, I was just playing around with an NT CD demo and
clicked on install in the clients/Win98 area and it installed a legit
version of Win98. I had no clue what access I had at the time
(admin).
Was also the time I found one could dual boot.
>"In other words microsoft was in such a hurry to provide a browser to
>compete with Netscape that they took short cuts and didn't follow
>agreed upon protocols."
>Penny makes a conjecture to qualify and soothe her ego regarding her
>personal choice of web browser. Oh, please Penny do show us in the RFCs
>that define these protocols as to where are the code examples that
>explicitly mandate just exactly how these protocols are actually implemented
>within actual applications.
You've lived in a cave much too long if you weren't aware of the slop
job MS did to get I.E. on the market.
An RFC is sent out for comments, when it's done to everybody's
satisfaction it becomes a suggestion that's best followed if one
wishes to be within standards. But it's not required.
Anybody can write an RFC, which if adopted might be followed (IRC):
http://en.wikipedia.org/wiki/Internet_Relay_Chat
"the new features in the irc2.10 implementation led to the publication
of several revised protocol documents (RFC 2810, RFC 2811, RFC 2812
and RFC 2813); however, these protocol changes have not been widely
adopted among other implementation"
Another way to go is to group together for the greater good, like
"Open Web Education Alliance Incubator Group Charter"
http://www.w3.org/2005/Incubator/owea/charter-20090617.html
You know this group through the acid test.
A test MS has never done very well at, I have heard they scored 80/100
on the latest test, that's damn good for MS.
But you need everybody to participate to come up with sound standards
that will meet the needs of the future.
Microsoft will stick to the RFC's if it meets their needs, while this
group tries for conformity and a willingness to work together for a
goal of not changing a protocol/standard because it works in this
situation, but a solution that works in all situations.
Microsoft will never be part of this group, I've read the charter,
"Participants agree to offer patent licenses according to the W3C
Royalty-Free licensing requirements described in Section 5 of the W3C
Patent Policy"
I did try the preview, something about cookies being enabled (they
are) but here's the link http://tinyurl.com/aqkjh
Here's the address:
http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220050156873%22.PGNR.&OS=DN/20050156873&RS=DN/20050156873
That looks harmless to me. It's got .gov in the title.
Actually it's Microsoft's patent for smilies, that they would have to
forgo in order to become a member of the "Open Web Education Alliance
Incubator Group Charter"
--
>>Penn...@DerryMaine.Gov wrote:
Quoted the same thing twice, makes no difference, it stays.
--
> VanguardLH wrote:
>
>> All it takes for FF to be made vulnerable is a malware infected add-on
>> (extension) to show up in their catalog. Apparently you haven't
>> bothered looking at the Bugzilla database for FF, either.
>
> If I cared what was up with FireFox. I don't use it. Well it's a
> secondary browser, that I don't think I've ever even downloaded an add
> on for.
So only your undisclosed web browser was invented with invincible code and
has had no update code applied other than for added features. Uh huh.
>>When using TinyURL redirects, include the "preview" hostname so users can
>>see to where you want to lead them BEFORE they visit the target site, as in:
>>
>>http://preview.tinyurl.com/ych4xy6
>
> I could preview you links from a site that would be malware of my
> choice, and you'd be none the wiser.
Please don't reply when you are half, or more, asleep. Your response had
nothing to do with my suggestion that you let others know beforehand to
where you are linking with the redirection. Users would appreciate knowing
what's on the other side of the door before stepping in.
>>Another article on the vulnerability is at:
>>
>>http://arstechnica.com/microsoft/news/2010/02/microsoft-warns-of-ie-flaw-affecting-windows-xp-users.ars
>
> Look, I don't use I.E. don't care what's been fixed, what's being
> promised, or what's planned for the future.
Uh huh. And that's why you started your condemnation thread. Sure, we
believe you. Oh yes, it's very common for folks to start a conversation in
which they have absolutely no interest.
>>"In other words microsoft was in such a hurry to provide a browser to
>>compete with Netscape that they took short cuts and didn't follow
>>agreed upon protocols."
>>Penny makes a conjecture to qualify and soothe her ego regarding her
>>personal choice of web browser. Oh, please Penny do show us in the RFCs
>>that define these protocols as to where are the code examples that
>>explicitly mandate just exactly how these protocols are actually implemented
>>within actual applications.
>
> See, Folks hate to hear the horror's of using I.E.,
<and off on a disconnected tangent goes Penny>
And, of course, Penny doesn't actually address the issue she professed.
That would collapse her story. Instead she attempts diversion.
> An RFC is sent out for comments, when it's done to everybody's
> satisfaction it becomes a suggestion that's best followed if one
> wishes to be within standards. But it's not required.
Oh, so you know a little about how RFCs can affect but do not mandate
implementation of protocols. Apparently you also realize that the RFCs do
not mandate specific code nor are libraries provided that dole out that
invincible code. Anyone's implementation will vary from someone else's
implementation; otherwise, you hit copyright issues.
> You know this group through the acid test.
I know that group as a bunch of ex-Mozilla folks that have an agenda to
adopt HTML v5 before it is ratified. That's why those tests make use of
code that isn't yet supported by standard. I would agree that Microsoft is
still catching up but I don't agree that they should feel pressured into
accepting unratified standards simply because another group with their web
browsers decides to do so. Personally I'd like to see them all comply with
the current ratified standards and leave the forward-looking support to beta
releases.
> I did try the preview, something about cookies being enabled (they
> are) but here's the link http://tinyurl.com/aqkjh
URLs are text strings. They don't need cookies (.txt files) with them.
> Here's the address:
> http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220050156873%22.PGNR.&OS=DN/20050156873&RS=DN/20050156873
The short [redirect] URL, and with the "preview" hostname included so users
see beforehand to where they are going, is:
http://preview.tinyurl.com/aqkjh
Just created it. Works without any cookies. Cookies are irrelevant to
using the original or redirect URLs.
>> If I cared what was up with FireFox. I don't use it. Well it's a
>> secondary browser, that I don't think I've ever even downloaded an add
>> on for.
>So only your undisclosed web browser was invented with invincible code and
>has had no update code applied other than for added features. Uh huh.
Actually it isn't any of your business what I use; NOD32 will usually
block anything of importance.
>
>Please don't reply when you are half, or more, asleep. Your response had
>nothing to do with my suggestion that you let others know beforehand to
>where you are linking with the redirection. Users would appreciate knowing
>what's on the other side of the door before stepping in.
And a decent reply about that suggestion, if you didn't understand it
don't blame me. And how do you know what users would appreciate,
nothing ticks me off more than having to click on yes go already to a
tinyurl.
I dump cookies, and clear the cache each time I shut my browser down.
If you don't wish to click on a link it's your choice.
>>>Another article on the vulnerability is at:
>>>
>>>http://arstechnica.com/microsoft/news/2010/02/microsoft-warns-of-ie-flaw-affecting-windows-xp-users.ars
>>
>> Look, I don't use I.E. don't care what's been fixed, what's being
>> promised, or what's planned for the future.
>Uh huh. And that's why you started your condemnation thread. Sure, we
>believe you. Oh yes, it's very common for folks to start a conversation in
>which they have absolutely no interest.
>>>12/12/09 - just to say Ha Ha Ha to the people still using I.E..
>>>Maybe you'll take a hint now.
Freaking faggot, does that indicate my having any interest in I.E. at
all.
Maybe one day the he you adore will become your she. That's twice
you've expressed that desire, it's not going to happen here.
--
Nothing wrong here
http://tinyurl.com/yj8ds74