- TalkBack 21 of 52:
- Next »
- « Previous
- Thread View
- Flat View
- Didn't fix a damned thing.
-
The whole point of an exploit involving a user:pass feint in a URL link is to get you to load up an HTML document (other than the one you thought you were loading) containing an ActiveScripting exploit.
Rather than ditching ActiveScripting in IE, they give you a cosmetic fix which ultimately solves nothing: the cracker can lure you to hostile HTML/ActiveScripting through any number of means, not the least of which:
* META-tag URL redirection in a "safe" Web page
* Simply emailing you with the hostile script embedded in the HTML body of an email (remember--this is NOT an attachment, it's in the body of the email itself)
My sister had her Win98 system taken completely down by a hostile Web page in '99 using basically the same HTML/ActiveScripting techniques that are floating around today. The most dangerous critter in the entire ActiveScripting arsenal: VBScript, which apparently runs totally un-sandboxed and which can launch executables and make Remote Procedure Calls at will. Clever crackers can completely disguise executables in a VBScript array (so that your AV proggy and security measures can't detect it) that rebuilds itself "on the fly" as your browser parses the Web page/email body. Voil?! Instant trojan.
A few days ago I located my own copy of a small cracker's utility named "exe2html," which is floating around all over the Web now, if you know where to look. It's purpose? To enable you to take an executable file (your malware), slice it up and stash it into a VBScript array in such a way that you can embed it in your HTML and it will completely slide past any security measures on your victim's Windows system, as long as they're running Outlook/Outlook Express/Internet Explorer.
Here, you can see a whole lot of ways those 17-year-old Chinese freelance crackers and Hungarian Internet extortian gangs can exploit your Web browser/mail client:
http://die.leox.com/ie_unpatched/index.html
I've tested at least one of these on my up-to-date, fully-patched, AV-protected Win2K Pro system hidden behind a router doing NAT (with only essential ports open). It worked like a champ. - Posted by: Yen_z Posted on: 02/04/04 You are currently: a Guest | Members login | Terms of Use
&itch..&itch...&itch
LinuxHippie | 02/04/04
|
Another way to say that
Chad_z | 02/04/04
|
here's a novell idea...
ryusen | 02/05/04
|
|
yea thats too bad
JoeMama_z | 02/04/04
|
|
when you use a browser
JWatson77 | 02/04/04
|
|
Whats your point?
rschror | 02/04/04
|
your pointless
stephen732@... | 02/04/04
|
|
Do a little research.
Immanuel Tranz-Mischen | 02/04/04
|
|
not until ms play fair
JWatson77 | 02/05/04
|
|
Please....
DarbyOhara | 02/05/04
|
|
I use Win2k pimple face
JWatson77 | 02/05/04
|
|
Umm...
TrollSlayer | 02/05/04
|
|
this was never a feature
JWatson77 | 02/04/04
|
|
Veeeeery Surprising
Bobby Sskcat | 02/04/04
|
|
This isn't the first time.
Immanuel Tranz-Mischen | 02/04/04
|
|
Thanks to wrong doers
Christian_<>< | 02/04/04
|
|
Message has been deleted.
Cardinal_Bill | 02/04/04
|
|
You left something out
vferrara | 02/05/04
|
|
So did you.
Immanuel Tranz-Mischen | 02/05/04
|
|
YOU left something out
B_HI | 02/11/04
|
|
Didn't fix a damned thing.
Yen_z | 02/04/04
|
|
Smiley Face got me.
Yen_z | 02/04/04
|
|
I tried out several of them
jfrankcarr | 02/04/04
|
|
MS putting ... security first (!)
michael-t | 02/04/04
|
|
What a stinkin' load...
TrollSlayer | 02/05/04
|
|
Addendum
TrollSlayer | 02/05/04
|
|
TrollSlayer??? More like Troll
PmAc_z | 02/05/04
|
|
Riiiiiiiiiiiiiggggggghhhhhtttt!
TrollSlayer | 02/05/04
|
|
Not quite...
wolf_z | 02/05/04
|
|
You are correct...
TrollSlayer | 02/05/04
|
|
One more thing!
TrollSlayer | 02/05/04
|
|
And another thing!
TrollSlayer | 02/05/04
|
|
We need a hero
BXLE | 02/05/04
|
|
Lazy developers
dscherf | 02/05/04
|
|
lazy
BXLE | 02/05/04
|
|
It was a jab
dscherf | 02/05/04
|
|
It is about time!
ShadeTree | 02/05/04
|
|
Really
russ@... | 02/05/04
|
|
What???
ShadeTree | 02/05/04
|
|
Flawed? Maybe...
Brett04_z | 02/05/04
|
|
Not exactly
MarcB_z | 02/05/04
|
|
Oh Well........
tslocum7 | 02/05/04
|
|
Security??????????????????????????
russ@... | 02/05/04
|
|
great - break (more) standards
bschlatzer@... | 02/05/04
|
|
IE Security Patch
Jaytmoon | 02/05/04
|
|
Stop Using IE! There Are Much Better Browsers Out There
brenthawkinsmd | 02/05/04
|
|
IE Phishing Fix via Feature Removal is a Hoax
Davinci_J | 02/05/04
|
|
Interesting
jfrankcarr | 02/06/04
|
|
Its Broke?
WillGates | 02/05/04
|
|
IE the best and only web-browser
Christian_<>< | 02/05/04
|
|
IE is crap.
Squire72 | 02/08/04
|
|
IE is no better actually
Aragorn_z | 02/09/04
|
What do you think?
SponsoredWhite Papers, Webcasts, and Downloads
- Building the Virtualized Enterprise with VMware Iinfrastructure VMware VMware virtualization software has been adopted by over 120,000 enterprise ... Download Now
- Five Steps to Determine When to Virtualize YourServers VMware Server virtualization isn't just for big companies. Entry-level ... Download Now
- File System Auditor Version 2.0.8 ScriptLogic File System Auditor? allows administrators to audit file access, generate ... Download Now
Premier Vendor Content Whitepapers, webcasts & resources from our Power Center Sponsors
- Keep Up With The Latest In Document Management with The DocuMentor.
-
Doc delivers the scoop on today's enterprise content management, printer maintenance, and all other issues related to document management. It's the DocuMentor Blog.
- Learn more >>
- New Online Dashboard for IT Leaders
-
Read about top issues IT decision-makers face every day, plus get cost-effective solutions to real-life IT problems.
- Learn more >>
- The more you simplify, the more you save
-
When you transition from your existing Red Hat environment to SUSE Linux Enterprise from Novell, you can recognize dramatic cost savings, perhaps as much 50%
- Learn more >>
- Save time with automated shipping solutions
-
The Business Essentials Guide provides you useful tools and templates to help grow your business and save you time with automated shipping solutions.
- Visit the UPS Business Essentials Guide
- The Compelling Case for Conferencing
-
Read the whitepaper to discover the specific ways Unified Communications can improve your bottom line.
- Click to download >>
- Microsoft Dynamics CRM Online - Free Six-Month Trial for Eligible Organizations
-
Microsoft Dynamics CRM Online provides fast online access, simple contact management and better sales performance for a low monthly cost - the best value on the market today.
- Learn more about the free, six-month trial offer >>
Meet Doc
-
-
Here to help you with your Document Management Needs
- Check out Doc’s Blog on ZDNet
- Help your company, help the earth I want to share with you the Environmental Defense Fund Paper Calculator, which allows you to gauge your organization's environmental impact.
- Which is Greener: Paper or Digital? The Answer May Surprise You Anything we can do to reduce paper consumption is good. But what about the impact of digital waste?
-
Produced by
ZDNet and -
