Warning for Internet Explorer users

[kach22i]

Sent to me today from a trusted friend.

Warning for Internet Explorer users
December 16th

Quote:

8 hours ago
Computer security experts are advising users of Microsoft's Internet Explorer to switch to another web browser until a major security flaw is fixed.

The problem, first revealed last week, allows criminals to hijack computers and steal passwords if the user visits an infected website.

As many as 10,000 sites have already been compromised to take advantage of the flaw, according to anti-virus software producer Trend Micro.

So far the websites, which are mostly Chinese, have been used to steal computer game passwords which can be sold on the black market.

But Trend Micro security researcher Paul Ferguson told the Associated Press there were major concerns that the problem could be exploited by "more financially motivated criminals for more serious mayhem".

Microsoft said it had so far only found attacks against version 7 of Internet Explorer, the world's most popular web browser, but warned that other versions were "potentially vulnerable".

In a security update issued on Monday, the computer giant said: "We are actively investigating the vulnerability that these attacks attempt to exploit.

"We will continue to monitor the threat and update this advisory if this situation changes."
Microsoft may fix the problem in its regular monthly security update or issue an emergency software patch.

[Porsche_monkey]

Could be a hoax, could be true. I switched to firefox and would never go back.

[red-beard]

they have already sent out a patch

[porsche4life]

Guess Im safe with chrome.

[red-beard]

I don't understand why people think they are safer with Fixefox, or whatever instead of IE. At least MS will own up to vulnerabilities and patch ASAP. I don't think it is that the others are inherently safer than IE.

[Rick V]

I got the same email sent to me from a trusted friend, who is a subcontractor for the government. I would say that warning is true.
I also use firefox as well.

[Paul_Heery]

This is very real. The vuln is present in all versions of IE from v5.01 to v8.beta2. The patch replaces MSHTML.dll. However, this file is different for different versions of IE, so there are specific versions of the patch based upon the version of IE you are using.

[masraum]

Quote:

Originally Posted by red-beard

I don't understand why people think they are safer with Fixefox, or whatever instead of IE. At least MS will own up to vulnerabilities and patch ASAP. I don't think it is that the others are inherently safer than IE.

If you wanted to catch as many fish as quickly as possible, and there was a pond that was full of fish. 99% of the fish will be caught with worms, but 1% of the fish can only be caught with frogs (whatever, I'm not a fisher). Would you use worms or frogs for bait?? I suspect you'd use worms. I'm sure there would be some fishermen out there that would really prefer the fish that only eat frogs and would target those, but most of the pop would go for the easy pickin's.

MSIE has a huge, enormous majority of the browser market. If you're a "hacker" or hoodlum, you can target either/any browser, but if you want to wreak maximum havoc, you'll target MSIE.

[old man neri]

I didn't know people still used IE but anyways here is the webpage from MS telling you how to fix it.

[flatbutt]

Our IT guys consider this a real problem. They've adviced that the originators may indeed move on to Firefox and Chrome etal. However they also say that if the site is "https" then you're ok

[Gogar]

I looked for MSHTML.dll for like . . . an hour and I couldn't find it. Guess I'm safe.

[MysticLlama]

From the reg today:

Mozilla has rushed out updates to plug a few critical holes in versions 2 and 3 of its popular open source Firefox browser.

Firefox 3.0.5 fixes three critical security flaws in the browser, while 2.0.0.19 stitches four critical vulns.

Mozilla said that XSS vulnerabilities in SessionStore, XSS and so-called JavaScript “privilege escalation” and crashes that could cause memory corruption have been repaired in Firefox 3.0.5.

The bugs in the browser could have been “used to run attacker code and install software, requiring no user interaction beyond normal browsing,” said Mozilla.

It also once again urged users to upgrade from Firefox 2.0 because version 2.0.0.19 is the final release of updates for the browser.

The company “is not planning any further security and stability updates for Firefox 2, and recommends that you upgrade to Firefox 3 as soon as possible”.

It added that Mozilla’s “Phishing Protection” service would no longer be available in Firefox 2. In other words, it won’t be supporting the browser against future online scams and attacks.

Mozilla’s security updates today follow on from Microsoft having to push out an emergency security patch for Internet Explorer on Wednesday, addressing a critical security hole currently being exploited in the wild.

The latest zero-day vulnerability stems from data binding bugs that allows hackers access to a computer's memory space, allowing attackers to remotely execute malicious code as IE crashes, said a red-faced Microsoft yesterday. ®

[masraum]

Quote:

Originally Posted by Gogar

I looked for MSHTML.dll for like . . . an hour and I couldn't find it. Guess I'm safe.


< clipped fruity pic >

Don't worry, you're completely safe. The apple will keep you completely safe and warm and happy.

http://www.techworld.com/security/news/index.cfm?newsid=1798

Quote:

Mac OS X doesn't stand out as particularly more secure than the competition, according to Secunia. Of the 36 advisories issued in 2003-2004, 61 percent could be exploited across the Internet and 32 percent enabled attackers to take over the system. The proportion of critical bugs was also comparable with other software: 33 percent of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30 percent for XP Professional and 27 percent for SLES 8 and just 12 percent for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19 percent.

http://news.cnet.com/8301-10789_3-9976122-57.html

Quote:

Building on the Trojan released last week, a group of hackers appear to be targeting the Mac OS X platform with more variations.

Last Thursday, Mac antivirus vendors Intego and SecureMac reported a serious vulnerability within the Apple Remote Desktop Agent (ARDAgent). It is part of the remote-management component of Mac OS X 10.4 and 10.5 and is owned by root. Thus, the ARDAgent executable runs this malicious code as root without requiring a password.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123467&intsrc=news_ts_head

Quote:

December 15, 2008 (Computerworld) Apple Inc. today patched 21 vulnerabilities in Mac OS X, including seven flaws in Flash that the popular media player's maker, Adobe Systems Inc., fixed more than a month ago.

http://robrohan.com/2008/06/19/nasty-mac-os-x-exploit/

Quote:

It seems there is an exploit floating around that allows root access via applescript. It’s a good idea to only download software from trusted sources, but you might want to be extra cautious - or at least let this serve as a reminder to be cautious.

http://www.theregister.co.uk/2008/07/28/pwning_security_updates/

Quote:

A researcher from Argentina has released an exploit package that can install malware on end user machines that run iTunes, Mac OS X, Winzip and a host of other popular software.

Evilgrade is the brainchild of Francisco Amato and works by exploiting weaknesses in the automatic upgrade feature of an affected program or operating system. It works only when a man-in-the-middle attack has first been carried out, but thanks to the domain name system vulnerability that has dominated security coverage ever since researcher Dan Kaminsky sounded the alarm three weeks ago, that's not much of a problem.

This one is pretty interesting
http://blogs.zdnet.com/security/?p=758

Quote:

So this shows that Apple had more than 5 times the number of flaws per month than Windows XP and Vista in 2007, and most of these flaws are serious.

[masraum]

Actually, I'm a strong proponent of Microsoft alternates. Over the years I've explored and tinkered with lots of non-MS stuff, whether it be programs or OS. I used to prefer WordPerfect and hated when I finally had to ditch it in favor of Office. I've had dual boot systems and VMWare with Linux. I've done research on other OSs and programs, and I've been using NetScape/Mozilla/Firefox since 1995 or 1996 whenever I got on the Internet except for a period of a few months where IE was actually better than Netscape way back in the early days.

I just get tired of hearing all of the "Superior" Mac folks trying to make claims that don't really hold water.

The other equalizer is that at least in the past, and I believe to this day, your hardware options in a Mac were regulated by Apple. By regulating what hardware you can put in the machine, you control a major factor in the stability wars. If you only have to program the OS/Apps for a small, relatively fixed set of factors, that's an easier job and should result in a more stable environment. With Windows, since any monkey can buy some chips, through together a sound card, modem, video card, etc.... and stick it in a PC with highly questionable drivers, the fact that Windows is and has been as stable as it is/was with pretty much infinite combinations of software hardware, is a miracle.

[imcarthur]

Thank you Steve & Robb for some reality.

Ian

[kstar]

There's probably not enough room on Wayne's servers to make a comparable "PC" post to the one above re OS X.

[Porsche_monkey]

[QUOTE=masraum;4366117] I used to prefer WordPerfect and hated when I finally had to ditch it in favor of Office. [QUOTE]

Still have it. And QuatroPro.

[masraum]

Quote:

Originally Posted by Porsche_monkey

Quote:

Still have it. And QuatroPro.

Yeah, at the time, the two weren't really compatible, and I needed compatibility. I was also having a much harder time "acquiring" the WP suite. Now they are, but the MS Office suite these days is actually pretty nice.

[imcarthur]

I too, was a WordPerfect fan. Since the late 80s. I hated to change over but I was pretty well forced to due to Office. Lotus 123 also. I actually made money macroing that sucker for wage & benefit surveys etc for a while in the early 90s. CorelDraw was another fav & I still use it on occasion. And the list goes on . . .

Ian

[Justin S]

Quote:

Originally Posted by masraum

Don't worry, you're completely safe. The apple will keep you completely safe and warm and happy.

http://www.techworld.com/security/news/index.cfm?newsid=1798



http://news.cnet.com/8301-10789_3-9976122-57.html



http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123467&intsrc=news_ts_head


http://robrohan.com/2008/06/19/nasty-mac-os-x-exploit/


http://www.theregister.co.uk/2008/07/28/pwning_security_updates/


This one is pretty interesting
http://blogs.zdnet.com/security/?p=758

For me to actually get a virus (I cannot since apple released a bunch of security updates for the above, plus the built in firewall works well), I actually have to think it is a piece of software I want to actually install (I have to type in my username and password, hit continue a few times, and click on the hard drive I want to install to). I think this is very different from just opening a sketchy .exe file.

I'll take anything UNIX based over windows ANY day. Don't get me wrong, Windows works very well when it is NOT plugged into a network.