New Internet Explorer Threat warns CERT

Kylere · Post by **Kylere** » June 30, 2004, 10:54 am

http://www.kb.cert.org/vuls/id/713878

Just an extra warning, there is no fix at this time.

masteen · Post by **masteen** » June 30, 2004, 11:06 am

THERE ARE NO SECURITY HOLES IN INTERNET EXPLORER. THERE ARE NO INFIDEL H4XX0RS STEALING YOUR MEGAHURTZ.

Cartalas · Post by **Cartalas** » June 30, 2004, 11:22 am

God I miss that guy

noel · Post by **noel** » June 30, 2004, 12:44 pm

New BGP vulnerability that affects most major networking vendors warns CERT. Guess we should replace all the Cisco routers in the world!

http://www.kb.cert.org/vuls/id/784540

Should I post a CERT advisory every time there's one for any of the major networking vendors? I guarantee they affect more users (this one is a great example) than any IE vulnerability...

Kylere · Post by **Kylere** » June 30, 2004, 12:52 pm

Aranuil, if ost of the users here were CCNA, CCNP, or CCIE's I would say sure, but how many are browing the net with a browser... ALL

Fuck you very much, drive through

noel · Post by **noel** » June 30, 2004, 12:55 pm

The users certification (which you don't fucking need to understand the problem) had a goddamned thing to do with the vulnerability, you might have had a point.

The BGP vulnerability can affect your connectivity whether you're using a browser or not! OH NOS!

You shouldn't be going to unsolicited links anyway. If you don't know what a fucking unsolicited link is, you probably shouldn't be using the Internet.

Kylere · Post by **Kylere** » June 30, 2004, 1:05 pm

Hey whiney Noel/Aranuil I posted a pr0n link in NWS that was clean to me on a secured system, and was later altered to be even uglier than it was when it did not affect me the first time. People whined, kind of like your incessant whining. So I made the commitment to let people know just how dangerous their browser can be.

Not many people are going to be telneting into a Cisco router to fix it or running TFTP to load a new config, therefore it is over their head, but they are all using browsers, what part of that is confusing to you?

This is not a hoax, it is a problem that Microsoft does not have any fix for, and many industry analysts are assuming ( and I only partially agree ) that this class of issues will require a complete rewrite of the kernel.

Your assumption about unsolicited links may be accurate, and I agree they should not be using the net, but THEY ARE USING THE NET. It is the responsibility of those who know the dangers to make sure those who have better things to do with their time are made aware of issues so they can be safe. 99% of net users are barely comp literate, we have two choices we can pick on them or we can inform them.

I have decided to inform them, you can just keep on whining, or better yet, PLEASE PUT ME ON IGNORE.

noel · Post by **noel** » June 30, 2004, 1:20 pm

Kylere wrote:Hey whiney Noel/Aranuil I posted a pr0n link in NWS that was clean to me on a secured system, and was later altered to be even uglier than it was when it did not affect me the first time. People whined, kind of like your incessant whining. So I made the commitment to let people know just how dangerous their browser can be.

Not many people are going to be telneting into a Cisco router to fix it or running TFTP to load a new config, therefore it is over their head, but the are all using browsers, what part of that is confusing to you?

This is not a hoax, it is a problem that Microsoft does not have any fix for, and many industry analysts are assuming ( and I only partially agree ) that this class of issues will require a complete rewrite of the kernal.

Your assumption about unsolicited links may be accurate, and I agree they should not be using the net, but THEY ARE USING THE NET. It is the responsibility of those who know the dangers to make sure those who have better things to do with their time are made aware of issues so they can be safe. 99% of net users are barely comp literate, we have two choices we can pick on them or we can inform them.

I have decided to inform them, you can just keep on whining, or better yet, PLEASE PUT ME ON IGNORE.

I'm not whining. Just because you're still upset that people RIGHTLY smacked you down for posting a URL that contained no less than 12 trojans doesn't mean I'm going to let you go on a bullshit crusade to move everyone to Firefox. As such, I'm making a point that you are obviously missing. Let me spell it out for you so that it's clear and in no uncertain terms.

If I go to the CERT site, I can show a vulnerability for which there is no fix for nearly every major networking vendor, operating system, and many software applications that have a large enough userbase for CERT to concern themselves with.

I'm not arguing there's a vulnerability in IE. I'm sure it's not the first, and I'm sure it won't be the last. The point that I'm making is that there are a LOT of CERT advisories for many products, not just IE, and they generally get solved. Posting a CERT advisory in a community where over half probably don't even know what CERT is helpful, but will probably lead to unecessary concern.

I still contend that you are far better off running a browser that CERT will actually write vulnerability notes for than running a beta version of a browser that basically requires you to install plugins to make it work the way you want, and each plugin you install has the potential to cause a security vulnerability that may or may not ever even be reported.

The best approach to computer or network security is a layered approach. As such, I run a personal firewall, up to date antivirus software, several spybot killers, and I pay attention to what the fuck I'm doing online.

In summation, the only whiner here is you. Next time, post a warning if it bothers you so much, but make sure you post it for every URL you link to. For my money, a simple 'sorry' would have been a better reaction, but if you want to carry on like a baby, go right ahead. I won't be putting you on ignore as I enjoy seeing your posts, but on this particular issue we are at, obviously, opposite ends of the spectrum.

Kelshara · Post by **Kelshara** » June 30, 2004, 1:24 pm

Although this whole discussion is ridiculous, I do agree that there is a huge difference between an IE problem and a Cisco problem.

noel · Post by **noel** » June 30, 2004, 1:26 pm

Kelshara wrote:Although this whole discussion is ridiculous, I do agree that there is a huge difference between an IE problem and a Cisco problem.

Could not agree with you more.

Kylere · Post by **Kylere** » June 30, 2004, 2:11 pm

noel wrote:
Kelshara wrote:Although this whole discussion is ridiculous, I do agree that there is a huge difference between an IE problem and a Cisco problem.
Could not agree with you more.

Then why compare them?

The current set of issues with IE is unique, before they have almost entirely been exploits that were created after the announcement of a known issue, and users failed to update their systems, and it led to problems. Now the people causing problems are ahead rather than behind MS.

People do not have to use Mozilla, they can get Opera, they can use Netscape , or one of the 50 other browsers out there. I recommend Mozilla because I have beat it to death repeatedly and been very happy with its overall nature as a browser.

FYI the link I posted was fine when I posted it, it was changed SERVER SIDE after I posted it. I am not going to apologize for circumstances beyond my control, nor will I take flak for people irresponsible to be online without taking the necessary precautions. But when there are problems with an app that there are no precautions for then it needs to be said.

There is a serious movement of basement losers out there who hate MS and all of their products. The downside for Windows users is that they tend to be socially ignorant, and technically competent.

If I am in a big city that I am unfamiliar with, and I read an advisory from their Police Department ( and I know CERT is not a cop, but every major securiity firm agrees with them) that you should avoid 2nd and 3rd street because of the high crime level there, I am going to do just that. If it is safer to take Avenue B, I will do that. Situational Awareness is the number one defense against having bad things happen to you, and most of the users reading VV, and online overall are running unpatched WIN95 to XP machines, no firewall, and no working antivirus, and of those who do take some precautions, they misconfigure things heavily which can even be worse than not having any protection at all.

I am not saying as you are that anyone unaware should do an implicit deny all, but they very well should be aware that there are safer alternatives.

If you think it is wrong to warn people about a legitimate threat to the security of their data, then that is your call. If you feel the threat is overstated, then show me where it is overstated. But do not automatically and robotically defend an app just because you feel it is persecuted. I was young and dumb enough to feel that way about operating systems, apps before, and your best bet is to move on when something is no longer a good choice, hanging onto a sinking boat only means you will drown.
Will MS fix this issue? Yep!
Will there be more exploits of IE? Yep!
Will other browsers have exploits? Yep!
Are other browsers targeted like IE is? Nope!

Security through obscurity is in fact the least expensive and simplest route to take. Soldiers wear camouflage for a reason.

Ransure · Post by **Ransure** » June 30, 2004, 2:44 pm

I am invulnerable to IE errors! I use Avant!

noel · Post by **noel** » June 30, 2004, 2:45 pm

Ransure wrote:I am invulnerable to IE errors! I use Avant!

I think that was sarcasm, but not sure so... Avant runs on IE.

Ransure · Post by **Ransure** » June 30, 2004, 2:46 pm

masteen wrote:
THERE ARE NO SECURITY HOLES IN INTERNET EXPLORER. THERE ARE NO INFIDEL H4XX0RS STEALING YOUR MEGAHURTZ.

I also miss this man... someone should get him out of Guantannamo and give him a sponsorship for like Coke or Pepsi or sumtin... or even cigarettes... If he told me smokes dont cause cancer or bad breath.. I might start smoking again.

Siji · Post by **Siji** » June 30, 2004, 5:27 pm

What this argument needs is a good Gumby quote..

Ransure · Post by **Ransure** » July 1, 2004, 6:22 pm

Yes, it was sarcasm

XunilTlatoani · Post by **XunilTlatoani** » July 2, 2004, 1:04 pm

I just saw this story, which was applicable to these discussions:

http://story.news.yahoo.com/news?tmpl=s ... p/22103407

Alternative browsers such as Mozilla or Netscape may not protect users, the agency warned, if those browsers invoke ActiveX control or HTML rendering engines.

The only defense may be completely disabling scripting and ActiveX controls.

Isn't this a contradiction? The agency recommends that users stop using IE and use an alternative browser instead, but they admit that the alternative browsers may be affected as well if they invoke ActiveX controls.

Wouldn't it be easier to recommend turning off JavaScript and ActiveX in IE until a patch is found instead of recommending that people stop using software that they've used for years? If I were MS, I would be pissed that the government came out and said this.

Kylere · Post by **Kylere** » July 2, 2004, 2:01 pm

Yeah, Xunil and MS would sue them to death if it was not accurate.

MS made ActiveX, they made the scripting. What they mean by this is that the exploit is there if someone wants to make it work for Mozilla, Opera, Netscape etc. No one has yet, but it can happen. But as of right this instant, they are safer.

XunilTlatoani · Post by **XunilTlatoani** » July 2, 2004, 2:07 pm

My point was that if this virus can be avoided by disabling javascript and activex until there is a fix, why wouldn't the government recommend that instead of recommending to switch to a different browser where the same exploit could be possible?

Kylere · Post by **Kylere** » July 2, 2004, 2:18 pm

XunilTlatoani wrote:My point was that if this virus can be avoided by disabling javascript and activex until there is a fix, why wouldn't the government recommend that instead of recommending to switch to a different browser where the same exploit could be possible?

It could be, but it is not. Let me give you an analogy, if you have a choice of three cars in your garage, and someone has cut the brake lines of one. You drive the others until that one is fixed. The others may have brake lines also, but they are not cut right now.

XunilTlatoani · Post by **XunilTlatoani** » July 2, 2004, 2:28 pm

But I'm saying don't drive the car at all. If there really is a big gaping hole in ActiveX, which it sure seems to be the case, then don't even let some random website launch ActiveX controls regardless of browser until the problem is fixed.

This is obviously an OS problem, and disabling the feature altogether seems safer to me than trusting that no one will try to exploit FireFox (which is becoming more and more popular now, and someone might just get the idea to exploit it as well just to drive the point that there is a fundemental flaw in Windows).

XunilTlatoani · Post by **XunilTlatoani** » July 2, 2004, 3:35 pm

Well, MS released a "fix" today on windowsupdate that looks like it basically just disables the ADODB.Stream object from being invoked by ActiveX. If it was that simple, it would seem to me that they should have released this much earlier, but oh well. I'm sure there was a lot of corporate politics involved and what not.

More info on what this fix actually does: http://support.microsoft.com/default.aspx?kbid=870669

krin · Post by **krin** » July 2, 2004, 6:33 pm

New BGP vulnerability that affects most major networking vendors warns CERT. Guess we should replace all the Cisco routers in the world!

http://www.kb.cert.org/vuls/id/784540

Should I post a CERT advisory every time there's one for any of the major networking vendors? I guarantee they affect more users (this one is a great example) than any IE vulnerability...

BGP is generally used as a fail over protocol for network redundancy.
It would probably take a very large ddos attack to affect a network with this vulnerability, and even then, shouldn't affect current connections.

I still contend that you are far better off running a browser that CERT will actually write vulnerability notes for than running a beta version of a browser that basically requires you to install plugins to make it work the way you want, and each plugin you install has the potential to cause a security vulnerability that may or may not ever even be reported.

Agreed. Security through obscurity isn't really security at all.

krin · Post by **krin** » July 2, 2004, 6:50 pm

New BGP vulnerability that affects most major networking vendors warns CERT. Guess we should replace all the Cisco routers in the world!

http://www.kb.cert.org/vuls/id/784540

Should I post a CERT advisory every time there's one for any of the major networking vendors? I guarantee they affect more users (this one is a great example) than any IE vulnerability...

BGP is generally used as a fail over protocol for network redundancy.
It would probably take a very large ddos attack to affect a network with this vulnerability, and even then, shouldn't affect current connections.

I still contend that you are far better off running a browser that CERT will actually write vulnerability notes for than running a beta version of a browser that basically requires you to install plugins to make it work the way you want, and each plugin you install has the potential to cause a security vulnerability that may or may not ever even be reported.

Agreed. Security through obscurity isn't really security at all.