New IE bug causes concern [drag-and-drop on webpage activates bug]

http://www.computerweekly.com/articles/article.asp?liArticleID=132902&liArticleTypeID=1&liCategoryID=1&liChannelID=13&liFlavourID=1&sSearch=&nPage=1

Thursday 26 August 2004
New IE bug causes concern


Security researchers are warning of a bug in Internet Explorer that could allow attackers to infect a PC by persuading a user to click on a web image.


The vulnerability affects even Windows XP machines patched with Microsoft's Service Pack 2 (SP2), making it the most serious hole discovered in SP2 to date.


IE versions 5.01, 5.5 and 6 are not effective enough in the way they screen drag-and-drop events, allowing attackers to potentially slip code from the "internet" zone to the local machine, according to researchers.


In a demonstration posted online by a "white-hat" hacker using the internet pseudonym http-equiv, who discovered the flaw, a user drags a graphic from one part of a web page to another, and this action implants code in the user's startup folder, to be run the next time Windows launches.

<snip>

By now it suffices to click on the scroll bar.


Example:
http://www.mikx.de/scrollbar/



Also there are first in-the-wild uses of the mistake, made worse by the bug where SP2 doesn't mark the files as "downloaded"; allowing their execution without warning.

However this is not strictly a bug in SP2 - you are just as vulnerable without SP2.

get Mozilla already!

www.mozilla.com

version 9.3 rocks

I like Mozilla. With the optional scheduling module, I have finally been able to replace not only IE, but also MS Outlook.

Firefox is great...I love the tabs and the integrated google bar. I have never used Outlook (I prefer Yahoo mail, etc)...so I'm not sure if FF has a comparable mail function built in. I also use a seperate freeware download accelerator product for my downloads. There are several available that can integrate with firefox without any problems. From what I can tell, the two products and almost identical...but you may want to give firefox a whirl. It is a very quick download.

http://www.download.com/Mozilla-Firefox/3000-2356-10299359.html?tag=lst-0-2

is the mail application that is used with FireFox. I am using them both and I love them. The built in Google and Tabs are great.I also love the pop up blocker and I have yet to have my homepage hijacked with FireFox.I am on a really fast network here and I will say that FireFox is a tad bit slower then IE,but who cares it's still fast.

Mozilla is the complete product with email and newsreader.

One thing I like about firefox is the extensions that add to it for many different functions like a google toolbar, autofill, themes, dictionary search, etc. This is a complete browser, unlike the crippled and aging IE.

Even a built in popup blocker.

Micro$oft should be ashamed.

Mr. Leela is a Linux guru/zealot...all our computers run Linux except his PowerBook, which has a Slackware/OS X dual boot. No Microsoft products allowed in this house! (I admit having an in-house tech support makes it a lot easier.) My desktop manager is IceWM, which is easily learned by anyone who's familiar with Windows

It is such a freedom to not have to worry about worms,viruses,trojan horses, BSODs...plus the system requirement are much more modest, so we can still have older machines that function perfectly well.

Now if they would only make a new version of Mozilla that works in SSL through firewalls, I'd upgrade my ageing version.... if it's not one thing, it's another.

Swiftboat Veterans for Bush - TRUE!!!

JFK - Drop Bush Not Bombs! - FUCK BUSH
http://brainbuttons.com/home.asp?stashid=13

Another reason to use alternatives.

Swiftboat Veterans for Bush - TRUE!!!

JFK - Drop Bush Not Bombs! - FUCK BUSH
http://brainbuttons.com/home.asp?stashid=13

I never use IE anymore

For reasons just like this. Not only does Microsoft make weak products but they the Windos OS is everyone's favorite target.

I use Safari. It just works.

Certainly better than ie, but no reason for a sense of security.

but I am at a point where " friends don't let friends use IE "
As for security, what do you suggest ?

Mac with Safari is about as secure as one can get. No internet connection is the only way to feel safe.

I suppose you are right.

But www.grc.com shows I'm not even on the internet. Go to the site and go to the 'shields up' section. it will test your connection and computer and show what ports if any are open to the outside world.

At my house we have three PCs and one server on the network. I have a router with a built in firewall and I still use a firewall and anti-virus on all three pcs.In addition to that I run a bunch or Spy Ware apps once a week or so on all three, Spy Bot S&D, Hijack This, Add Aware6, CW Shredder, and BHO Demon. When you dealing with Micro$oft you need all the help you can get.

I've been using Opera (currently ver. 7.51) for over a year now and love it. Recently upgraded to 7.54 but didn't like the "look/feel" so went back to ver.7.51.

:hi: I truly admire people who know WTF they're doing with their computers, more than you'll ever know. I wish I was one of those people!!

However...I still can't compute my way out of a paper bag. I keep thinking (dreaming!) someday the 'good computer fairy' will send me someone to sit by my side, and 'splain all these things to me, until I "get it"! I HATE knowing that people can get into my computer, in spite of the "tools" I've been able to install.

As much as I love being on line, I still don't know how to research something, fluently (!), and I sure as hell don't understand how to make security work without getting everything so tangled up the darned computer won't even turn on.

:yourock: You guys rock. :yourock: While some of us just kinda 'roll'.... over.

:kick::kick:

Give me Firefox or give me death!

Browse happy. This was featured on slashdot.org It will help you find a browser right for you.

http://browsehappy.com/

BTW, you guys who love Compose in Mozilla, there is a standalone.
http://www.nvu.com/download.html

there is an OSX version

http://www.macupdate.com/info.php/id/15699