Yay! Another really bad exploit in IE found!

[MD-2389]

http://slashdot.org/articles/04/01/28/2 ... &tid=172&t id=185&tid=190&tid=201

"Infoworld is reporting another new security hole that allows links to executable files to appear to be any other type of file, such as text or pdf. When combined with a previously reported spoofing bug, that Microsoft still hasn't fixed, Infoworld claims the result could be 'devastating'"

Show of hands here....how many are really suprised? With **** like this happening, its a small wonder why people continue to use Idiot Exploiter...

Get yourself cured

[Mobius]

LOL @ Idiot Explorer!

[Jeff250]

The only problem with the majority of Mozilla's vulnerabilities is that nobody's found them yet.

[Mobius]

Ipso Facto - they aren't a problem!

[Birdseye]

I haven't used mozilla because file new doesn't create a copy of your existing window... anyone know a command to duplicate the browser you are looking at?

[Nitrofox125]

There's something in the settings of every browser: "On new window a) Go to homepage or Stay at current page" or w/e

[Lothar]

file - new - navigator window doesn't give you a new window?

[MD-2389]

<BLOCKQUOTE><font size="1" face="Arial">quote:</font><HR><font face="Arial" size="3">Originally posted by Lothar:
file - new - navigator window doesn't give you a new window?</font><HR></BLOCKQUOTE>

He's referring to Mozilla not doing a new window like IE does. (brings up the current page in the new window) Which, IMO, is a very good thing since I always found that an extremely annoying "feature" of IE.

However, don't fret Birds because I've found exactly the way to do that. Go into your preferences and click on Navigator. Click the pulldown menu and select "New Window". Then click on "Last Page Visited". Then click OK and you're good to go.

[Top Wop]

Gimmie a W00t for Firebird!

[MD-2389]

<BLOCKQUOTE><font size="1" face="Arial">quote:</font><HR><font face="Arial" size="3">Originally posted by Jeff250:
The only problem with the majority of Mozilla's vulnerabilities is that nobody's found them yet. </font><HR></BLOCKQUOTE>

But when they are found, they're actually fixed. Fixing bugs in their browser doesn't appear to be MS policy anymore.

[fliptw]

One need to remember that IE is based in NSCA Mosiac... they just went and added stuff to that browser over the years.

Mozilla itself is a fairly young codebase, and being cross platform, isn't as tightly integrated as IE is. so the nature of exploits and their impact between the two are like apples and oranges.

[fliptw]

MS provides a work around.

[Birdseye]

Thanks MD! I think I will give Mozilla another run. I preferred its password auto-fill in (some places I had two accounts, and it remembered either and let me choose, example being paypal)

[fliptw]

and tells us about the upcoming patch

[JMEaT]

browser wars are so lame...

[DCrazy]

Wait....... what?! No more <diesmiley>http://us</diesmiley>er:<diesmiley />pass@domain syntax?? Isn't that kind of against the standard? Over time the tradition has been for IE to move (ever slowly) towards standards-compliance.

[Tetrad]

<BLOCKQUOTE><font size="1" face="Arial">quote:</font><HR><font face="Arial" size="3">Originally posted by fliptw:
and tells us about the upcoming patch</font><HR></BLOCKQUOTE>

Actually looking at this for a few minutes, that patch is for the 'previous' bug mentioned in the first post.

This particular bug is about embedding a CLSID into a filename to make it look like a particular extension when it's something else completely.

If you're running the proxomitron you can put in a filter in that fixes that issue.

[HTTP headers]
In = TRUE
Out = FALSE
Key = "Content-Disposition: IE Exploit Attachment-Spoof [Alert+Choice] (in)"
Match = "\1{\2}\3&$ALERT(*** WARNING ***\nIE Attachment-Spoof Exploit
Detected!\n\n\1{\2}\3)($CONFIRM(Allow only the attachment below? (Safest action
= NO)\n\n\1\3)|$SET(1=\k)$SET(3=))"
Replace = "\1\3"

or if you don't want dialog boxes

In = TRUE
Out = FALSE
Key = "Content-Disposition: Attachment Spoof removal"
Match = "(*)\1{*}(*)\2"
Replace = "\1\2"

This still causes it to display a different filename, but the file will not execute with the given CLSID properties (instead using the spoofed ones), thereby blocking the exploit, without removing correct Content-Disposition handling. I.e. if somebody gives you a link to an .exe, renamed to .pdf, with the .exe clsid, it'll open in acrobat instead of just running.

[Tetrad]

http://secunia.com/Internet_Explorer_Fi ... ofing_Test

[Viralphrame]

<BLOCKQUOTE><font size="1" face="Arial">quote:</font><HR><font face="Arial" size="3">Originally posted by JMEaT:
browser wars are so lame...</font><HR></BLOCKQUOTE>

I love you.

[Jeff250]

<BLOCKQUOTE><font size="1" face="Arial">quote:</font><HR><font face="Arial" size="3">Originally posted by DCrazy:
Wait....... what?! No more <diesmiley>http://us</diesmiley>er:<diesmiley />pass@domain syntax?? Isn't that kind of against the standard? Over time the tradition has been for IE to move (ever slowly) towards standards-compliance.</font><HR></BLOCKQUOTE>

I can't recall a time I've ever used that for HTTP.

[Tyranny]

It came in handy for logging in to certain sites if you had permissions to access those sites in the first place. So instead of getting a dialog box once you typed in the regular url going to the site where you'd have to enter in the information to view it, the information would already be given to the site via the url using that syntax.

[Tetrad]

<BLOCKQUOTE><font size="1" face="Arial">quote:</font><HR><font face="Arial" size="3">Originally posted by Jeff250:
I can't recall a time I've ever used that for HTTP.</font><HR></BLOCKQUOTE>

It's used a lot on the porn site password hax0r pages.

[Jeff250]

lol ok

[roid]

Birdy and if you want a new TAB to display the page you are currently at in firebird, there is a plugin for that called "clone window". just look for it on the plugins/extensions page.