Web surfers are no longer playing Russian roulette each time they visit a Web site, security researchers say, now that a far-reaching Internet attack has been disarmed.
I wonder why people who could write such a sophisticated virus left it with a single point of failure?
They must have known that the first thing people would do would be to block access to the Russian server.
Not to give any ideas to the black hats, but would it not have been better to use the compromised web servers to serve the payload as well?
Perhaps it was just a test.
‘Finally managed to shut down’ – cool, I imagine this mysterious server standing somewhere in a secluded room… Almost like in a thriller movie. And finally an engineer plugs it off just 5 seconds before the meltdown… Oooh cool. Give us more thrillers.
I wonder where this server could be physically located. I guess that would explain everything. But as usual, this mystery will not be revealed and we will be in the Dark FOREVER!
Why is it not playing Russian roulette just browsing with IE? They shut down one website, all clear, no problem, hole not fixed, exploit unpatched, never mind, just continue to use our fine product with confidence.
It’s most likely that the Tier 1 ISP(s) just added a null route to the machine 🙂
I hope that they’ll eventually release the list of some of the sites that were compromised. It would give us a better idea of whether or not our credit card information was stolen.
Now that every might-be hacker in the world knows that this kind of attack is possible, it’s only a matter of hours before you see similar attacks. Until MS fixes the hole in IE, it’s dangerous to use IE with JavaScript enabled.
Until MS fixes the hole in IE, it’s dangerous to use IE with JavaScript enabled.
I read in either this article or another that the two holes exploited in IE were patched back in April. Only the 3rd hole in IIS was unpatched.
?
This is a classical example of a company underestimating severity of a bug.
Really, to compromise a user’s computer with this bug, someone has to create a Web site with harmful content. That site could be quickly brought down by “forces of good.”
Who knew that hackers would compromise existent Web sites instead? Now, the bug in IE gets much more serious.
This is a cool new idea of hacking a user’s computer through a Web site.
Russian guys who put that together must be proud.
Last time someone underestimated severity before this issue was when a security bug was patched in kernel 2.6 but patch was not backported to 2.4. Who knew that a major Linux Web site running on kernel 2.4 will be hacked because of that?
Now, it is sweet justice for Linux folks: “evil empire” makes embarrassing mistakes too.
Does this bug bite users because the browser is integrated into an OS? Not at all: a standalone browser with the same bug would be vulnerable the same way.
Is this way of hacking computers limited to Internet Explorer and Windows?
Not at all: a short time ago Red Hat patched buffer overflow in a library that handles PNG images. An image exploiting that buffer overflow could be posted on hacked Web sites, and Mozilla or any other browser using standard library would download an image no questions asked. In fact, it is even more serious: other than disabling image download there is no workaround.
Yet, nothing of that sort had happened- must be related to the size of the user base. Too little- not that attractive to hackers.
Still, it is not an excuse for Microsoft. They underestimated the severity of a bug- and it does not matter if the hackers’ Web site is closed and their malware is already recognized and stopped by any major antivirus.
The bug must be fixed. ASAP.
Yet, just blindly saying “ain’t happen anywhere else” or “if all of us switch- we are safe” is wrong. In fact, users of other browsers and OSes should not advertise their non-mainstream choice: smaller user base- less attractive to hackers. Stay secure while obscure. Enjoy while it lasts.
The last statement of my previous post is filled with sarcasm. If you didn’t get it.
The last statement of my previous post is filled with sarcasm. If you didn’t get it.
I didn’t, and apparently someone else didn’t either… Thanks for the clarification (?) though
“too overblown”
Lmao. You and Darius are really putting it into the “irrelevant” level huh? No Darius, the vulnerability was NOT patched. The vulnerability pointed out by Jelmer was known for quite some while: it was on Larholm site before he mysteriously shut his site down. In recent news it came in under attention again and you guessed it — no patch. Now, I already posted a theory on how this could easily be exploited and that MSIE surfers should be gladful webmasters are not Evil, however situations like these are to be expected too. Microsoft is to blame here. With their incredibly smart patch roulation and marketing they seek to raise trust yet anyone who follows the news is able to find out that’s rubbish. They keep big, important holes wide open.
Last year a similar problem happened to Interland on their IIS servers. They merely acknowledged that they were ‘hacked’.
Unfortunately their response to the problem was ponderous. Over 2 weeks after they were known to be hacked, IIS servers remained unpatched and infecting visitors to hosted websites.
At least this time it was shut down relatively quickly.
Microsoft advised users to set their browsers’ security to the highest settings, even though doing so could break some Web functionality.
Try doing this in MSIE! EVERYTHING breaks… no GMail, hell, not even Microsoft Outlook Web Access!
I used to be a fan of MSFT.. now, I think they are despicable!
The vulnerability pointed out by Jelmer was known for quite some while: it was on Larholm site before he mysteriously shut his site down. In recent news it came in under attention again and you guessed it — no patch. Now, I already posted a theory on how this could easily be exploited and that MSIE surfers should be gladful webmasters are not Evil
So I guess people who were infected by this have you and Jelmer to thank then. I know MSIE is an insecure piece of crap, but a lot of people don’t know any better, and it sure as hell don’t help when you give crackers a HowTo on how to break into people’s systems.
Does this bug bite users because the browser is integrated into an OS? Not at all: a standalone browser with the same bug would be vulnerable the same way.
Can you back this up? What I have seen is that these types of infections do need some level of integration. The facts are on the wall and you really can’t change that.
Is this way of hacking computers limited to Internet Explorer and Windows?
Yes, because of the way IE and their patch system works. Plus the heavy integration of software.
Not at all: a short time ago Red Hat patched buffer overflow in a library that handles PNG images. An image exploiting that buffer overflow could be posted on hacked Web sites, and Mozilla or any other browser using standard library would download an image no questions asked. In fact, it is even more serious: other than disabling image download there is no workaround.
Have you ever seen a case where a Linux OS had been infected and damaged to the extent of Windows? The answer to that question is no. This is because Linux, no matter what distro, takes care of their OS by making sure that there is not only a patch but also that the patch works WITHOUT breaking any kind of software. Also the exploit that you talk about is not as serious as that of Windows. That is also why you do not see such a thing on other OSes!
Yet, nothing of that sort had happened- must be related to the size of the user base. Too little- not that attractive to hackers.
Apache and Linux have the largest user base. Yet it was IIS again that has been infected and compromised.
Still, it is not an excuse for Microsoft.
Yet, you are content in giving them excuses.
They underestimated severity of a bug- and it does not matter if hackers’ Web site is closed and their malware is already recognized and stopped by any major antivirus.
The bug must be fixed. ASAP.
That is correct but it’s more than an ‘underestimation.’ They have deliberately gone out of their way to spread FUD and major false PR. That only leaves two explanations. The fact that Windows CANNOT be fixed and as far as making an OS is concerned, they know jack shit! So that bug ain’t going to be fixed any time soon. But as long as M$ has Fanboys that keep spinning the FUD. They’ll continue to do what is best. Sell shitty OSes so they can be 0wn3d with ease!
Thank you M$!
Yet, just blindly saying “ain’t happen anywhere else”
It isn’t blind when it really ISN’T happening anywhere else
or “if all of us switch- we are safe” is wrong.
No, staying with Windows and using IE is wrong, unless you are the one that is going to make Windows a target. Switching is obviously the correct answer. Despite what you believe.
In fact, users of other browsers and OSes should not advertise their non-mainstream choice:
Why not, since they are more secure and superior to IE and Windows
smaller user base- less attractive to hackers. Stay secure while obscure. Enjoy while it lasts
Obscurity never works. That is one main reason m$ has failed. Small user base? Well like I said webservers running Apache and Linux were NOT affected yet those running IIS and windows as well as the Windows Desktop were.
Sure a worm might infect Linux/Unix but the fact remains it WILL NOT affect it as much as it will infect Windows. We have more than just FUD and PR, we have evidence, facts and proof. That Windows is just plain insecure no matter what version it is.
grammer troll::
Must be because I’m right!
Must be because I’m right!
Well, you’re half right anyway. Windows is horribly insecure out of the box, but nothing a little patching, an alternate browser, and a firewall can’t fix. Once properly hobbled, it’s about as secure (or not) as anything else.
I don’t get it, last few days major MS FUD about how secure MS products are when you compare to Mac OS X, Linux, Unix, etc. Today major security flaw (yet again, as usual, as regular as rain) that screws up the winning 90% of OS users (yes, Win), and then you guys still claim that with some “hobbling” Win can be as secure as any other????? What the flying feathers are people on? Look, I started and ran most of my life on M$ crud. I can understand propping up your decisions to stay with the system you spent all that cash on. I can respect you guys saying we are just zealots, after all we are, a lot of the time. We have, it seems, a very good reason to be a little on the zealot side… peace of mind. No, Mac’s not perfect. Never will be, but I can live with the fact there’s only 5-10% of the market share. I feel for you guys, that’s why I switched to the Unix world. Got sick of the M$ B$, got sick of slowdowns, spyware, and virus after virus, excuse after excuse. Oh, you don’t like it? So sorry, maybe in 4-5 years the next one will be better, more secure. Hahahaha, right. Time for the world to pull Bill’s teat out of your mouth, and learn something new. We can always go back if it’s not as good. As they say, “Your misery is fully refundable!!!” If Windows is to remain this bad, I don’t ever see myself going back. Thanks
“So I guess people who were infected by this have you and Jelmer to thank then. I know MSIE is an insecure piece of crap, but a lot of people don’t know any better, and it sure as hell don’t help when you give crackers a HowTo on how to break into people’s systems.”
The Internet doesn’t quite work like that
in general such information isn’t censored very fast, and most of the time it is the people responsible for insecurity who are to blame.
Don’t shoot the messenger. Don’t shift responsibilities. We cannot fix the source. Only Microsoft is able to. The people who don’t know any better and who are running Windows XP have by default auto-patching on. If Microsoft released a patch, they’d be secure.
Apparently, you do not know the facts. Please learn about this specific exploit before giving your opinion. I did.
No you didn’t, all you said was that if someone was using a different browser then the same thing would happen. Bullshit. It’s happening because of IE.
If you claim to know about this exploit then post a link to the information. You see, unlike you. I have the above posted story in itself to back me up.
If you are still not convinced, after learning about how that exploit works, please explain why would not it work if Internet Explorer were a non-integrated standalone browser.
I can’t. Can you?
Of course not. That’s because, just like the above statement. You are just pulling things out of your ass.
The patch system in Microsoft and Linux works the similar way: a bug is found, reported, its severity estimated, and its fix priority is based on its severity.
However Linux does patch their software very quickly without having to make up a giant SP3213543464 that would end up with an infected machine.
That statement explains both embarrassing Linux company web site hack because known exploit fix was not backported to 2.4 kernel, and explains embarrassing Microsoft snafu.
So you keep saying. Where is the information to this. Has a worm or virus infected Linux like this the way it has windows. NO! Because Linux is about quality not just about Marketing PR!
Your explanation does not. Well, yours just limits itself to “Microsoft sucks and browser should not be part of the OS. Why? Because!”
No you are saying why? then because. I’ve said it once and a billion times. IE is full of holes as well as windows itself.
The answer to this question is yes. Check what had happened in Stanford U.
Hint: they suggest that the only reliable fix of the problem is to reinstall the OS, wiping out disk completely.
Bullshit. Where is the information on this? Stop making stuff up it makes you look idiotic and desperate.
As for PNG image problem: it is very similar to current IE issue, and even more critical if exploited. Why was not it exploited, Mr. Solaris? Obscurity explains it well.
Bullshit! Show where this bug is critical? Again just more M$ FUD.
Same was as Linux and Solaris computers in Stanford U. were: using known vulnerabilities for which patches do exist. So, what is your point, again?
The point is that while you are stirring up wild stories I have proof that M$ is the only one here that IS a threat to security.
So that bug ain’t going to be fixed any time soon.
We are doomed.
If it’s M$ then yep you are!
Wrong, Mr. Expert, wrong again! A hacker has to penetrate ANY type of Web server to force that security exploit on a user. Read the facts.
I have and unlike yourself not spinning off wild stories. A hacker penetrated IIS servers to which it was redirected to Russian servers.
Even then the windows desktop was the end result.
Yes, they did target IIS, it only says they run Windows box and did not bother to hack Apache.
Wait a minute, didn’t you just say that they compromised Apache servers, yet look, by your own admission they did not bother to hack Apache.
If you say that hacked Apache Web server can not infect end user- you are wrong. Again.
But because I have the facts, I am right.
Correct: the worst known Windows worm infected less than 5% of Windows desktop user base.
I do not say that over a million desktops between every infection is only 5%. I say at least 75%.
How many Linux desktops is 5% of Linux desktop user base?
Nope around 25% at least! With NO infection, spyware or stability problems!
So, you are 100% true here: due to minuscule desktop user base the effect of Linux desktop infection is negligible. Obscurity has some benefits, my friend.
What ‘obscurity’? Like I said before. Even if Linux had the 95% desktop space as M$ IT would not be as bad as it is now JUST by the design alone.
That windows is just plain insecure no matter what version it is.
Currently yes.
Right… How many viruses, worms and spyware is running on your Windows computer?
Windows XP= Over 35 Spyware a month, Scanned and removed by anti-spyware software. Worms. That depends on the outbreak but I have seen machines that have been infected over 500 times or more. XP seems to have taken the lead in the shop for the OS that needs the most repairs, followed by win 2k3!
I’ve worked in both a repair and diagnostic center as well as on a typical IT staff. I can definitely tell ya. They haven’t improved in the computing department. But Ballmer has gotten more entertaining over the years by evidence of his little monkey dance.
How many of the recent major worms or viruses have made it into a Windows system with NO user intervention? What percent of viruses and worms infect a Windows system with NO user intervention? What viruses will an up-to-date copy of XP or 2k get simply by being on the internet with NO applications or servers running?
The only spyware or virus I have ever gotten on my systems (2 servers and a desktop) are from downloads that I was not 100% sure of, but ran anyways.
“how many of the recent major worms or viruses have made it into a windows system with NO user intervention?”
Loads, considering loads exploited unfixed vulnerabilities in a specific browser, a specific mail program, and a specific OS. Or do the first 2 not fall under “no user intervention”. Then it’s only the services, and those were also exploited (hint: RPC).