[News] [Rival] "Huge Security Problem in Internet Explorer" (All Versions Affected) - Linux


  1. [News] [Rival] "Huge Security Problem in Internet Explorer" (All Versions Affected)

    Ghostly threat to Internet Explorer users

    ,----[ Quote ]
    | Microsoft certainly never imagined anything like this. A talk given behind
    | closed doors at the Microsoft BlueHat Security Briefing revealed a huge
    | security problem in Internet Explorer. Presenter Manuel Caballero
    | demonstrated a far-reaching espionage tool that can trap users who are merely
    | visiting a web site. His spooky summary read: "Do you believe in ghosts?
    | Imagine an invisible script that silently follows you while you surf – even
    | after changing the URL 1,000 times. And this ghost is able to see everything
    | you do, including what you are surfing and what you are typing (passwords
    | included), and even guess your next move."
    |
    | [...]
    |
    | Eduardo Vela demonstrates that even Microsoft's new browser generations are
    | not immune to such problems. He found out that, in order to circumvent
    | protective measures when accessing location, all you need do is make a string
    | look unlike a string. He used this approach to implement a simple demo with a
    | primitive keylogger that he claims also works with IE7 and the beta versions
    | of IE8. And sure enough, after we went to his demo URL in Internet Explorer 7
    | on a test system, his code persistently followed us across many sites and
    | snooped on what we were doing. Even after we typed in a heise URL by hand and
    | went to it, his "Caballero Listener" picked up all our keyboard input and
    | displayed it in a stolen IFrame.
    `----

    http://www.heise.de/english/newstick...181/from/rss09


    Related

    Microsoft : Arrogance leads to Vulnerability

    ,----[ Quote ]
    | Chatting with the Microsoft senior sales people, I was struck by
    | their incredible arrogance. They know the company's products are good,
    | but they have no qualms whatsoever about charging top dollar as a
    | result.
    |
    | It reminds us how Microsoft used to behave when it comes to their
    | products' security records. IE5 and 6 were nothing short of being
    | proper Swiss Cheese with loads of holes in them but hey, they had 95%
    | of the browser market at that time and couldn't care less.
    `----

    http://securityblog.itproportal.com/?p=514

  2. Re: [News] [Rival] "Huge Security in Roy Schestowitz" (All Versions Affected)

    On Mon, 30 Jun 2008 11:18:34 +0100, Roy Schestowitz wrote:

    >| after changing the URL 1,000 times. And this ghost is able to see everything
    >| you do, including what you are surfing and what you are typing (passwords
    >| included), and even guess your next move."
    >
    > http://www.heise.de/english/newstick...181/from/rss09


    From the link:

    "Whether changing over to alternative browsers such as Firefox gives any
    real protection is still to be shown. Security expert Nate McFeters has
    seen the original "ghosts" presentation and claims in his blog that the
    problem affects all browsers."

  3. Re: [News] [Rival] "Huge Security in Roy Schestowitz" (All Versions Affected)

    On 2008-06-30, Erik Funkenbusch claimed:
    > On Mon, 30 Jun 2008 11:18:34 +0100, Roy Schestowitz wrote:
    >
    >>| after changing the URL 1,000 times. And this ghost is able to see everything
    >>| you do, including what you are surfing and what you are typing (passwords
    >>| included), and even guess your next move."
    >>
    >> http://www.heise.de/english/newstick...181/from/rss09

    >
    > From the link:
    >
    > "Whether changing over to alternative browsers such as Firefox gives any
    > real protection is still to be shown. Security expert Nate McFeters has
    > seen the original "ghosts" presentation and claims in his blog that the
    > problem affects all browsers."


    Also from the link:

    If you take into account that hundreds of thousands of sites are
    compromised right now, the implication is that you'd better not use
    Internet Explorer to visit any more important sites.

    And, from the part you left off of the paragraph you added:

    We can however safely assume that a combination of Firefox with the
    NoScript add-on offers reduced exposure to such attacks.

    If IE could use something like NoScript, it might stand /some/ chance.
    It can't, so it doesn't.

    Firefox /can/ use it. I know because I've had it installed for a long
    time. We can "safely assume" we're faced with reduced exposure, those
    of us who use it.

    Use IE and you can "safely assume" you're being owned in yet another
    way several times every day.

    Nice to know. I use IE for two things: to get mail at work, and to
    connect to an internal Citrix server for some work-related things.

    --
    "Ironically, Microsoft's efforts to deny interoperability of Windows
    with legitimate non-Microsoft applications have created an environment
    in which Microsoft's programs interoperate efficiently only with Internet
    viruses." -- Dan Geer.

  4. Re: [News] [Rival] "Huge Security in Roy Schestowitz" (All Versions Affected)

    On 2008-07-01, Sinister Midget claimed:

    > Nice to know. I use IE for two things: to get mail at work, and to
    > connect to an internal Citrix server for some work-related things.


    The Citrix link woiks in Firefox. There goes IE for one thing.

    Once I can get logged into the network over linux (which I plan on
    starting to work out in earnest now that I don't need IE), there goes
    Windross, too. Evolution or TBird shouldn't be too much trouble after
    that.

    --
    Yesterday it worked.
    Today it is not working.
    Windows is like that.

  5. Re: [News] [Rival] "Huge Security in Roy Schestowitz" (All Versions Affected)

    * Sinister Midget peremptorily fired off this memo:

    > On 2008-07-01, Sinister Midget claimed:
    >
    >> Nice to know. I use IE for two things: to get mail at work, and to
    >> connect to an internal Citrix server for some work-related things.

    >
    > The Citrix link woiks in Firefox. There goes IE for one thing.
    >
    > Once I can get logged into the network over linux (which I plan on
    > starting to work out in earnest now that I don't need IE), there goes
    > Windross, too. Evolution or TBird shouldn't be too much trouble after
    > that.


    The problem I had with Evolution was that the only place to get our
    "certificates" from was Verisign. Those assholes require ActiveX to
    access the software. So I had to use a virtual Billybox to get the
    certificate, then use Outlook Anal Express to extract the certificate.

    So I guess it wasn't really a problem with Evolution after all, but with
    the cancerous intrusion of one proprietary company's closed technology
    into what should have been the open process of obtaining credentials for
    my e-mailings.

    Microsoft -- making things difficult for others to force you to use
    their platform.

    --
    You will pass away very quickly.

  6. Re: [News] [Rival] "Huge Security in Roy Schestowitz" (All Versions Affected)

    Linonut wrote:

    > The problem I had with Evolution was that the only place to get our
    > "certificates" from was Verisign. Those assholes require ActiveX to
    > access the software. So I had to use a virtual Billybox to get the
    > certificate, then use Outlook Anal Express to extract the certificate.
    >
    > So I guess it wasn't really a problem with Evolution after all, but
    > with the cancerous intrusion of one proprietary company's closed
    > technology into what should have been the open process of obtaining
    > credentials for my e-mailings.
    >
    > Microsoft -- making things difficult for others to force you to use
    > their platform.


    So Verisign required MS technology, but it's MS making things difficult?


    Signed, Linonut
    Top Tier Idiot
    Windows Developer For Life




  7. Re: [News] [Rival] "Huge Security in Roy Schestowitz" (All Versions Affected)

    Linonut wrote:
    > * Sinister Midget peremptorily fired off this memo:
    >
    >> On 2008-07-01, Sinister Midget claimed:
    >>
    >>> Nice to know. I use IE for two things: to get mail at work, and to
    >>> connect to an internal Citrix server for some work-related things.

    >> The Citrix link woiks in Firefox. There goes IE for one thing.
    >>
    >> Once I can get logged into the network over linux (which I plan on
    >> starting to work out in earnest now that I don't need IE), there goes
    >> Windross, too. Evolution or TBird shouldn't be too much trouble after
    >> that.

    >
    > The problem I had with Evolution was that the only place to get our
    > "certificates" from was Verisign. Those assholes require ActiveX to
    > access the software. So I had to use a virtual Billybox to get the
    > certificate, then use Outlook Anal Express to extract the certificate.


    "virtual Billybox" lol! I always preferred "Spoutchuck Distress" for the
    other one.

  8. Re: [News] [Rival] "Huge Security in Roy Schestowitz" (All Versions Affected)

    * Sinister Midget peremptorily fired off this memo:

    > On 2008-07-02, Linonut claimed:
    >
    >> Microsoft -- making things difficult for others to force you to use
    >> their platform.

    >
    > And they /still/ have increasing trouble shoving it down people's
    > throats.


    Just think how /close/ we came to having nothing but Windows.

    What a bleak "outlook".

    --
    Are we on STRIKE yet?
