I Debug, Therefore I Exist



New Internet Explorer Exploit

It was reported on the 11th of February on Heise-Online that a new exploit was found for Windows users running any version of Internet Explorer.

As usual, the nature of the exploit is related to Microsoft trying to soften web standards in order to make the web a “friendlier” place for everyone. I wish someone would explain to Microsoft that the job of a web browser is to take a bunch of semantic code and render it. It’s not supposed to think on behalf of the user or the developer. I suspect the decision (way back when) to add this “feature” was made by non-tech-literate managers, to whom an image is an image (“Who cares about formats! I don’t want to see web pages break or act funny… just make it work the way I want it to”). Ultimately, poor decisions coming from a company as predominant in the lives of most people as Microsoft is (a company that knew that releasing a web browser by default on its operating system would amount to an instant grab of 80-90% of the browser market, although, fortunately, this is no longer the case) cause more headaches for everyone in the long run.

At the end of the day, this makes life more difficult for:

  • developers, who have to apply fixes to their increasingly hacked code and feel constantly paranoid
  • users, who end up having more of their systems compromised by clever black hats (that’s what the rest of you would call ‘hackers’, although this is a false use of the term)
  • and Microsoft, which ends up having to layer patch on top of patch, not only to fix the original problem, but to fix the mess it created (meaning an endless supply of patches, which users will eventually ignore, because they see them so often that they become apathetic).

Ok, well, rant aside… this new exploit has to do with images. If you are using Internet Explorer (and if you are, you should really consider downloading Firefox or some other alternative instead), this exploit allows hackers to inject JavaScript into images, which is then run on your system in your browser.

This may seem harmless to you, but consider this: if a malicious coder uploads a profile image to some forum or other site that does not filter the image (i.e. run it through ImageMagick or some other image processor), then they can embed JavaScript into the image. When you load the page, Internet Explorer loads all the elements on the page (HTML, CSS, JavaScript, Flash, etc.), and when IE loads one of these nasty images, it runs the code in it instead. If you are still wondering why this is bad: it allows these malicious users to control your browser in some unexpected ways, such as giving them the ability to steal your cookies. If you are still wondering why that is a bad thing: it gives those malicious users the ability to log in to your account, view your personal information, change it, steal it, pretend to be you or even lock you out of your own account.
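A server-side check of the kind the paragraph above asks sites to perform, as an added example that is not from the original post: it accepts an upload only if its leading bytes match a known image signature, its extension agrees with that signature, and it contains no HTML or script markers. The function names, the marker list and the sample bytes are assumptions constructed for illustration; re-encoding through an image processor, as the post suggests, remains the stronger control.

```python
import re

# Leading signatures of the image types a forum would accept as avatars.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Markup that has no place in an image upload. Assumption: this list is
# illustrative and is not Internet Explorer's actual sniffing table.
MARKUP = re.compile(
    rb"<\s*(?:html|head|body|script|iframe|img|plaintext|title|table|!--)"
    rb"|javascript\s*:",
    re.IGNORECASE,
)

# Constructed sample inputs (hypothetical, not taken from a real upload).
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x00\x00\x00,\x00\x00\x00\x00"
             b"\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
TAINTED_GIF = (b"GIF89a\x01\x00\x01\x00\x00\x00\x00"
               b"<script>/* constructed */</script>")


def image_type(data):
    """Return 'gif', 'png' or 'jpeg' from the leading bytes, else None."""
    for name, sigs in MAGIC.items():
        if data.startswith(sigs):
            return name
    return None


def check_upload(data, declared_ext):
    """Return (accepted, reason) for an uploaded avatar."""
    kind = image_type(data)
    if kind is None:
        return False, "not a recognised image signature"
    ext = declared_ext.lower().lstrip(".")
    if {"jpg": "jpeg"}.get(ext, ext) != kind:
        return False, "extension does not match content (%s)" % kind
    hit = MARKUP.search(data)
    if hit:
        return False, "markup at byte offset %d" % hit.start()
    return True, "ok"


if __name__ == "__main__":
    for name, blob in (("clean.gif", CLEAN_GIF), ("tainted.gif", TAINTED_GIF)):
        print(name, check_upload(blob, "gif"))
```

A valid signature alone is not enough, which is why the tainted sample is rejected even though it starts with `GIF89a`.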

I hope you realize by now how bad this exploit can be.

I tested this exploit on Microsoft Internet Explorer 6 & 7, Mozilla Firefox 3.0, Opera 9.6 and Google Chrome. I can confirm that this exploit affects only Internet Explorer 6 & 7. None of the others had this problem. I haven’t tested IE 8, but I would be surprised if it were any different until Microsoft decides to patch it (if they ever do).

As always, if you want to stay secure:

  1. Don’t use Internet Explorer. Install Firefox instead.
  2. Install NoScript. It may make your internet surfing a bit more painful at times, but the security benefits are well worth the annoyance it can cause. Remember, you always have to compromise between ease-of-use and security. You can’t have your cake and eat it too.
  3. If you absolutely have to run any version of Windows, instead of the more secure alternatives (Apple Mac OS X, Ubuntu or other flavors of Linux), make sure you update your system as soon as you are notified of an update. Don’t think you just need to keep your operating system up-to-date. You need to make sure your other software is up-to-date as well.
  4. Make sure you run your computer behind a router (a NAT router, specifically). Good home routers are quite cheap these days; even those under $50 would be sufficient. This protects you against remote execution vulnerabilities, such as the recent Conficker, because your computer will be hidden behind a router, which does not provide any direct route for people to access your computer unless it somehow expects it. This largely shields you from malicious people scanning the internet for vulnerable computers. If your computer is connected directly to your internet modem, you are asking for trouble.
  5. Maintain a “Trust No One” frame of mind, while connected to the internet. Don’t trust anyone or any site unless you can establish a reasonable degree of trust.
  6. Some of you will say, “What about a firewall or anti-virus?” If you are a Windows user, the unfortunate reality is that an anti-virus application is absolutely necessary, so give AVG or ClamWin a go. They are both free (although AVG is only free for personal use). I recommend you install both. And, as for firewalls: it can’t hurt to have a firewall installed, but, ultimately, if you follow steps 1-5 above, it will be highly unlikely you will ever need one, unless you run a big network with lots of computers and users. If you are maintaining your own home network with few computers, then there isn’t too much benefit.

Well, I hope you got something out of this security alert.

If you have any questions, just leave a comment. Good luck.


Filed under: Security

