Yet another reason . . .


Cronthenoob

http://www.securityfocus.com/brief/307 I thought this was pretty interesting. They still haven't fixed it as far as I know either. People are using this as a way to install keyloggers on machines, then using their usernames and passwords. A lot of people that play World of Warcraft are clicking on seemingly harmless links in the official forums, then logging into their accounts with all of their items and money gone.
I've been researching this keylogger stuff, but no one seems to have publicly analyzed the keylogger that I can see.
What I do know is that the keylogger that has been circulating infects your system after you click certain web links -- The particular extensions of the links are reported to be:
1. ".jpg.htm" Example: http://www.fakesite.info/fourhorsemendown.jpg.htm
2. ".jpg.html" Example: http://www.fakesite.info/fourhorsemendown.jpg.html
3. ".scr" Example: http://www.fakesite.info/sapphironloot.scr
Those that aren't already infected should be VERY cautious when following links from the worldofwarcraft.com forums and other related gamer forums. The keylogger is reported to install itself after you click an unsuspecting link. Users have reported getting a "404" Page not Found type error, then shortly after having their account compromised.
I'm sure video game passwords aren't the only things that are being stolen.
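For forum moderators or proxy operators, the three link patterns reported in the post above can be checked mechanically. The following is an added example, not part of the original thread: the function names and the list of decoy image extensions are assumptions, and the sample post text is constructed around the example URLs quoted above.

```python
import re
from urllib.parse import urlsplit, unquote

IMAGE_EXTS = {"jpg", "jpeg", "gif", "png", "bmp"}  # assumption: decoy image types
PAGE_EXTS = {"htm", "html"}
EXEC_EXTS = {"scr"}                                # the only executable type the post names

URL_RE = re.compile(r"https?://[^\s<>'\"]+", re.I)


def classify_link(url):
    """Return a reason string if the URL matches a reported pattern, else None."""
    path = unquote(urlsplit(url).path)             # ignore query string and fragment
    name = path.rsplit("/", 1)[-1].lower().rstrip(".")
    parts = name.split(".")
    if len(parts) >= 2 and parts[-1] in EXEC_EXTS:
        return "screensaver executable (.scr)"
    if len(parts) >= 3 and parts[-1] in PAGE_EXTS and parts[-2] in IMAGE_EXTS:
        return "image name that is really an HTML page (.%s.%s)" % (parts[-2], parts[-1])
    return None


def flag_links(post_text):
    """Scan post text and return [(url, reason)] for links to hold for review."""
    hits = []
    for match in URL_RE.finditer(post_text):
        url = match.group(0).rstrip(".,)")         # drop trailing sentence punctuation
        reason = classify_link(url)
        if reason:
            hits.append((url, reason))
    return hits


# Constructed sample post; the first three URLs are the examples quoted in the thread.
SAMPLE_POST = (
    "Check the kill: http://www.fakesite.info/fourhorsemendown.jpg.htm\n"
    "mirror http://www.fakesite.info/fourhorsemendown.jpg.html and\n"
    "loot table http://www.fakesite.info/sapphironloot.scr.\n"
    "guide: http://www.fakesite.info/guide.html, pic http://www.fakesite.info/photo.jpg\n"
)

if __name__ == "__main__":
    for url, reason in flag_links(SAMPLE_POST):
        print(url, "->", reason)
```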

For all we know, links like that may be posted here as well. Anyone using IE should follow the advice that Microsoft gave a while back - since the status bar in IE can also be faked with a fake URL in it, don't click on any links. Instead, just type all URLs in yourself. Clicking is for the naive, or people who use competent browsers.
Also, here is Microsoft's advisory about it, and some more information.

Currently there are thousands of sites on the web that use the Web Attacker Toolkit
Thousands of sites people, thousands of sites (you hear me Dan?)

For all we know, links like that may be posted here as well. Anyone using IE should follow the advice that Microsoft gave a while back - since the status bar in IE can also be faked with a fake URL in it, don't click on any links. Instead, just type all URLs in yourself. Clicking is for the naive, or people who use competent browsers.
Also, here is Microsoft's advisory about it, and some more information.
Thousands of sites people, thousands of sites (you hear me Dan?)
But he has Spy Sweeper! It is not up to IE to prevent attacks :) :)

On Secunia, this flaw is actually being reported as a Windows flaw, not an IE flaw. IE is the attack vector, but the flaw is part of Windows. The 'vulnerable' list is pretty impressive:

Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
...
This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a malicious VML document containing an overly long "fill" method inside a "rect" tag with the Internet Explorer browser.
Successful exploitation allows execution of arbitrary code with the privileges of the application using the vulnerable functionality in the library.
Phew. It's a good thing IE is not tied to the OS or anyth.. oh wait...
The vulnerability is currently being actively exploited. The vulnerability is confirmed on a fully patched Microsoft Windows XP SP2 system. Other versions may also be affected. According to Microsoft, other unspecified vulnerabilities also exist.
Wow, thanks for the details.
But wait, there's more! The same week, this advisory was also issued for IE: http://secunia.com/advisories/21910/
Some highlights..
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x
...
Successful exploitation allows execution of arbitrary code.
...
Secunia has successfully created a fully working exploit for Windows XP SP2 (fully patched).
Solution: Only allow trusted websites to run ActiveX controls.
7 little words that Microsoft hates to hear.. "Successful exploitation allows execution of arbitrary code."
And since I'm Fair And Balanced™, watch out for this one as well:
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Mozilla Firefox 0.x, Mozilla Firefox 1.x
...
Solution: Update to version 1.5.0.7.

Anyone using IE should follow the advice that Microsoft gave a while back - since the status bar in IE can also be faked with a fake URL in it, don't click on any links. Instead, just type all URLs in yourself.
I forgot why I went to Secunia in the first place, I was looking for this "solution". I think it was this advisory: http://secunia.com/advisories/14304/
Solution: Never follow links from untrusted sources.
*slap forehead*
The example code is there as well:
<p><a id="SPOOF" href="[malicious_site]"></a></p><div><a href="[trusted_site]"><table><caption><a href="[trusted_site]"><label for="SPOOF"><u style="cursor: pointer; color: blue">[trusted_site]</u></label></a></caption></table></a></div>

sneaky...

Solution: Disable Active Scripting or use another product.
seriously..
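The markup quoted in the post above hides the real destination behind a label whose "for" attribute points at a second anchor. The following is an added example, not part of the original thread or the advisory: it scans HTML for that structure, the class and function names are assumptions, and the sample is the quoted markup with constructed example hosts in place of the placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the advisory's markup with example hosts in the placeholders.
SAMPLE = (
    '<p><a id="SPOOF" href="http://malicious.example/"></a></p>'
    '<div><a href="http://trusted.example/"><table><caption>'
    '<a href="http://trusted.example/"><label for="SPOOF">'
    '<u style="cursor: pointer; color: blue">http://trusted.example/</u>'
    '</label></a></caption></table></a></div>'
)


class LabelLinkScanner(HTMLParser):
    """Record anchors that carry an id and labels nested inside a link."""

    def __init__(self):
        super().__init__()
        self.anchor_by_id = {}  # id -> href of the anchor carrying that id
        self.open_hrefs = []    # hrefs of the <a> elements currently open
        self.labels = []        # (label "for" value, href of the enclosing <a>)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a":
            href = attr.get("href") or ""
            self.open_hrefs.append(href)
            if attr.get("id"):
                self.anchor_by_id[attr["id"]] = href
        elif tag == "label" and attr.get("for") and self.open_hrefs:
            self.labels.append((attr["for"], self.open_hrefs[-1]))

    def handle_endtag(self, tag):
        if tag == "a" and self.open_hrefs:
            self.open_hrefs.pop()


def host(url):
    return (urlsplit(url).hostname or url).lower()


def find_label_spoofs(html):
    """Return (shown_href, real_href) pairs where a label inside one link
    forwards the click to an anchor on a different host."""
    scanner = LabelLinkScanner()
    scanner.feed(html)
    scanner.close()
    # Resolve after parsing, since the target anchor may appear after the label.
    pairs = [(shown, scanner.anchor_by_id.get(ref)) for ref, shown in scanner.labels]
    return [(s, r) for s, r in pairs if r is not None and host(r) != host(s)]
```

A label that points at a form control, or at an anchor on the same host as the visible link, is not reported.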

Other browsers are safe, but not just because they don't recognize VML. The problem isn't that IE recognizes VML, the problem is that it doesn't account for the stack buffer overflow. Other browsers are pretty good about checking for buffer overflows, but I think that's probably the #1 way that exploits happen in Windows, Office, and IE.
It's worth noting that this has been patched today: http://blogs.pcworld.com/staffblog/archives/002851.html
