IE Exploit, Windows 1.0 anniversary (and Big Bird's days numbered?)
In today's IT Blogwatch, we look at the latest IE exploit and celebrate the anniversary of Windows 1.0. And are Big Bird's days numbered?
Yawn ... another day, another Microsoft IE exploit. Brian Krebs writes "I'm still wading through the code to figure out exactly what this bugger does, but it appears to exploit a vulnerable, unpatched component of Javascript in IE to run any program residing on the victim's system. Assuming this code works, I'm afraid that we will very soon see Web sites using it to install spyware, adware or viruses on visiting PCs. Until Microsoft issues some sort of workaround or patch, I would recommend anyone using IE to switch browsers. Now would be an excellent time to give another browser a whirl, such as Firefox, Opera or Netscape." Update: "Microsoft says it is investigating reports of a vulnerability in IE for customers running Windows 2000 Service Pack 4, and for Windows XP users running Service Pack 2. Microsoft said customers running Windows Server 2003 and Windows Server 2003 SP1 in their default configurations, with the Enhanced Security Configuration turned on are not affected."
» Robert McMillan, IDG News Service: "Security experts are warning Internet users to be careful where they click, thanks to a nasty unpatched bug in the way Microsoft Corp.'s Internet Explorer browser handles the JavaScript computer language. The bug is of particular concern because security researchers in the U.K. have now published "proof of concept" code showing how hackers could exploit the problem and possibly take over a Windows system. Users would need to be tricked into clicking on a Web link in order to launch the malicious code, [Russ Cooper, editor of the NTBugtraq mailing list and a scientist at security vendor Cybertrust Inc.] said. But once that was done, it could set up a chain of events that could ultimately let a hacker gain control of the user's system, he said. All users of Internet Explorer version 5.5 and 6.x are affected by the vulnerability, Computer Terrorism said. The problem is serious enough that Cooper believes that Microsoft will patch Internet Explorer in advance of its next monthly security update, which is scheduled to occur Dec. 13."
» Johannes Ullrich, Handler's Diary: "The bug uses a problem in the javascript 'Window()' function, if run from 'onload'. 'onload' is an argument to the HTML <body> tag, and is used to execute javascript as the page loads. The Javascript Window() vulnerability has been known for a few months now, but it has so far been treated as a denial of service (DoS) vulnerability. The author of this PoC figured out a way to use this older vulnerability to execute code. ... Turn off javascript, or use an alternative browser (Opera, Firefox). If you happen to use Firefox: This bug is not affecting Firefox. But others may. For Firefox, the extension 'noscript' can be used to easily allow Javascript for selected sites only."
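The Handler's Diary note above describes the trigger as a call to the JavaScript Window() function from an onload handler. As an added example (not code from any of the quoted sources), the following is a hypothetical content-inspection heuristic of the kind a filtering proxy or mail gateway could run: it pulls every onload attribute out of an HTML document and flags handlers that call window() directly, while leaving ordinary member calls such as window.open() alone. The sample pages are constructed for the example.

```javascript
// Added example: static heuristic that flags HTML onload handlers which call
// the Window object as a function ("window()"). Hypothetical detection logic
// for a proxy or gateway, not code from the quoted sources.

// Any attribute named onload, quoted with " or '; the handler body is captured.
const ONLOAD_ATTR = /\bonload\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

// A bare call "window(" or "Window(" (JScript treats it case-insensitively here,
// so the match is case-insensitive too). "window.open(" does not match because
// a "." follows the word, not an opening parenthesis.
const WINDOW_CALL = /\bwindow\s*\(/i;

// Return the body of every onload handler found in the document.
function findOnloadHandlers(html) {
  const handlers = [];
  let m;
  while ((m = ONLOAD_ATTR.exec(html)) !== null) {
    handlers.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return handlers;
}

// Return only the handlers that invoke window() directly.
function flagSuspiciousOnload(html) {
  return findOnloadHandlers(html).filter((h) => WINDOW_CALL.test(h));
}

// Constructed sample pages (not captured content).
const SAMPLES = {
  benign: '<html><body onload="init(); window.open(\'/help\')"><p>hi</p></body></html>',
  suspicious: '<html><body onload="Window ()"><p>hi</p></body></html>',
  noHandler: '<html><body><p>hi</p></body></html>',
};

// Count flagged handlers per sample; a gateway would block or log the hits.
function scanSamples() {
  const report = {};
  for (const [name, html] of Object.entries(SAMPLES)) {
    report[name] = flagSuspiciousOnload(html).length;
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scanSamples()); // { benign: 0, suspicious: 1, noHandler: 0 }
}
```

A regex over raw HTML is deliberately simple; it misses handlers assigned from script (body.onload = ...) and obfuscated calls, so it belongs alongside, not instead of, the advice in the quote to disable JavaScript or allow it per site.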
» Avery J. Parker: "It is noted by incidents that future javascript vulnerabilities could be found that affect other browsers such as firefox. As always keep current on updates and it pays to tune into a site such as the securityfix or Incidents.org ... I’m seeing reports of the exploit code causing browser crashes, so it may be that it’s not 100% 'effective' at the remote software execution."
Now we'll turn the clock back to simpler times, when Microsoft didn't have to deal with these types of exploits. Marc Perton, Downloadsquad: "Believe it or not, it's exactly 20 years since Microsoft released Windows 1.0. And, although the company is being fairly low-key in its celebrations of the event (except in Japan), I think it's worth commemorating." He goes on in his article to list 20 facts and features of the 1.0 release. One of them was MS-DOS Executive -- younger readers may wonder "What's that?" but many fellow baby boomers in IT will remember (but maybe not admit it). And then there's this prediction, from PC World: "Windows 'provides a simple, powerful, and inexpensive user interface that works with most popular programs. That alone is enough to guarantee consumer support to make it the de facto standard of the personal computer market.' The magazine was right, of course, though its prediction took several years to come true."
» Harry McCracken: "Okay, I'm caving...let's celebrate the 20th anniversary of Windows. What follows is "Microsoft Does Windows," a January 1984 article that's the first in-depth article PC World ever did on what was then a humble DOS add-on."
Buffer overflow:
- Scobleizer: Microsoft standardizes Office formats - Jean Paoli interview
- Niall Kennedy: Microsoft announces Simple Sharing Extensions
- Dwight: Texas AG sues Sony/BMG over rootkit
- Om Malik: Skype's Risky Retail Strategy
- Richard MacManus: The Second Coming of Content and RSS Feeds
- Ars Technica: Dell to try AMD
- Dealing With Darwin: Renovating
- Techdirt: Investor "Demands" Palm Raise Stock Price
- Techdirt: Anti-Virus Firm Admits Current Methods Can't Catch Things Like Sony's Rootkit
- Marian Prokop: Sony Pictures completes first Blu-ray movie
- Mitch Betts: Telecommuting may be the answer...
- Douglas Schweitzer: Set some ground rules before allowing employee blogging
- Martin MC Brown: Big brother by the back door
And finally... Are Big Bird's days numbered?
He's gone again... Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20-year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk. Also contributing (mostly) to today's post: Judi Dey, our very own Antipodean.