IE hack and spam link [message #573766] Thu, 03 January 2013 01:45
Michel Cadot
Messages: 60063
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
A 0-day bug was found in IE (version < 9.0) that leads to spam links anywhere in the page and the ability to run malicious code if you click on them, as in the following page, where "complete" in the code was changed to a link and a popup appears when you pass over it (do NOT click on it):

./fa/10577/0/

A solution (if you can't upgrade IE or go to another browser) is to go there and click on the following fix:

./fa/10578/0/

download the msi file and execute it.
Note: this workaround does not work for all cases of the bug.

Regards
Michel
Re: IE hack and spam link [message #573777 is a reply to message #573766] Thu, 03 January 2013 02:17
Frank Naude
Messages: 4420
Registered: April 1998
Senior Member
Great info, thanks Michel!

I assume the offending message was deleted? Anything we can do to proactively filter it out?
Re: IE hack and spam link [message #573778 is a reply to message #573766] Thu, 03 January 2013 02:27
Littlefoot
Messages: 19901
Registered: June 2005
Location: Croatia, Europe
Senior Member
Account Moderator
I use Opera for everyday browsing; however, we do use IE 8 at work when running our applications. However, I don't see any link ... not on "complete", not anywhere.

./fa/10579/0/
  • Attachment: 0_bug.png
    (Size: 34.22KB, Downloaded 251 times)
Re: IE hack and spam link [message #573779 is a reply to message #573777] Thu, 03 January 2013 02:29
Michel Cadot
Messages: 60063
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Actually the links are dynamic, that is, if you reload the page the links will be on other words.
For the moment I didn't see how to filter them out.

Regards
Michel
Re: IE hack and spam link [message #573780 is a reply to message #573778] Thu, 03 January 2013 02:34
Michel Cadot
Messages: 60063
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
As I said, the links are dynamic.
See the 2 shots of your message: the first one got a link on "applications"; I reloaded the page and the link was no longer there.

./fa/10580/0/
./fa/10581/0/

Regards
Michel
  • Attachment: OraFAQ2.JPG
    (Size: 60.78KB, Downloaded 236 times)
  • Attachment: OraFAQ3.JPG
    (Size: 39.86KB, Downloaded 238 times)
Re: IE hack and spam link [message #573782 is a reply to message #573780] Thu, 03 January 2013 02:39
Littlefoot
Messages: 19901
Registered: June 2005
Location: Croatia, Europe
Senior Member
Account Moderator
I did that, quite a few times (reloaded that page - that topic, I mean). No link, anywhere (unless I can't spot it, but that would be nonsense - who would click on something he can't see?).

So I'm wondering: is it only you (Michel) who sees it, or does someone else experience the same? Because, I don't.

What/who is the culprit? Is it that topic? Certain words in it? The whole OraFAQ site? Any page on the internet viewed with Internet Explorer (version < 9, as you say)?

Re: IE hack and spam link [message #573785 is a reply to message #573782] Thu, 03 January 2013 02:57
Michel Cadot
Messages: 60063
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Some observations:
* It is on any word except those that are already part of a link.
* It changes any time you reload the page.
* I saw it with pages in any site with Google ads (for instance, I didn't see it on OTN or tahiti but I saw it on dba-village).
* Here I saw it in all forum pages except the "Home" one. I didn't see it in the Wiki part of the site.
* When there is such a link, the "View source" command is disabled (that is, it does not return the source; this is why it is hard to find where the problem actually resides).
* It does not appear with FF.
* Most important compared to you: it is IE 7 (7.0.5730.13), so maybe IE8 does not suffer from this part of the bug.

The bug was reported by the secuser.com site, here's the link (I have it in French, don't know if the site dynamically chooses the language).

Regards
Michel

[Edit: typo]

[Updated on: Thu, 03 January 2013 03:40]

Re: IE hack and spam link [message #573786 is a reply to message #573785] Thu, 03 January 2013 03:03
Littlefoot
Messages: 19901
Registered: June 2005
Location: Croatia, Europe
Senior Member
Account Moderator
I see ... thank you for the information!

IE 7 is rather old now; I *think* that I might have it at home (or even IE 6) - will check it later today.
Re: IE hack and spam link [message #573796 is a reply to message #573786] Thu, 03 January 2013 04:28
Michel Cadot
Messages: 60063
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Quote:
IE 7 is rather old now


You're right, I kept it on my laptop to be compliant with one of my clients (the worst one).
Now I installed IE8 and I no longer have these spam links.
Nevertheless, the bug still exists in this version and you can run some malicious code if you click on a link bomb on a site, which should not happen on OraFAQ as it is then an intentional "feature" hidden in the page.
The fix is still welcome in this version.

Regards
Michel
Re: IE hack and spam link [message #573798 is a reply to message #573796] Thu, 03 January 2013 04:33
Littlefoot
Messages: 19901
Registered: June 2005
Location: Croatia, Europe
Senior Member
Account Moderator
Michel Cadot wrote on Thu, 03 January 2013 11:28

... one of my clients (the worst one).

I'd love to hear more about that ./fa/10057/0/
Re: IE hack and spam link [message #573805 is a reply to message #573798] Thu, 03 January 2013 05:03
Michel Cadot
Messages: 60063
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Just the one which wants to keep the oldest possible version of all products. Evil or Very Mad

But I spoke too fast.
I still have from time to time the spam link, here's what I got with the answer I posted just before this one:

./fa/10583/0/

./fa/10584/0/

Why me? ./fa/1637/0/

Regards
Michel
  • Attachment: OraFAQ4.JPG
    (Size: 95.40KB, Downloaded 212 times)
  • Attachment: IE8.JPG
    (Size: 14.40KB, Downloaded 205 times)
Re: IE hack and spam link [message #573809 is a reply to message #573805] Thu, 03 January 2013 05:14
Michel Cadot
Messages: 60063
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
I found the culprit: http://ajax.googleapis.com/ajax/libs/jquery/*.js
Just put it in your "untrusted" site list and everything goes away.
Maybe you already have it or maybe your proxy removes/censors it.

Regards
Michel
Re: IE hack and spam link [message #573812 is a reply to message #573809] Thu, 03 January 2013 05:31
Littlefoot
Messages: 19901
Registered: June 2005
Location: Croatia, Europe
Senior Member
Account Moderator
Well, yes, many things are under control of our administrators so this might be one of them. I reviewed IE's settings but couldn't locate "untrusted site list". There are "trusted sites" (Tools - Internet Options - Security tab), but they are grayed out (and there's the information line saying that "some settings are managed by your system administrator").

Never mind me - I never got the chance to win iPad 2 anyway. Hopefully, what you found will help someone else.
Re: IE hack and spam link [message #573820 is a reply to message #573812] Thu, 03 January 2013 06:26
Michel Cadot
Messages: 60063
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
I called it "untrusted site" but I don't know the real name; in French it is "sites sensibles" as opposed to "trusted sites" which is "sites de confiance".

I think my problem also comes from the fact that I put OraFAQ in the "trusted sites" list and so JavaScripts are executed without any warning.
Anyway, I think Google is more and more aggressive with its ads and I see modifying the content of the pages as really rude.

Regards
Michel
Re: IE hack and spam link [message #573952 is a reply to message #573820] Fri, 04 January 2013 09:15
Michel Cadot
Messages: 60063
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Good news for me: my provider (Free) decides to start a fight against adverts and so now blocks all adverts (including Google ones, but except, of course, on its site or on the sites of its shareholders or those in which it is itself a shareholder, like the French paper Le Monde).

A big fight that is currently reaching the top of our government.
The points are:
1/ An internet basic principle (if not the prime one) is that a provider should be neutral and not remove or add anything to page content.
2/ It is an attack against anyone's freedom as only the end user knows and should decide if he wants or not to have adverts.
3/ It is an attack against free sites that get money only from adverts and so put them in danger.
4/ Now it removes adverts and so there is no reason that soon it removes, for instance, X images, Muslim or Buddhist contents, or... there is no limit if we accept this one.
For instance, I can no longer support OraFAQ site by clicking on the advert at top of the pages.

Regards
Michel
Re: IE hack and spam link [message #573957 is a reply to message #573952] Fri, 04 January 2013 09:54
Littlefoot
Messages: 19901
Registered: June 2005
Location: Croatia, Europe
Senior Member
Account Moderator
(As for me, testing older IE versions at home - I was wrong, none is left there).
Re: IE hack and spam link [message #614913 is a reply to message #573957] Wed, 28 May 2014 11:25
Lalit Kumar B
Messages: 2544
Registered: May 2013
Location: World Wide on the Web
Senior Member
Good information Smile

I tried to check with the Chrome browser, didn't see such a thing. Searched Google if Chrome ever had it or is it vulnerable to such an attack, alas, didn't find anything. Does that mean Chrome is a better option over IE? (However, my organization's risk and compliance team only allows IE at office, not sure why exactly. I would like to make the risk compliance team aware of any such potential attack, what say?)
Re: IE hack and spam link [message #614914 is a reply to message #614913] Wed, 28 May 2014 11:40
Michel Cadot
Messages: 60063
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

It is more than one year old, maybe Google no longer does this, I nevertheless still keep the mentioned script blocked and only activate it when I really need it on a site.
I use NoScript, AdBlock and Ghostery to block with FF and IE. I do not trust Google and so do not use Chrome.

Re: IE hack and spam link [message #614916 is a reply to message #614914] Wed, 28 May 2014 12:16
Lalit Kumar B
Messages: 2544
Registered: May 2013
Location: World Wide on the Web
Senior Member
Really good information shared by you Michel. I will share this with the risk analysis team at my organization. They might find it useful too as a precautionary step. Thanks Smile