Favicons Temporarily Disabled
What are favicons?
Favicons are the small icons in tabs and beside the address bar that appear for sites.
There shouldn't be any issue on our end for displaying them on the news as it's inline, but I'm taking the precautionary stance. The primary basis is to not be downloading them to the server for now.
There shouldn't be any issue on our end for displaying them on the news as it's inline, but I'm taking the precautionary stance. The primary basis is to not be downloading them to the server for now.
---
Tell me to get back to rewriting this site so it's not horrible on mobile
SteelAttack said:What are favicons?
I disabled the favicons in Firefox. Is that all that's needed to be safe?
The issue is much broader than just the favicons, that's just a vector. The problem is in Windows shell itself (the graphical display infrastructure used for GUIs).
From my perspective, the demonstrated possibility to exploit it through favicons was the most significant known concept thus far, but it's just a symptom. There's no real workaround as it's too integral to the entire operating system (the result would be disabling ALL icon displays). Though if you worked locally in DOS and browsed the web on Lynx you'd be safe.
EDIT: Actually, there is technically the ability to replace the Windows shell with a third-party program, but it's not a nice process. Just avoid the dark places of the net, don't let random people with USB sticks near your computer, and keep patched as updates come along.
From my perspective, the demonstrated possibility to exploit it through favicons was the most significant known concept thus far, but it's just a symptom. There's no real workaround as it's too integral to the entire operating system (the result would be disabling ALL icon displays). Though if you worked locally in DOS and browsed the web on Lynx you'd be safe.
EDIT: Actually, there is technically the ability to replace the Windows shell with a third-party program, but it's not a nice process. Just avoid the dark places of the net, don't let random people with USB sticks near your computer, and keep patched as updates come along.
Edited: Sun, 25 Jul 2010 04:57:25
---
Tell me to get back to rewriting this site so it's not horrible on mobile
I never click those things.
gamingeek said:
I never click those things.
They aren't for clicking.
---
Tell me to get back to rewriting this site so it's not horrible on mobile
YODABOTS WAGE THEIR BATTLES TO DESTROY THE EVIL FORCES OF THE FAVICONS!
old 
It's so funny. It's a vulnerability with .lnk files yeah? I think they waited to exploit it until MS turned off support for 2K and XP a couple of weeks ago. Not really, no one has that much patience, but still it was good timing.
But good catch on that. I didn't even think of the use of favicons on the site.
It's so funny. It's a vulnerability with .lnk files yeah? I think they waited to exploit it until MS turned off support for 2K and XP a couple of weeks ago. Not really, no one has that much patience, but still it was good timing.
But good catch on that. I didn't even think of the use of favicons on the site.
Edited: Mon, 26 Jul 2010 00:40:52
An out-of-cycle patch was released yesterday, so make sure you've updated if you're running Windows. Note, however, that support for Windows XP SP2 is officially stopped, so you aren't getting patches anymore. Move to SP3 if you're still on XP.
---
Tell me to get back to rewriting this site so it's not horrible on mobile
Log in or Register for free to comment
Recently Spotted:
robio (32s)
Details here: http://secunia.com/advisories/22159/
---
Tell me to get back to rewriting this site so it's not horrible on mobile