Microsoft 24 hours late with IE8 pwn protection
Just one day after a little-known hacker dazzled his peers by exploiting the latest version of Internet Explorer 8 beta, Microsoft added an important protection to the browser that probably would have prevented the attack. The measure, which was added to last Thursday's final release of IE8, restores so-called ASLR, or address …
A Microcrap product with security vulnerabilities? Wow. That's first.
Nobody in this world knows or has written all the lines of code that run on their computer. It's trust that allows me to put sensitive information on my computer. Trust that Microsoft isn't recording my keystrokes, trust that my girlfriend hasn't remotely reprogrammed my computer to report on my precious porn collection. Trust that China doesn't routinely hide malware on all computer chips made there and shipped abroad.
So anyone that puts sensitive data on a net connected system will inevitably face the prospect of hackers sharing their secrets. There's even anti-virus for mobile phones now. Scared yet?
I've got the best story though. I saw a microwave oven whose chips had been hacked so that it showed a bomb-threat message on it's screen. Now that's hacking...
(Paris because she would have only the most exclusive viruses.)
10/10 to MS for consistency. Like we didn't expect it. ..... Duh....
IE is old news, 7 or 8 or 9 or 10 they will still be doing the same old same old.
On the flip side, what browser is without vulns? I dunno, Well done to the hacker for highlighting it for all our benefits is what I say instead of keeping it quiet!
So, IE8 was being rolled out in Beta (and released on Thursday) and they didn't include the ASLR/DEP until the day after? I mean I do believe it, I'm just not smart enough to figure out why the security gets added on D-Day plus 1.
This is marketing.
"We got sunk at the contest, but it's not a problem because we've got a new update" - ONE OF THE BLOODY MILLIONS YOU'VE HAD THIS YEAR.
There is no, nil, nada (etc) guarantee that that update would turn the browser into something safer, even if we assume for a moment it hasn't introduced another vulnerability instead (also not exactly a new event with MS patches).
If we're speculating without proof I go with current track record, which speaks very much against the assumption of MS delivering anything safe.
Fact: IE got taken apart quickly. So was Safari. So will be others. Show me facts, don't show me BS because we've had that since Windows was "incompatible" with other DOS.
The operative word is not "would", it's "might".
You will have to explain that. As far as I knew, DEP works with Windows XP on any DEP processor. What has changed?
read the arcticle properly before going "haha MS released a product with the bug", the article states that they added the protection for the feature 1 day after (for a start they would not be able to patch it in 1 day, so the patch would have ralready been in development), oh and the headline is misleading a bit as the article states that it was fixed FOR THE RELEASE, the guy managed to hit the unpatched IE 8 beta.
Nothing to see here except the kind of journalism that is normally seen in the daily mail.
"So, IE8 was being rolled out in Beta (and released on Thursday) and they didn't include the ASLR/DEP until the day after? I mean I do believe it, I'm just not smart enough to figure out why the security gets added on D-Day plus 1."
It wasn't that ASLR/DEP wasn't turned on - it was that the specific exploit wasn't fixed until the RTM version. Read the blog post for more on that. And it's worth remebering that it was a BETA version of IE8 - an incomplete version. The RTM version of IE8 had this fix from when it was released.
"A Microcrap product with security vulnerabilities? Wow. That's first."
Actually, this article is about how IE8 RTM is currently thought to be one of the most secure browsers available. It's worth remebering that the only browser that wasn't exploited is Chrome - yes, that means that even the mighty Firefox fell. So, what you should have said was "Microcrap, Bugzilla and Crapple products with security vulnerabilities? Wow. That's first."
"one of the safer ways to browse the internet is by using IE8 on Vista or Windows 7" or use a Linux machine presumably.
Didn't you do reading comprehension at school? The beta (which didn't have the ASLR/DEP) was exploited. The official release has these features in. The fact that there was a day between the beta being exploited and the final version is released is irrelevant really, and only included in the article for dramatic effect. Beta bad, final better (in this respect at least).
http://www.opera.com/docs/changelogs/windows/964/
"it means one of the safer ways to browse the internet is by using IE8 on Vista or Windows 7"
I think you mean:
"it means one of the safer ways to browse the internet *using Microsoft software* is by using IE8 on Vista or Windows 7"
How dull....
Oh look security holes in Firefox as well....now go back to school, PE's is just about to start, you'll need to hand in your note from mommy, why you need to be excused.
Note to trolls
They exploited a BETA. Whoopee F**king dooo
How is a final release a beta?
I thought only google could get away with that!
...oh so predicatable Microsoft bashing from people who either use their software, or think you should have to pay for a platform SDK...
"A Microcrap product with security vulnerabilities? Wow. That's first." - Lowest form of wit mate.
I'm fed up with this inane Microsoft bashing, none of the cliche posts ever come with any useful or pertinant information, they're just dull assertions that MS makes bad software, backed up by forth hand heresay.
It's like taking the piss out of George Bush's intellect (which I refuse to do), it's become something that stupid people do to make themselves feel cleverer.
I use Microsoft software daily (there i'm outed!), their development tools alone are absolutely top class, and anybody who has ever worked on a development project larger than your grotty little blog should have a real appreciation for quite what a large scale operation the Windows development must be.
Oh, here it is!
IE8 on windows 7 is currently the most secure browser, whereas Safari on OSX is currently the least.
I actually met a woman last week who still believed she didn't need antivirus protection on her mac. Oh, how I laughed.
Alas, since the mac is aimed at the opposable digit lacking market, people like this are rampant. The only reason there aren't more macs in the botnets is down to numbers. Hackers building botnets don't aim for niche markets.
Now, if stevie boy were to bring his hardware prices down by about 35% so you actually got what you paid for, that may change...
"A Microcrap product with security vulnerabilities? Wow. That's first."
Was that predictable pop at MS really worth the effort you took to type it, or more importantly the time we're all going to waste reading it?
Grow up and post something new and interesting, or just don't bother ok?
It's all relative I suppose but I still think this is misleading. I wouldn't say that some process was 'one of the safer ways to do X' just because one or two more dangerous methods existed.
"So, IE8 was being rolled out in Beta (and released on Thursday) and they didn't include the ASLR/DEP until the day after? I mean I do believe it, I'm just not smart enough to figure out why the security gets added on D-Day plus 1."
that's not what the article said
the article said the security wasn't in the beta (which was what was targeted during pwn2own) but was present in the final release.
@danny
guy, please read the article correctly....it was the beta version/release candidate that was hacked and the actual released version that had the protection in it came out the next day. it seems the article's heading threw yoi to just mke a comment without knowing what you're comment on. next time read.
They merely make it less likely that a hole can be used to run code rather than merely crash. That's reason enough to use them (strength in depth) but unless MS have also patched the hole that let someone poke the executable code into an area of memory and then jump to it, the hole is still there. It just needs more work to exploit. Rest assured that people are working on that.
The title of this article is fairly rediculous.
The browser that was exploited last Wednesday was IE8 RC, not RTW.
So Microsoft fixed what sounds like a complicated vulnerability in the RTW final version, is this really worthy of saying they were 'late' in doing so? Is it not true they would have been late if they hadn't bothered to fix it for a few months after RTW was released?
""one of the safer ways to browse the internet is by using IE8 on Vista or Windows 7" or use a Linux machine presumably."
A few years ago the Apple camp was saying exactly the same (with 'Linux machine' changed to 'Mac'). *Every* system and *every* browser is vulnerable. The only ptotection is having a team of devs who are willing to act fast to patch vulnerabilities as they are found. MS have shown that the 0-day vuln exploited by Nils didn't last 24 hours, which is more than Apple has done with Safari, or Mozilla with FF.
That's the only thing that counts. Thinking you're safe because you use Linux or Opera is just hiding your head in the sand.
EdwardP: "what a large scale operation the Windows development must be"
Two questions:
1. Precisely what has the world gained from the inflation of Windows from the 6 or 7 floppies Win3.1 was installed from to the DVD Vista uses?
2. What would be the effect on these many security bugs if Windows was running using a tagged architecture like the Unisys (nee Burroughs) large systems? For the benefit of those unfamiliar with this architecture, a reminder that the angel with the flaming sword at the gate of Eden was an operator issuing the MC command "make compiler" which in turn enabled a compiled program to mark its output as executable code. If you executed a program compiled on an altered compiler, it would be capable of doing anything.
To question (1) I offer the following as among the answers: (a) Unicode-aware system and apps and (b) the extraordinarily complex browsers and web pages of today, far beyond anything foreseen with Netscape 1 (c) the bloating of the MS Windows programming team to the point it is out of control.
Other answers?
@Psymon, if you honestly believe that the only reason that Macs and *nix machines have only a handful of viruses compared to the huge Windows malware database is because of the numbers involved, then a little research is in order. And not merely from Steve Balmer-approved sources.
I suspect, however, that you already know that your claims are facile and that you are simply being a Troll.
"....I'm just not smart enough to figure out...."
At least that part of your post is true. I shall refrain from explaining why as at least half a dozen people have already done so.
So, this "news" is that some script kiddy exploited a vulnerability in a beta which MS were already aware of and had already coded the fix for (we can assume that as the full release the following day already had the fix - too soon for it to be a reaction to the hack)? I mean, I'm not a great fan of Microsoft but it does seem somewhat like a fuss about nothing.
Come on people, the flaw was in the beta version, the final release had measured that would have prevented the hack.
Oh and of course we all know that IE is the only browser that has ever had any security problems, oh no wait, Safari, Firefox, Chrome, Opera and every other browser out there is not water tight. Writing water tight code in something as complex and interactive as a browser is all but impossible, thankfully all the companies who release browsers regularly patch them to ensure security vulnerabilities are fixed.
It does get a little tiresome when people jump on the Microsoft is shit bandwagon time after time, without any balance. Microsoft = Shit. Apple, Mozilla, et all = wonderful software. It’s just not living in the real world.
Sign up, sign up for The Register's weekly IT security newsletter - click here
