Microsoft 24 hours late with IE8 pwn protection

Just one day after a little-known hacker dazzled his peers by exploiting the latest version of Internet Explorer 8 beta, Microsoft added an important protection to the browser that probably would have prevented the attack. The measure, which was added to last Thursday's final release of IE8, restores so-called ASLR, or address …

COMMENTS

This topic is closed for new posts.
Linux

What?

A Microcrap product with security vulnerabilities? Wow. That's first.

0
0
Paris Hilton

My chips are sacred...

Nobody in this world knows or has written all the lines of code that run on their computer. It's trust that allows me to put sensitive information on my computer. Trust that Microsoft isn't recording my keystrokes, trust that my girlfriend hasn't remotely reprogrammed my computer to report on my precious porn collection. Trust that China doesn't routinely hide malware on all computer chips made there and shipped abroad.

So anyone that puts sensitive data on a net connected system will inevitably face the prospect of hackers sharing their secrets. There's even anti-virus for mobile phones now. Scared yet?

I've got the best story though. I saw a microwave oven whose chips had been hacked so that it showed a bomb-threat message on its screen. Now that's hacking...

(Paris because she would have only the most exclusive viruses.)

0
0
Coat

Like we didn't see this coming?

10/10 to MS for consistency. Like we didn't expect it. ..... Duh....

IE is old news, 7 or 8 or 9 or 10 they will still be doing the same old same old.

On the flip side, what browser is without vulns? I dunno, Well done to the hacker for highlighting it for all our benefits is what I say instead of keeping it quiet!

0
0

Forgot the chocolate chips

So, IE8 was being rolled out in Beta (and released on Thursday) and they didn't include the ASLR/DEP until the day after? I mean I do believe it, I'm just not smart enough to figure out why the security gets added on D-Day plus 1.

0
0
Gold badge

I don't buy it

This is marketing.

"We got sunk at the contest, but it's not a problem because we've got a new update" - ONE OF THE BLOODY MILLIONS YOU'VE HAD THIS YEAR.

There is no, nil, nada (etc) guarantee that that update would turn the browser into something safer, even if we assume for a moment it hasn't introduced another vulnerability instead (also not exactly a new event with MS patches).

If we're speculating without proof I go with current track record, which speaks very much against the assumption of MS delivering anything safe.

Fact: IE got taken apart quickly. So was Safari. So will be others. Show me facts, don't show me BS because we've had that since Windows was "incompatible" with other DOS.

The operative word is not "would", it's "might".

0
0
Bronze badge

DEP only on Vista and 7?

You will have to explain that. As far as I knew, DEP works with Windows XP on any DEP processor. What has changed?

0
0
Anonymous Coward

errr people

read the article properly before going "haha MS released a product with the bug", the article states that they added the protection for the feature 1 day after (for a start they would not be able to patch it in 1 day, so the patch would have already been in development), oh and the headline is misleading a bit as the article states that it was fixed FOR THE RELEASE, the guy managed to hit the unpatched IE 8 beta.

Nothing to see here except the kind of journalism that is normally seen in the Daily Mail.

0
0
Gates Halo

RTFA

"So, IE8 was being rolled out in Beta (and released on Thursday) and they didn't include the ASLR/DEP until the day after? I mean I do believe it, I'm just not smart enough to figure out why the security gets added on D-Day plus 1."

It wasn't that ASLR/DEP wasn't turned on - it was that the specific exploit wasn't fixed until the RTM version. Read the blog post for more on that. And it's worth remembering that it was a BETA version of IE8 - an incomplete version. The RTM version of IE8 had this fix from when it was released.

"A Microcrap product with security vulnerabilities? Wow. That's first."

Actually, this article is about how IE8 RTM is currently thought to be one of the most secure browsers available. It's worth remembering that the only browser that wasn't exploited is Chrome - yes, that means that even the mighty Firefox fell. So, what you should have said was "Microcrap, Bugzilla and Crapple products with security vulnerabilities? Wow. That's first."

0
0
Happy

Obligatory Linux comment

"one of the safer ways to browse the internet is by using IE8 on Vista or Windows 7" or use a Linux machine presumably.

0
0
Thumb Down

@danny_0x98

Didn't you do reading comprehension at school? The beta (which didn't have the ASLR/DEP) was exploited. The official release has these features in. The fact that there was a day between the beta being exploited and the final version being released is irrelevant really, and only included in the article for dramatic effect. Beta bad, final better (in this respect at least).

0
0

Meh, Opera already has DEP and ASR...

http://www.opera.com/docs/changelogs/windows/964/

0
0
Linux

Umm...

"it means one of the safer ways to browse the internet is by using IE8 on Vista or Windows 7"

I think you mean:

"it means one of the safer ways to browse the internet *using Microsoft software* is by using IE8 on Vista or Windows 7"

0
0
Flame

@Ac...What?

How dull....

Oh look security holes in Firefox as well....now go back to school, PE's is just about to start, you'll need to hand in your note from mommy, why you need to be excused.

Note to trolls

They exploited a BETA. Whoopee F**king dooo

0
0

IE8 Beta

How is a final release a beta?

I thought only google could get away with that!

0
0
Flame

Cue the...

...oh so predictable Microsoft bashing from people who either use their software, or think you should have to pay for a platform SDK...

"A Microcrap product with security vulnerabilities? Wow. That's first." - Lowest form of wit mate.

I'm fed up with this inane Microsoft bashing, none of the cliche posts ever come with any useful or pertinent information, they're just dull assertions that MS makes bad software, backed up by fourth-hand hearsay.

It's like taking the piss out of George Bush's intellect (which I refuse to do), it's become something that stupid people do to make themselves feel cleverer.

I use Microsoft software daily (there, I'm outed!), their development tools alone are absolutely top class, and anybody who has ever worked on a development project larger than your grotty little blog should have a real appreciation for quite what a large scale operation the Windows development must be.

0
0

where's my bag of troll fodder?

Oh, here it is!

IE8 on windows 7 is currently the most secure browser, whereas Safari on OSX is currently the least.

I actually met a woman last week who still believed she didn't need antivirus protection on her mac. Oh, how I laughed.

Alas, since the mac is aimed at the opposable digit lacking market, people like this are rampant. The only reason there aren't more macs in the botnets is down to numbers. Hackers building botnets don't aim for niche markets.

Now, if stevie boy were to bring his hardware prices down by about 35% so you actually got what you paid for, that may change...

0
0
Stop

@ What?

"A Microcrap product with security vulnerabilities? Wow. That's first."

Was that predictable pop at MS really worth the effort you took to type it, or more importantly the time we're all going to waste reading it?

Grow up and post something new and interesting, or just don't bother ok?

0
0
Anonymous Coward

"one of the safer ways to browse the internet is by using IE8 on Vista"

It's all relative I suppose but I still think this is misleading. I wouldn't say that some process was 'one of the safer ways to do X' just because one or two more dangerous methods existed.

0
0

@danny_0x98

"So, IE8 was being rolled out in Beta (and released on Thursday) and they didn't include the ASLR/DEP until the day after? I mean I do believe it, I'm just not smart enough to figure out why the security gets added on D-Day plus 1."

that's not what the article said

the article said the security wasn't in the beta (which was what was targeted during pwn2own) but was present in the final release.

0
0

danny get real

@danny

guy, please read the article correctly....it was the beta version/release candidate that was hacked and the actual released version that had the protection in it came out the next day. it seems the article's heading threw you to just make a comment without knowing what you're commenting on. next time read.

0
0
Gold badge

ASLR and DEP don't *fix* anything

They merely make it less likely that a hole can be used to run code rather than merely crash. That's reason enough to use them (strength in depth) but unless MS have also patched the hole that let someone poke the executable code into an area of memory and then jump to it, the hole is still there. It just needs more work to exploit. Rest assured that people are working on that.

0
0
Stop

Odd choice of title...

The title of this article is fairly ridiculous.

The browser that was exploited last Wednesday was IE8 RC, not RTW.

So Microsoft fixed what sounds like a complicated vulnerability in the RTW final version, is this really worthy of saying they were 'late' in doing so? Is it not true they would have been late if they hadn't bothered to fix it for a few months after RTW was released?

0
0
Gates Halo

DayJarVoo

""one of the safer ways to browse the internet is by using IE8 on Vista or Windows 7" or use a Linux machine presumably."

A few years ago the Apple camp was saying exactly the same (with 'Linux machine' changed to 'Mac'). *Every* system and *every* browser is vulnerable. The only protection is having a team of devs who are willing to act fast to patch vulnerabilities as they are found. MS have shown that the 0-day vuln exploited by Nils didn't last 24 hours, which is more than Apple has done with Safari, or Mozilla with FF.

That's the only thing that counts. Thinking you're safe because you use Linux or Opera is just hiding your head in the sand.

0
0
RW
IT Angle

What I wonder (@ EdwardP)

EdwardP: "what a large scale operation the Windows development must be"

Two questions:

1. Precisely what has the world gained from the inflation of Windows from the 6 or 7 floppies Win3.1 was installed from to the DVD Vista uses?

2. What would be the effect on these many security bugs if Windows was running using a tagged architecture like the Unisys (nee Burroughs) large systems? For the benefit of those unfamiliar with this architecture, a reminder that the angel with the flaming sword at the gate of Eden was an operator issuing the MC command "make compiler" which in turn enabled a compiled program to mark its output as executable code. If you executed a program compiled on an altered compiler, it would be capable of doing anything.

To question (1) I offer the following as among the answers: (a) Unicode-aware system and apps and (b) the extraordinarily complex browsers and web pages of today, far beyond anything foreseen with Netscape 1 (c) the bloating of the MS Windows programming team to the point it is out of control.

Other answers?

0
0

Troll Fodder

@Psymon, if you honestly believe that the only reason that Macs and *nix machines have only a handful of viruses compared to the huge Windows malware database is because of the numbers involved, then a little research is in order. And not merely from Steve Ballmer-approved sources.

I suspect, however, that you already know that your claims are facile and that you are simply being a Troll.

0
0

@danny_0x98

"....I'm just not smart enough to figure out...."

At least that part of your post is true. I shall refrain from explaining why as at least half a dozen people have already done so.

So, this "news" is that some script kiddy exploited a vulnerability in a beta which MS were already aware of and had already coded the fix for (we can assume that as the full release the following day already had the fix - too soon for it to be a reaction to the hack)? I mean, I'm not a great fan of Microsoft but it does seem somewhat like a fuss about nothing.

0
0
Gates Halo

Beta with a flaw, fixed for final release SHOCK!

Come on people, the flaw was in the beta version, the final release had measures that would have prevented the hack.

Oh and of course we all know that IE is the only browser that has ever had any security problems, oh no wait, Safari, Firefox, Chrome, Opera and every other browser out there is not water tight. Writing water tight code in something as complex and interactive as a browser is all but impossible, thankfully all the companies who release browsers regularly patch them to ensure security vulnerabilities are fixed.

It does get a little tiresome when people jump on the Microsoft is shit bandwagon time after time, without any balance. Microsoft = Shit. Apple, Mozilla, et al = wonderful software. It’s just not living in the real world.

0
0