Exploit code for potent IE zero-day bug goes wild
Exploit code targeting the Internet Explorer vulnerability used against Google and other companies has gone public, increasing the chances that broader attacks will soon follow. Both the open-source Metasploit framework and the commercial Immunity Canvas software for penetration testers have working exploits that fully …
IE, again
This just reminds me why I took the trouble to move friends & family off Windows/IE to avoid yet another infestation. Regularly.
Tux - not perfect, but a whole lot better.
Aaand
because of wide availability and M$ rushing to fix it as it's now public, there's a higher chance that they'll fix it incompletely or introduce some other bugs.
Internet Explorer?
Do people actually use this piece of junk software?
Apparently, yes
Lots of people who have no idea what they're doing to the point of not noticing when Firefox gets swapped out for internet exploder by some installer or nagware, and I'm told large corporate environments with internet exploder-only intranets. Neither of whom will be exhorted by pieces like this to finally update; the former won't update because they haven't a clue and may not even be able to thanks to "Windows Genuine Advantage", and the latter because that's a policy decision, and the pointy hairs that must approve it (can't really say "are responsible", can I?) only see a cost centre there and they were told to save on costs by on high.
Do people still use Internet Exploder?
Not if they are tech savvy. Firefox or Opera are better and safer browsers.
IE8 is not junk
and has some nice features such as InPrivate. Moreover it is far quicker than FF3.0 or 3.5 in my experience.
I mainly use FF3.0 principally because it behaves well on my system compared to 3.5 plus there are several critical add-ons that I can manage without. I also use Opera 10 for some online banking sites that play well with it.
Chrome I will not touch. Well, I did actually try it once and it was slooow. But basically I do not trust Google at all. Probably an NSA/CIA job more so than M$.
Then from time to time I boot up Ubuntu and occasionally play with other flavours of Linux, using browsers like Konqueror and of course FF, but the font rendering does my eyes in on Linux, just nowhere as smooth as Windows.
As for IE8, I use that for intranets, work related sites that I trust, but also, surprisingly, for the banking sites that do not work with Opera...in preference to using Firefox because I ultimately do not trust add-ons enough to let loose on my financials. IE8 with a sandbox (Sandboxie or the new one within Kaspersky 2010) is definitely quicker, smoother and no less secure than the others. Junk definitely not.
I do
I use IE6 on Win2K at work, but not through choice. I don't think our office PCs can run anything better (2001 Dells with 128MB of RAM); they struggle enough with simple tasks such as loading a new window (which the system spawns on a regular basis).
Yes, yes they do....
Think corporate.
You can't install anything on your own. Every bit of software has to be green-lit by empty suits in IT management. Too many internal sites built too long ago for IE 6, and companies aren't willing to update for fear it might cost money.
Beer, because I need one.
Not at home, but my...
employer still uses IE6 as its default web browser.
Frightening, isn't it?
Re: IE?
Unfortunately, yes... and it can't be ignored, much to my dismay.
Firefox add-ons
"As for IE8, I use that for intranets, work related sites that I trust, but also, surprisingly, for the banking sites that do not work with Opera...in preference to using Firefox because I ultimately do not trust add-ons enough to let loose on my financials."
You could define another profile in Firefox, with extensions disabled, if you like.
Just a thought.
Think corporate?
Think the 'empty suits' in IT are long past their sell-by date.
IE 8 not junk
Correct, junk is far too polite a term, IE is utter garbage.
Why should you have to prop up a web browser that's so terminally insecure with products like Sandboxie? Which is to be honest one of the few ways I would trust using IE & go to sites that I was sure were safe.
But to be fair, most web browsers need a re-think / re-write in the way they work to prevent exploits, it's just that IE is the one that's by far the biggest security risk.
oh really...
http://www.theregister.co.uk/2009/11/10/web_security_survey/
Firefox safer, huh? More geeky maybe, but safer, no.
think why?
IE has less bugs whether you like to admit it or not. Why would corporates waste money rolling out a different browser when it gives no corporate benefit at all?
Not as black and white as that.
"IE has less bugs whether you like to admit it or not." - I can't recall anyone suggesting otherwise. This hasn't got anything to do with the amount of bugs at all. It is a pointless and meaningless metric. The problems with IE are many though. The bugs that it does contain have the potential to cause lots of damage to its host OS, and as (unfortunately) the majority still use a variation of it, malicious individuals will target its weaknesses and shortcomings. Like it or not, Microsoft have a duty of care to make sure that their products, paid for or free, should be as secure as possible. This isn't a slight on Microsoft as Mozilla, Google, Apple and all the rest have the same burden of responsibility, with the latter often being *as* bad.
"Why would corporates waste money rolling out a different browser..." They wouldn't necessarily. This is an overused and ill-conceived argument. The cost of redesigning and redeploying an intranet could be high and that'll teach the companies affected the cost of using non-standard proprietary solutions. The cost savings made by opting for a more secure browser could be huge! Don't forget either that enterprise is only half of Microsoft's market. Any kind of shift in the consumer market has the potential to do more damage, and is far more likely. The German government for instance is suggesting that it's better to use an alternative to IE for security reasons. The damage to the Internet Explorer brand, like the Windows Mobile one, could be huge.
same here
My place of work also makes us use IE6 and doesn't allow us to install any software. I forget the reasoning, but there is a specific complaint about IE7 and 8 that means they refuse to upgrade the systems to it (since even 7 or 8 would be better than 6).
Thankfully I can use Firefox Portable, but unfortunately since the company officially uses IE6, any web development I do has to be compatible with it - that increases development time exponentially.
It was the same at my previous place of work too. Most slightly tech-savvy people I know use Firefox. I've even got my mum using it. I do occasionally see friends using IE because they don't know there are alternatives, but the real reason why IE6 remains such a lingering curse is the corporate usage.
Yes
When Firefox, Opera et al can be installed, configured and locked down via Group Policy, they may have half a chance at reducing Internet Explorer's dominance in corporate networks.
Until then, most companies will take their chances with IE, ours included. Say what you will about alternatives being safer, faster or more user friendly; sysadmins working on a Windows domain would have to be crazy to use anything other than IE.
It was once a stimulating, respectable job
doing MS computer support. Now it feels like clearing up after an incontinent elephant but nothing, absolutely nothing grows in the mess.
Unfair
@JaitcH: "Do people actually use this piece of junk software?"
Of course, Mozilla never need to issue security patches for Firefox.
Not really
Like the Germans said, the setting that makes IE 'sort of' secure also makes it all but unusable. FF meanwhile is at least 'sort of' secure while remaining eminently usable. In a less-than-perfect world, this seems a reasonable comparison between a 'junk' product and a quality one, all else being equal (which, of course, it is not).
Re: Chrome?
I believe the accounts of human rights activists were hacked, and no human rights activist is tech savvy.
Gmail
Just had a bogus emergency plea for cash from a family member via their Gmail account. Apparently everyone in their address book got one, including the plumber. Just a coincidence that Gmail has been widely hacked in China (possibly by this exploit)?
makes me think
that these leading tech firms aren't too savvy when it comes to their own security, as if we didn't already know.
Glad to see the solutions are already mentioned, surprised (or maybe not) that these leading tech firms weren't already in possession of that knowledge, it's not as if DEP hasn't been mentioned before in previous attacks of different kinds. Or is it IT policy, that once a patch has been released you can turn DEP off. No I don't think so, once turned on, DEP can only be allowed to filter for various applications that you have to manually define.
So the problem is only being further enhanced by poor security in these firms to begin with, something which we're all aware of now too.
On another level, why are these companies using a browser getting on for 10 years old still, have they not heard of progress, yet they still try to foist their "new" version of their product onto me every 6 months. Whilst you are right to highlight the part played by IE6, maybe the focus should now switch to the security in place in these firms?
Seriously. Think?
Sorry, but saying you "think" implies actual "thought". Or maybe "thinking" for you is synonymous with "regurgitating".
Try "reading" THEN "thinking".
The recent hacks were perpetrated by launching phishing expeditions against normal users in their own homes who were duped by the ruse into opening malicious links that used this MSIE ZERO-DAY EXPLOIT (and possibly others) to compromise those USERS' WINDOWS systems and gain access to their Gmail (and other account) credentials to be used as points of entry into the Google (and other companies) network.
This was not a Google hack, or for that matter a hack on any of the other companies involved. This was a MSIE exploit, and as such was not something that Google or any of the other companies could defend against.
Twit.
"Highly sophisticated"
Is it really? The source for Windows (and IE) is hardly *that* difficult to get hold of. (The Chinese were *given* it by Microsoft a few years ago.) Given the source, you could run LINT or similar tools over it and zero in on uninitialised pointer problems with no more effort than it takes to wade through the tool output. (Given the quality of the MS code I've seen, there could be quite a lot of that, but the task is fairly parallelisable, and China has lots of smart people.) Some individuals who enjoy the backing of the Chinese military probably know the codebase better than Microsoft's own developers, particularly the codebase of IE6 which remains a major target for attack but which has probably fallen off Microsoft's radar.
The plain truth is that IE is just as "open source" as Firefox, at least to those who matter.
ALL YOU BASE BELONG 2 PRC and PRNK
time for an upgrade to LINUX methinks....
bugger, who's nicked all my ID and contents of all my offshore bank accounts...
Worth remembering...
That this only impacts users of Microsoft's 2001 OS platform.
Out of the box Windows Vista and Windows 7 prevent this hole from being exploited through Microsoft's Trustworthy Computing initiative.
Anyone using IE6 on Windows XP in 2010 deserves for their 8 year old system to be pwned.
Do they use it? Some are forced to
You can go back, and not very far back, through articles here to find the one about workers being disciplined for doing unauthorized upgrades of IE on their PCs from IE 6 to IE 7. IE 6 was the "blessed" one and no-one was to change that or, more particularly, challenge management.
As a (very smart) manager of mine once said, "Sometimes you just need bodies hangin' from trees".
Re: Some are forced to
"As a (very smart) manager of mine once said, "Sometimes you just need bodies hangin' from trees"."
Well you've got 34 bodies swinging now, but I don't suppose it will help if the very smart managers refuse to open their eyes.
As the article points out, IE8 is considerably more resistant to this attack than its predecessors and that corporate intranet probably does work with it, but if you never bother to try it out then you'll never know. As I noted earlier, IE6 is basically an open source Trojan as far as the black hats are concerned, so just how smart a manager do you have to be to insist on keeping it?
@JaitcH
Unfortunately plenty of companies use this junk software, and now we're seeing just how useful M$ is for international espionage.
Stupid, Lazy IT depts
2003 - "Let's save some money. Let's build our enterprise, business critical application to run in IE 6. Isn't that neato? It is so much faster and cheaper than building a "real" application."
2006 - No, we can't upgrade to IE7, it will break all our stuff.
2009 - No, we can't upgrade to IE8, it will break all our stuff.
2010 - No, we can't use our stuff anymore, IE 6 compromised our entire system and broke everything!
RE: Stupid, Lazy IT depts
Installing IE 8 was a snap, Auto Updates and a WSUS server took care of that. So, given the update mechanisms in an Active Directory network, tell us how to keep Firefox updated so we don't have to run around logging in administrative accounts to do this.
Absolutely
I'm glad you've said this. Maybe if someone answers they can also tell me how to prevent users from changing preferences in Firefox. Because I've a feeling there isn't a nice Group Policy setting for that...
deployment method
@gollux - Easy. Deploy it as a virtual application, e.g. sequence it in App-V.
RE: deployment method
Sounds like a way of adding more overhead, not just simply installing the update. And yet another server and yearly fee to Microsoft. I'll pass.
So ...
Use a Linux box for your browser's VM. There. Fixed it for ya.
Video of the Aurora Exploit in Action
Here is a video demonstrating the use of the Aurora exploit with IE 6.0:
http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/
Pul-eeeeze
if you use Windows, use one of these...
Opera, Firefox, SeaMonkey, K-Meleon, Chrome, Safari...
Oohm, aah!
Time to abandon this internet connected thingy. At least until the security model has been sorted anyway.
Bye!
Close
But no cigar. It's time to abandon this shite called Windows.
Pointing out the obvious.
Guys/gals, can I point out the obvious? Exploits are found in IE because IE is the most popular browser out there. Do you seriously think FF, Chrome or Opera don't have similar and possibly worse security holes in them? Look at the percentages:
http://en.wikipedia.org/wiki/Usage_share_of_web_browsers
Firefox use is increasing, but it's still better to try and exploit IE than anything else, especially as it's more common in corporate environments.
exploits in closed source
Interesting that all these MS bugs can be found in such closed proprietary code.
The code for Firefox is open and available for ANYONE to read... heck, you'd think that in that case any random bug would be found pretty quickly and used by the bad guys.
We're getting a little tired of that old canard...
so let's move on. Does nothing to help clean up the mess caused by failed implementation.
Quote: Guys/gals, can I point out the obvious? Exploits are found in IE because IE is the most popular browser out there.
NHS requires IE6 still
The NHS Choose & Book system for queuing patients up to new referrals to hospital clinics requires IE6.
It is written to use some ActiveX thing, so the existing central stuff won't work with anything but IE, but I am pretty certain that somewhere in the closed source of it there is a line saying
If BrowserID != "IE6"
blow raspberry
exit
It would be odd if it was only general practice that had this stuff imposed on it, I assume that appointment departments have the same interface.
It wasn't my idea, and losing Crash & Burn would be no great loss for patients or professionals, but the NHS does seem to be hoist on a petard there.
