Feeds

back to article Exploit code for potent IE zero-day bug goes wild

Exploit code targeting the Internet Explorer vulnerability used against Google and other companies has gone public, increasing the chances that broader attacks will soon follow. Both the open-source Metasploit framework and the commercial Immunity Canvas software for penetration testers have working exploits that fully …

COMMENTS

This topic is closed for new posts.

Page:

Grenade

STBY...

What's the problem?

0
0
Silver badge
Linux

IE, again

This just reminds me why I took the trouble to move friends & family off Windows/IE to avoid yet another infestation. Regularly.

Tux - not perfect, but a whole lot better.

8
2
Unhappy

Aaand

because of wide availability and M$ rushing to fix it as it's now public, there's a higher chance that they'll fix it incompletely or introduce some other bugs.

1
1
Silver badge
Grenade

Internet Explorer?

Do people actually use this piece of junk software?

11
3
Anonymous Coward

Apparently, yes

Lots of people who have no idea what they're doing to the point of not noticing when firefox gets swapped out for internet exploder by some installer or nagware, and I'm told large corporate environments with internet exploder-only intranets. Neither of whom will be exhorted by pieces like this to finally update; the former won't update because they haven't a clue and may not even be able to thanks to "windows genuine advantage", and the latter because that's a policy decision, and the pointy hairs that must approve it (can't really say "are responsible", can I?) only see a cost centre there and they were told to save on costs by on high.

3
0

Do people still use Internet Exploder?

Not if they are tech savvy. Firefox or Opera are better and safer browsers.

5
0
Stop

IE8 is not junk

and has some nice features such as inprivate. Moreover it is far quicker than FF3.0 or 3.5 in my experience.

I mainly use FF3.0 principally because it behaves well on my system compared to 3.5 plus there are several critical add-ons that I can manage without. I also use Opera 10 for some online banking sites that play well with it.

Chrome i will not touch. Well, I did actually try it one and it was slooow. But basically i do not trust Google at all. Probably a NSA/CIA job more so than M$.

Then from time to time I boot up Ubuntu and occasionally play with other flavours of linux, using browsers like Konqueror and of course FF, but the font rendering does my eyes in on linux, just nowhere as smooth as Windows.

As for IE8, I use that for intranets, work related sites that I trust, but also, surprisingly, for the banking sites that do not work with Opera...in preference to using Firefox because I ultimately do not trust add-ons enough to let loose on my financials. IE8 with a sandbox (sandboxie or the new one within Kasperky 2010) is definitley quicker, smoother and no less secure than the others. Junk definitly not.

3
12

I do

I use IE6 on Win2K at work, but not through choice, I don't think our office PCs can run anything better (2001 Dells with 128mb of RAM) they struggle enough with simple tasks such as loading a new window (which the system spawns on a regular basis)

0
0
Pint

Yes, yes they do....

Think corporate.

You can't install anything on your own. Every bit of software has to be green-lit by empty suits in IT management. Too many internal sites built too long ago for IE 6, and companies aren't willing to update for fear it might cost money.

Beer, because I need one.

1
0
Linux

Not at home, but my...

employer still uses IE6 as its default web browser.

Frightening, isn't it?

1
0
Unhappy

Re: IE?

Unfortunately, yes... and it can't be ignored, much to my dismay.

0
0
Anonymous Coward

Yes

Certainly more than use Firefox.

0
0
Anonymous Coward

Firefox add-ons

"As for IE8, I use that for intranets, work related sites that I trust, but also, surprisingly, for the banking sites that do not work with Opera...in preference to using Firefox because I ultimately do not trust add-ons enough to let loose on my financials."

You could define another profile in Firefox, with extensions disabled, if you like.

Just a thought.

0
0
Silver badge
FAIL

Mine too

Idiots

0
0
N2

Think corporate?

Think the 'empty suits' in IT are long past their sell by date

1
1
N2

IE 8 not junk

Correct, junk is far too polite a term, IE is utter garbage,

Why should you have to prop up a web browser thats so terminally in secure with products like Sandboxie? which is to be honest one of the few ways I would trust using IE & go to sites that I was sure were safe

But to be fair, most web browsers need a re-think / re-write in the way they work to prevent exploits, its just that IE is the one thats by far the biggest security risk.

3
1
FAIL

oh really...

http://www.theregister.co.uk/2009/11/10/web_security_survey/

Firefox safer huh? more geeky maybe, but safer no.

1
4
FAIL

think why?

IE is has less bugs whether you like to admit it or not. Why would corporates waste money rolling out a different browser when it gives no corporate benefit at all?

0
1
Anonymous Coward

Not as black and white as that.

"IE is has less bugs whether you like to admit it or not." - I can't recall anyone suggesting otherwise. This hasn't got anything to do with the amount bugs at all. It is a pointless and meaningless metric. The problems with IE are many though. The bugs that it does contain have the potential to cause lots of damage to it's host OS, and as (unfortunately) the majority still use a variation of it, malicious individuals will target its weaknesses and shortcomings. Like it or not, Microsoft have a duty of care to make sure that their products, paid for or free, should be as secure as possible. This isn't a slight on Microsoft as Mozilla, Google, Apple and all the rest have the same burden of responsibility, with the latter often being *as* bad.

"Why would corporates waste money rolling out a different browser..." They wouldn't necessarily. This is an overused and ill conceived argument. The cost of redesigning and redeploying an intranet could be high and that'll teach the companies affected the cost of using non-standard proprietary solutions. The cost savings made by opting for a more secure browser could be huge! Don't forget either that enterprise is only half of Microsoft's market. Any kind of shift in the consumer market has the potential to do more damage, and is far more likely. The German government for instance is suggesting that it's better to use an alternative to IE for security reasons. The damage to the Internet Explore brand, like the Windows Mobile one, could be huge.

1
0

same here

My place of work also makes us use IE6 and doesn't allow us to install any software. I forget the reasoning, but there is a specific complaint about IE7 and 8 that means they refuse to upgrade the systems to it (since even 7 or 8 would be better than 6).

Thankfully I can use Firefox Portable, but unfortunately since the company officially uses IE6, any web development I do has to be compatible with it - that increases development time exponentially.

It was the same at my previous place of work too. Most slightly tech-savvy people I know use Firefox. I've even got my mum using it. I do occasionally see friends using IE because they don't know there are alternatives, but the real reason why IE6 remains such a lingering curse is the corporate usage.

0
0
FAIL

Yes

When Firefox, Opera et al can be installed, configured and locked down via Group Policy, they may have half a chance at reducing Internet Explorer's dominance in corporate networks.

Until then, most companies will take their chances with IE, ours included. Say what you will about alternatives being safer, faster or more user friendly; sysadmins working on a Windows domain would have to be crazy to use anything other than IE.

0
0
Silver badge

It was once a stimulating,respectable job

doing MS computer support. Now it feel like clearing up after and incontinent elephant but nothing, absolutely nothing grows in the mess.

4
0
Flame

Unfair

@JaitcH: "Do people actually use this piece of junk software?"

Of course, Mozilla never need to issue security patches for Firefox.

1
8
Anonymous Coward

Not really

Like the Germans said, the setting that makes IE 'sort of' secure also makes it all but unusable. FF meanwhile is at least 'sort of' secure while remaining eminently usable. In a less-than-perfect world, this seems a reasonable comparison between a 'junk' product and a quality one, all else being equal (which, of course, it is not).

0
0

Chrome?

Do google not run chrome then?

0
1

Re: Chrome?

I believe the accounts of human rights activists were hacked, and no human rights activist is tech savvy.

0
0
Anonymous Coward

Gmail

Just had a bogus emergency plea for cash from a family member via their Gmail account. Apparently everyone in their address book got one, including the plumber. Just a coincidence that Gmail has been widely hacked in China (possibly by this exploit)?

0
1
Silver badge
FAIL

Gmail?

What do they expect?

0
0

makes me think

that these leading tech firms aren't too savvy when it comes to their own security, as if we didn't already know.

Glad to see the solutions are already mentioned, surprised (or maybe not) that these leading tech firms weren't already in possession of that knowledge, it's not as id DEP hasn't been mentioned before in previous attacks of different kinds. Or is it IT policy, that once a patch has been released you can turn DEP off. No I don't think so, once turned on , DEP can only be allowed to filter for various applications that you have to manually define.

So the problem is only being further enhanced by poor security in these firms to begin with, something which we're all aware of now too..

On another level, why are these companies using a browser getting on for 10 years old still, have they not heard of progress, yet they still try to foist their "new" version of their product onto me every 6 months. Whilst you are right to highlight the part played by IE6, maybe the focus should now switch to the security in place in these firms.?

0
0
Thumb Down

Seriously. Think?

Sorry, but saying you "think" implies actual "thought". Or maybe "thinking" for you is synonymous with "regurgitating".

Try "reading" THEN "thinking".

The recent hacks were perpetrated by launching phishing expeditions against normal users in their own homes who were duped by the ruse into opening malicious links that used this MSIE ZERO-DAY EXPLOIT (and possibly others) to compromise those USERS' WINDOWS systems and gain access to their Gmail (and other account) credentials to be used as points of entry into the Google (and other companies) network.

This was not a Google hack, or for that matter a hack on any of the other companies involved. This was a MSIE exploit, and as such was not something that Google or any of the other companies could defend against.

Twit.

0
0
Gold badge

"Highly sophisticated"

Is it really? The source for Windows (and IE) is hardly *that* difficult to get hold of. (The Chinese were *given* it by Microsoft a few years ago.) Given the source, you could run LINT or similar tools over it and zero in on uninitialised pointer problems without no more effort than it takes to wade through the tool output. (Given the quality of the MS code I've seen, there could be quite a lot of that, but the task is fairly parallelisable, and China has lots of smart people.) Some individuals who enjoy the backing of the Chinese military probably know the codebase better than Microsoft's own developers, particularly the codebase of IE6 which remains a major target for attack but which has probably fallen off Microsoft's radar.

The plain truth is that IE is just as "open source" as Firefox, at least to those who matter.

1
0
Coat

ALL YOU BASE BELONG 2 PRC and PRNK

time for a upgrade to LINUX me thinks....

bugger, who's nicked all my ID and contents of all my offshore bank accounts...

1
0

Worth remembering...

That this only impacts users of Microsoft's 2001 OS platform.

Out of the box Windows Vista and Windows 7 prevents this hole from being exploited through Microsoft's Trustworth Computing initive.

Anyone using IE6 on Windows XP in 2010 deserve's for their 8 year old system to be pwned.

1
6
FAIL

Do they use it? Some are forced to

You can go back, and not very far back, through articles here to find the one about workers being disciplined for doing unauthorized upgrades of IE on their PCs from IE 6 to IE 7. IE 6 was the "blessed" one and no-one was to change that or, more particularly, challenge management.

As a (very smart) manager of mine once said, "Sometimes you just need bodies hangin' from trees".

0
0
Gold badge
FAIL

Re: Some are forced to

"As a (very smart) manager of mine once said, "Sometimes you just need bodies hangin' from trees"."

Well you've got 34 bodies swinging now, but I don't suppose it will help if the very smart managers refuse to open their eyes.

As the article points out, IE8 is considerably more resistant to this attack than its predecessors and that corporate intranet probably does work with it, but if you never bother to try it out then you'll never know. As I noted earlier, IE6 is basically an open source Trojan as far as the black hats are concerned, so just how smart a manager do you have to be to insist on keeping it?

0
0
IT Angle

@JaitcH

Unfortunately plenty of companies use this junk software, and now we're seeing just how useful M$ is for international espionage.

3
0
Paris Hilton

Stupid, Lazy IT depts

2003 - "Lets save some money. Lets build our enterprise, business critical application to run in IE 6. Isn't that neato? It is so much faster and cheaper than building a "real" application

2006 - No, we can't upgrade to IE7, it will break all our stuff.

2009 - No, we can't upgrade to IE8, it will break all our stuff.

2010 - No, we can't use our stuff anymore, IE 6 compromised our entire system and broke everything!

2
0
IT Angle

RE: Stupid, Lazy IT depts

Installing IE 8 was a snap, Auto Updates and a WSUS server took care of that. So, given the update mechanisms in an Active Directory network, tell us how to keep FireFox updated so we don't have to run around logging in administrative accounts to do this.

2
0

Absolutely

I'm glad you've said this. Maybe if someone answers they can also tell me how to prevent users from changing preferences in Firefox. Because I've a feeling there isn't a nice Group Policy setting for that...

2
0
Thumb Up

deployment method

@gollux - easy. deploy it as a virtual Application. eg sequence it in App-V

0
0
Badgers

RE: deployment method

Sounds like a way of adding more overhead, not just simply installing the update. And yet another server and yearly fee to Microsoft. I'll pass.

0
0
Thumb Up

So ...

Use a Linux box for your browser's VM. There. Fixed it for ya.

0
0

Video of the Aurora Exploit in Action

Here is a video demonstrating the use of the Aurora exploit with IE 6.0:

http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/

0
0

Pul-eeeeze

if you use Windows, use one of these...

Opera, Firefox, SeaMonkey, K-Meleon, Chrome, Safari...

1
0
Flame

Oohm, aah!

Time to abandon this internet connected thingy. At least until the security model has been sorted anyway.

Bye!

0
0
Silver badge
FAIL

Close

But no cigar. It's time abandon this shite called Windows.

1
1
Jobs Horns

Pointing out the obvious.

Guys/gals, can I point out the obvious? Exploits are found in IE because IE is the most popular browser out there. Do you seriously think FF, Chrome or Opera don't have similar and possibly worse security holes in them? Look at the percentages:

http://en.wikipedia.org/wiki/Usage_share_of_web_browsers

Firefox use is increasing, but it's still better to try and exploit IE than anything else, especially as it's more common in corporate environments.

2
3
Grenade

exploits in closed source

interesting that all these MS bugs can be found in such closed proprietary code.

the code for Firefox is Open and available for ANYONE to read... heck..you'd think that in that case

any random bug would be found pretty quickly and used by the bad guys.

0
0
Grenade

We're getting a little tired of that old canard...

so lets move on. Does nothing to help clean up the mess caused by failed implementation.

Quote: Guys/gals, can I point out the obvious? Exploits are found in IE because IE is the most popular browser out there.

1
2
FAIL

NHS requires IE6 still

The NHS Choose & Book system for queuing patients up to new referrals to hospital clinics requires IE6.

It is written to use some Active X thing, so the existing central stuff won't work with anything but IE, but I am pretty certain that somewhere in the closed source of it there is a line saying

If BrowserID != "IE6"

blow raspberry

exit

It would be odd if it was only general practice that had this stuff imposed on it, I assume that appointment departments have the same interface.

It wasn't my idea, and losing Crash & Burn would be no great loss for patients or professionals, but the NHS does seem to be hoist on a petard there.

1
0

Page:

This topic is closed for new posts.