back to article Exploit code for potent IE zero-day bug goes wild

Exploit code targeting the Internet Explorer vulnerability used against Google and other companies has gone public, increasing the chances that broader attacks will soon follow. Both the open-source Metasploit framework and the commercial Immunity Canvas software for penetration testers have working exploits that fully …

COMMENTS

This topic is closed for new posts.

Page:

  1. gollux
    Grenade

    STBY...

    What's the problem?

  2. Paul Crawford Silver badge
    Linux

    IE, again

    This just reminds me why I took the trouble to move friends & family off Windows/IE to avoid yet another infestation. Regularly.

    Tux - not perfect, but a whole lot better.

  3. Anonymous Coward
    Unhappy

    Aaand

    because of wide availability and M$ rushing to fix it as it's now public, there's a higher chance that they'll fix it incompletely or introduce some other bugs.

  4. JaitcH
    Grenade

    Internet Explorer?

    Do people actually use this piece of junk software?

    1. Anonymous Coward
      Anonymous Coward

      Apparently, yes

      Lots of people who have no idea what they're doing to the point of not noticing when firefox gets swapped out for internet exploder by some installer or nagware, and I'm told large corporate environments with internet exploder-only intranets. Neither of whom will be exhorted by pieces like this to finally update; the former won't update because they haven't a clue and may not even be able to thanks to "windows genuine advantage", and the latter because that's a policy decision, and the pointy hairs that must approve it (can't really say "are responsible", can I?) only see a cost centre there and they were told to save on costs by on high.

    2. Ross Nixon

      Do people still use Internet Exploder?

      Not if they are tech savvy. Firefox or Opera are better and safer browsers.

      1. Anthony Shortland
        FAIL

        oh really...

        http://www.theregister.co.uk/2009/11/10/web_security_survey/

        Firefox safer huh? more geeky maybe, but safer no.

    3. Anonymous Coward
      Stop

      IE8 is not junk

      and has some nice features such as inprivate. Moreover it is far quicker than FF3.0 or 3.5 in my experience.

      I mainly use FF3.0 principally because it behaves well on my system compared to 3.5 plus there are several critical add-ons that I can manage without. I also use Opera 10 for some online banking sites that play well with it.

      Chrome i will not touch. Well, I did actually try it one and it was slooow. But basically i do not trust Google at all. Probably a NSA/CIA job more so than M$.

      Then from time to time I boot up Ubuntu and occasionally play with other flavours of linux, using browsers like Konqueror and of course FF, but the font rendering does my eyes in on linux, just nowhere as smooth as Windows.

      As for IE8, I use that for intranets, work related sites that I trust, but also, surprisingly, for the banking sites that do not work with Opera...in preference to using Firefox because I ultimately do not trust add-ons enough to let loose on my financials. IE8 with a sandbox (sandboxie or the new one within Kasperky 2010) is definitley quicker, smoother and no less secure than the others. Junk definitly not.

      1. Anonymous Coward
        Anonymous Coward

        Firefox add-ons

        "As for IE8, I use that for intranets, work related sites that I trust, but also, surprisingly, for the banking sites that do not work with Opera...in preference to using Firefox because I ultimately do not trust add-ons enough to let loose on my financials."

        You could define another profile in Firefox, with extensions disabled, if you like.

        Just a thought.

      2. N2

        IE 8 not junk

        Correct, junk is far too polite a term, IE is utter garbage,

        Why should you have to prop up a web browser thats so terminally in secure with products like Sandboxie? which is to be honest one of the few ways I would trust using IE & go to sites that I was sure were safe

        But to be fair, most web browsers need a re-think / re-write in the way they work to prevent exploits, its just that IE is the one thats by far the biggest security risk.

    4. Sadie

      I do

      I use IE6 on Win2K at work, but not through choice, I don't think our office PCs can run anything better (2001 Dells with 128mb of RAM) they struggle enough with simple tasks such as loading a new window (which the system spawns on a regular basis)

      1. Roby

        same here

        My place of work also makes us use IE6 and doesn't allow us to install any software. I forget the reasoning, but there is a specific complaint about IE7 and 8 that means they refuse to upgrade the systems to it (since even 7 or 8 would be better than 6).

        Thankfully I can use Firefox Portable, but unfortunately since the company officially uses IE6, any web development I do has to be compatible with it - that increases development time exponentially.

        It was the same at my previous place of work too. Most slightly tech-savvy people I know use Firefox. I've even got my mum using it. I do occasionally see friends using IE because they don't know there are alternatives, but the real reason why IE6 remains such a lingering curse is the corporate usage.

    5. Anonymous Coward
      Pint

      Yes, yes they do....

      Think corporate.

      You can't install anything on your own. Every bit of software has to be green-lit by empty suits in IT management. Too many internal sites built too long ago for IE 6, and companies aren't willing to update for fear it might cost money.

      Beer, because I need one.

      1. N2

        Think corporate?

        Think the 'empty suits' in IT are long past their sell by date

        1. Anthony Shortland
          FAIL

          think why?

          IE is has less bugs whether you like to admit it or not. Why would corporates waste money rolling out a different browser when it gives no corporate benefit at all?

          1. Anonymous Coward
            Anonymous Coward

            Not as black and white as that.

            "IE is has less bugs whether you like to admit it or not." - I can't recall anyone suggesting otherwise. This hasn't got anything to do with the amount bugs at all. It is a pointless and meaningless metric. The problems with IE are many though. The bugs that it does contain have the potential to cause lots of damage to it's host OS, and as (unfortunately) the majority still use a variation of it, malicious individuals will target its weaknesses and shortcomings. Like it or not, Microsoft have a duty of care to make sure that their products, paid for or free, should be as secure as possible. This isn't a slight on Microsoft as Mozilla, Google, Apple and all the rest have the same burden of responsibility, with the latter often being *as* bad.

            "Why would corporates waste money rolling out a different browser..." They wouldn't necessarily. This is an overused and ill conceived argument. The cost of redesigning and redeploying an intranet could be high and that'll teach the companies affected the cost of using non-standard proprietary solutions. The cost savings made by opting for a more secure browser could be huge! Don't forget either that enterprise is only half of Microsoft's market. Any kind of shift in the consumer market has the potential to do more damage, and is far more likely. The German government for instance is suggesting that it's better to use an alternative to IE for security reasons. The damage to the Internet Explore brand, like the Windows Mobile one, could be huge.

    6. Anonymous Coward
      Linux

      Not at home, but my...

      employer still uses IE6 as its default web browser.

      Frightening, isn't it?

      1. Big-nosed Pengie
        FAIL

        Mine too

        Idiots

    7. Old Marcus
      Unhappy

      Re: IE?

      Unfortunately, yes... and it can't be ignored, much to my dismay.

    8. Anonymous Coward
      Anonymous Coward

      Yes

      Certainly more than use Firefox.

    9. Dale Richards
      FAIL

      Yes

      When Firefox, Opera et al can be installed, configured and locked down via Group Policy, they may have half a chance at reducing Internet Explorer's dominance in corporate networks.

      Until then, most companies will take their chances with IE, ours included. Say what you will about alternatives being safer, faster or more user friendly; sysadmins working on a Windows domain would have to be crazy to use anything other than IE.

  5. Tom 7

    It was once a stimulating,respectable job

    doing MS computer support. Now it feel like clearing up after and incontinent elephant but nothing, absolutely nothing grows in the mess.

  6. Thought About IT
    Flame

    Unfair

    @JaitcH: "Do people actually use this piece of junk software?"

    Of course, Mozilla never need to issue security patches for Firefox.

    1. Anonymous Coward
      Anonymous Coward

      Not really

      Like the Germans said, the setting that makes IE 'sort of' secure also makes it all but unusable. FF meanwhile is at least 'sort of' secure while remaining eminently usable. In a less-than-perfect world, this seems a reasonable comparison between a 'junk' product and a quality one, all else being equal (which, of course, it is not).

  7. SuperTim

    Chrome?

    Do google not run chrome then?

    1. Old Marcus

      Re: Chrome?

      I believe the accounts of human rights activists were hacked, and no human rights activist is tech savvy.

  8. Anonymous Coward
    Anonymous Coward

    Gmail

    Just had a bogus emergency plea for cash from a family member via their Gmail account. Apparently everyone in their address book got one, including the plumber. Just a coincidence that Gmail has been widely hacked in China (possibly by this exploit)?

    1. Big-nosed Pengie
      FAIL

      Gmail?

      What do they expect?

  9. Neal 5

    makes me think

    that these leading tech firms aren't too savvy when it comes to their own security, as if we didn't already know.

    Glad to see the solutions are already mentioned, surprised (or maybe not) that these leading tech firms weren't already in possession of that knowledge, it's not as id DEP hasn't been mentioned before in previous attacks of different kinds. Or is it IT policy, that once a patch has been released you can turn DEP off. No I don't think so, once turned on , DEP can only be allowed to filter for various applications that you have to manually define.

    So the problem is only being further enhanced by poor security in these firms to begin with, something which we're all aware of now too..

    On another level, why are these companies using a browser getting on for 10 years old still, have they not heard of progress, yet they still try to foist their "new" version of their product onto me every 6 months. Whilst you are right to highlight the part played by IE6, maybe the focus should now switch to the security in place in these firms.?

    1. James Butler
      Thumb Down

      Seriously. Think?

      Sorry, but saying you "think" implies actual "thought". Or maybe "thinking" for you is synonymous with "regurgitating".

      Try "reading" THEN "thinking".

      The recent hacks were perpetrated by launching phishing expeditions against normal users in their own homes who were duped by the ruse into opening malicious links that used this MSIE ZERO-DAY EXPLOIT (and possibly others) to compromise those USERS' WINDOWS systems and gain access to their Gmail (and other account) credentials to be used as points of entry into the Google (and other companies) network.

      This was not a Google hack, or for that matter a hack on any of the other companies involved. This was a MSIE exploit, and as such was not something that Google or any of the other companies could defend against.

      Twit.

  10. Ken Hagan Gold badge

    "Highly sophisticated"

    Is it really? The source for Windows (and IE) is hardly *that* difficult to get hold of. (The Chinese were *given* it by Microsoft a few years ago.) Given the source, you could run LINT or similar tools over it and zero in on uninitialised pointer problems without no more effort than it takes to wade through the tool output. (Given the quality of the MS code I've seen, there could be quite a lot of that, but the task is fairly parallelisable, and China has lots of smart people.) Some individuals who enjoy the backing of the Chinese military probably know the codebase better than Microsoft's own developers, particularly the codebase of IE6 which remains a major target for attack but which has probably fallen off Microsoft's radar.

    The plain truth is that IE is just as "open source" as Firefox, at least to those who matter.

  11. Anonymous Coward
    Coat

    ALL YOU BASE BELONG 2 PRC and PRNK

    time for a upgrade to LINUX me thinks....

    bugger, who's nicked all my ID and contents of all my offshore bank accounts...

  12. The Original Steve

    Worth remembering...

    That this only impacts users of Microsoft's 2001 OS platform.

    Out of the box Windows Vista and Windows 7 prevents this hole from being exploited through Microsoft's Trustworth Computing initive.

    Anyone using IE6 on Windows XP in 2010 deserve's for their 8 year old system to be pwned.

  13. Peter 39
    FAIL

    Do they use it? Some are forced to

    You can go back, and not very far back, through articles here to find the one about workers being disciplined for doing unauthorized upgrades of IE on their PCs from IE 6 to IE 7. IE 6 was the "blessed" one and no-one was to change that or, more particularly, challenge management.

    As a (very smart) manager of mine once said, "Sometimes you just need bodies hangin' from trees".

    1. Ken Hagan Gold badge
      FAIL

      Re: Some are forced to

      "As a (very smart) manager of mine once said, "Sometimes you just need bodies hangin' from trees"."

      Well you've got 34 bodies swinging now, but I don't suppose it will help if the very smart managers refuse to open their eyes.

      As the article points out, IE8 is considerably more resistant to this attack than its predecessors and that corporate intranet probably does work with it, but if you never bother to try it out then you'll never know. As I noted earlier, IE6 is basically an open source Trojan as far as the black hats are concerned, so just how smart a manager do you have to be to insist on keeping it?

  14. Anonymous Coward
    IT Angle

    @JaitcH

    Unfortunately plenty of companies use this junk software, and now we're seeing just how useful M$ is for international espionage.

  15. Anonymous Coward
    Paris Hilton

    Stupid, Lazy IT depts

    2003 - "Lets save some money. Lets build our enterprise, business critical application to run in IE 6. Isn't that neato? It is so much faster and cheaper than building a "real" application

    2006 - No, we can't upgrade to IE7, it will break all our stuff.

    2009 - No, we can't upgrade to IE8, it will break all our stuff.

    2010 - No, we can't use our stuff anymore, IE 6 compromised our entire system and broke everything!

    1. gollux
      IT Angle

      RE: Stupid, Lazy IT depts

      Installing IE 8 was a snap, Auto Updates and a WSUS server took care of that. So, given the update mechanisms in an Active Directory network, tell us how to keep FireFox updated so we don't have to run around logging in administrative accounts to do this.

      1. Martin Edwards

        Absolutely

        I'm glad you've said this. Maybe if someone answers they can also tell me how to prevent users from changing preferences in Firefox. Because I've a feeling there isn't a nice Group Policy setting for that...

      2. Anonymous Coward
        Thumb Up

        deployment method

        @gollux - easy. deploy it as a virtual Application. eg sequence it in App-V

        1. gollux
          Badgers

          RE: deployment method

          Sounds like a way of adding more overhead, not just simply installing the update. And yet another server and yearly fee to Microsoft. I'll pass.

          1. James Butler
            Thumb Up

            So ...

            Use a Linux box for your browser's VM. There. Fixed it for ya.

  16. Prefect

    Video of the Aurora Exploit in Action

    Here is a video demonstrating the use of the Aurora exploit with IE 6.0:

    http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/

  17. Steve 72

    Pul-eeeeze

    if you use Windows, use one of these...

    Opera, Firefox, SeaMonkey, K-Meleon, Chrome, Safari...

  18. Beelzeebub
    Flame

    Oohm, aah!

    Time to abandon this internet connected thingy. At least until the security model has been sorted anyway.

    Bye!

    1. Big-nosed Pengie
      FAIL

      Close

      But no cigar. It's time abandon this shite called Windows.

  19. Robinson
    Jobs Horns

    Pointing out the obvious.

    Guys/gals, can I point out the obvious? Exploits are found in IE because IE is the most popular browser out there. Do you seriously think FF, Chrome or Opera don't have similar and possibly worse security holes in them? Look at the percentages:

    http://en.wikipedia.org/wiki/Usage_share_of_web_browsers

    Firefox use is increasing, but it's still better to try and exploit IE than anything else, especially as it's more common in corporate environments.

    1. Anonymous Coward
      Grenade

      exploits in closed source

      interesting that all these MS bugs can be found in such closed proprietary code.

      the code for Firefox is Open and available for ANYONE to read... heck..you'd think that in that case

      any random bug would be found pretty quickly and used by the bad guys.

    2. gollux
      Grenade

      We're getting a little tired of that old canard...

      so lets move on. Does nothing to help clean up the mess caused by failed implementation.

      Quote: Guys/gals, can I point out the obvious? Exploits are found in IE because IE is the most popular browser out there.

  20. Adrian Midgley 1
    FAIL

    NHS requires IE6 still

    The NHS Choose & Book system for queuing patients up to new referrals to hospital clinics requires IE6.

    It is written to use some Active X thing, so the existing central stuff won't work with anything but IE, but I am pretty certain that somewhere in the closed source of it there is a line saying

    If BrowserID != "IE6"

    blow raspberry

    exit

    It would be odd if it was only general practice that had this stuff imposed on it, I assume that appointment departments have the same interface.

    It wasn't my idea, and losing Crash & Burn would be no great loss for patients or professionals, but the NHS does seem to be hoist on a petard there.

Page:

This topic is closed for new posts.

Other stories you might like