MS warns over zero-day IE bug

Microsoft warned on Wednesday of a new zero-day vulnerability in Internet Explorer. The flaw creates a means for hackers to inject malware onto vulnerable systems, providing surfers are first tricked into visiting booby-trapped websites. As such the flaw poses a severe drive-by download risk. All established versions of IE (from …

COMMENTS

This topic is closed for new posts.
Gates Horns

You could...

Follow Microsoft's advice, install extra software, watch a video on how it works and start hacking around so that: "this type of exploit will most likely fail".

Or you could just use a different browser.

3
0
Stop

or just not purchase IE at all

Oh, sorry, you have to purchase it. You were given no choice.

Just remember if you have a copy of IE, your opinion simply does not matter.

2
2
Linux

RE: or just not purchase IE at all

"You were given no choice."

But you DO have a choice - just apparently not one you are willing to make (yet).

0
0
FAIL

Ugh....

So the attackers can avoid ASLR because mscorie.dll wasn't compiled with the /DYNAMICBASE option?? Way to go... introduce new security feature, then have one of your own dlls not implement said security feature.

Face, meet palm.

3
0
Gold badge

Re: Ugh

Yes, it's embarrassing, but what will be really embarrassing is if they now spend a month without a patch. After all, they've identified that an essential part of the exploit is MSCORIE.dll not being flagged as dynamically re-locatable, and it must be quite stunningly easy to verify that it would be safe to flip that bit because you actually need to try quite hard to create a DLL that isn't safely relocatable. (To judge from their mitigation advice, they've already done this part.)

So, Microsoft, how long will it take to create a patch that flips one bit in one DLL header?

1
0
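The two posts above turn on a single flag in a DLL's PE header: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, which the linker's /DYNAMICBASE option sets and which tells the loader the module may be relocated under ASLR. The following checker is an added example, not code from the thread or from Microsoft; it parses that field directly and audits a set of modules for ones that opt out. The module names and the minimal PE headers it runs on are constructed for the demonstration (mscorie.dll is only the name mentioned in the thread), and the same functions work on a real file read with `open(path, "rb").read()`.

```python
import struct

# Bits of the optional header's DllCharacteristics field (PE specification).
DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in (/DYNAMICBASE)
NX_COMPAT = 0x0100     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP opt-in (/NXCOMPAT)


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip PE signature and the 20-byte IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers
    return struct.unpack_from("<H", image, opt + 70)[0]


def aslr_opted_in(image: bytes) -> bool:
    """True if the loader may relocate this module (the bit the thread talks about)."""
    return bool(dll_characteristics(image) & DYNAMIC_BASE)


def modules_without_aslr(modules: dict) -> list:
    """Names of modules that would load at a fixed, predictable base address."""
    return sorted(name for name, img in modules.items() if not aslr_opted_in(img))


def build_sample_image(characteristics: int) -> bytes:
    """Constructed minimal PE32 header (not a loadable DLL) carrying the given flags."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: i386, 1 section, 224-byte optional header, EXECUTABLE|DLL|32BIT
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)            # PE32 magic
    struct.pack_into("<H", optional, 68, 2)               # Subsystem: Windows GUI
    struct.pack_into("<H", optional, 70, characteristics)  # DllCharacteristics
    return dos + b"PE\0\0" + file_header + bytes(optional)


if __name__ == "__main__":
    # Constructed sample: one module with ASLR and DEP, one with DEP only.
    sample = {"ieframe.dll": build_sample_image(DYNAMIC_BASE | NX_COMPAT),
              "mscorie.dll": build_sample_image(NX_COMPAT)}
    print("modules without ASLR opt-in:", modules_without_aslr(sample))
```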
Gates Horns

Ways to mitigate against the attack...

Well I doubt this is the Microsoft approach but the easiest way to defend against this attack is to use another browser!

2
0
Silver badge

Nostalgia

It's just like the old days -- Windows bugs by the hatful.

Next they'll have the machine rebooting after every individual fix is installed.

Makes me (sniff, sniff) remember the good times of 'Windows patches? Put the kettle on and order some pizza, we're here for the long haul'.

2
0
g e
Silver badge

Makes me yearn

for Windows 3.11 where everything could be fixed using edit.com

1
1
g e
Silver badge

Actually I lied

I yearn not for 3.11

I use Ubuntu.

2
3
Silver badge
Flame

Internet Exploiter

In other news, fire is hot.

3
1
Silver badge
Pint

And this is somehow Newsworthy?

Come on El Reg. I challenge you to go through all your archives and count the number of articles that have said exactly the same thing. 'Zero Day bug for IE'.

While you are at it and in the spirit of goodwill, how about letting us comment on articles written by AO?

Why does he not allow the readership to comment on his work? Are you trying to hide something? Will it be leaked to WikiLeaks?

Come on El Reg, let us know. That will surely be far more interesting than Zero Day IE Exploits, especially at this time of year.

That's me done until 2011. Off down the Brewery to pick up my order for Advent Ale.

3
2
Flame

Microsoft

Is it true that Microsoft have never released any piece of software except "Calculator" and "Solitaire" that doesn't contain a massive security hole?

0
0

Well...

Not *technically* a security bug in Calculator, but there is a security escalation vulnerability in the Help file for Calculator that in some versions of Windows can be used to open a command prompt or execute other applications that a limited user account is otherwise barred from executing.

3
0
Joke

A vulnerability in IE?

Never!

0
2
FAIL

A vulnerability in Firefox

Never.....

0
0
FAIL

Not new

"a new zero-day vulnerability in Internet Explorer" > "All established version of IE (from 6 to 8) are affected" ... so it's been there a long while, hardly new is it?

1
1
Thumb Down

So we have to use what to update MS

So we have to use IE to update a known flaw in IE!

Until we can update MS programs without having to be tied into IE, and forced to have it installed on our machines, what do we expect?

3
0
FAIL

Windows Update

Apparently, you've never seen/used the Windows Update feature baked into WinXP-Win7? Last I checked, IE was only necessary (on WinXP only) to manually download patches from MS. Since Vista, the OS simply uses the Windows Update interface to present patches to install. Even in XP, you can cause Windows Update to manually fetch patches. No need for IE.

0
1
Anonymous Coward

Uhh...

Windows Update in Windows Vista and 7 is a standalone program. Windows Update only runs in IE in XP (and earlier versions, I guess).

0
0

Perfect timing...

Opera 11 having just been launched.

Go on, give it a whirl.

It's non-Google, non-Apple, non-MS, European and free.

The least you can do is try it.

2
1

Public?

Interesting phrasing in the linked MS technet article "the only public ways to evade ASLR and DEP is through..."

So, presumably then MS has non-public techniques to get around those protections. Not a real surprise, I guess, but is this another case of security through obscurity? That always works out so well...

1
0
FAIL

Responsible Disclosure

The art of Responsible Disclosure means MS is notified before the general public, and thus they likely have reports of other means of bypassing ASLR and DEP, but are currently working on patches/workarounds before it can become Public Knowledge.

0
0

CIO Perspective

We will be applying new Microsoft patches to all our desktop computers to enhance the security of Internet Explorer 6. Please be aware of corporate policy not to attempt to install unauthorised third party browsers. Non-Microsoft browsers are not supported by our IT team or by Microsoft.

Please refrain from using sites, developed by trendy web designers, known to have issues with IE6, such as Facebook or Google Maps. Please use Microsoft services instead.

4
0
Stop

some CIO

I guess you were being sarcastic.

But, Microsoft is not. If you have a copy of IE your opinion does not matter. And that is true even if you are a CIO. Or, CIA or any other alphabet.

0
1
FAIL

Nice mention...

Which is funny, as IE 6 doesn't have ASLR or DEP support and I doubt that the EMET workaround will work for it either.

I hope that all those corporate security types that love XP/IE6, like HMG, are paying attention to this.

1
0
Joke

Ooo arr?

MS recommends using an alternative browser until IE is not quite as hack-able?

1
0