Microsoft warned on Wednesday of a new zero-day vulnerability in Internet Explorer. The flaw creates a means for hackers to inject malware onto vulnerable systems, providing surfers are first tricked into visiting booby-trapped websites. As such the flaw poses a severe drive-by download risk. All established versions of IE (from …
Follow Microsoft's advice, install extra software, watch a video on how it works and start hacking around so that: "this type of exploit will most likely fail".
Or you could just use a different browser.
or just not purchase IE at all
Oh, sorry, you have to purchase it. You were given no choice.
Just remember if you have a copy of IE, your opinion simply does not matter.
RE: or just not purchase IE at all
"You were given no choice."
But you DO have a choice - just apparently not one you are willing to make (yet).
So the attackers can avoid ASLR because mscorie.dll wasn't compiled with the /DYNAMICBASE option?? Way to go... introduce new security feature, then have one of your own dlls not implement said security feature.
Face, meet palm.
Yes, it's embarrassing, but what will be really embarrassing is if they now spend a month without a patch. After all, they've identified that an essential part of the exploit is MSCORIE.dll not being flagged as dynamically re-locatable, and it must be quite stunningly easy to verify that it would be safe to flip that bit because you actually need to try quite hard to create a DLL that isn't safely relocatable. (To judge from their mitigation advice, they've already done this part.)
So, Microsoft, how long will it take to create a patch that flips one bit in one DLL header?
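Added example, not part of the thread or of Microsoft's advisory: the bit these comments refer to is the `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` flag (0x0040) in the PE optional header's `DllCharacteristics` field, which the linker sets for `/DYNAMICBASE`. The Python sketch below audits a PE image for that flag and for the DEP opt-in flag; the function names are hypothetical and the sample headers are constructed for the demo.

```python
import struct
import sys

DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, set by /DYNAMICBASE
NX_COMPAT = 0x0100     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT, set by /NXCOMPAT

def dll_characteristics(image: bytes):
    """Return (file offset, value) of OptionalHeader.DllCharacteristics."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: no PE signature")
    opt = e_lfanew + 4 + 20          # signature + 20-byte COFF file header
    if opt + 72 > len(image):
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    offset = opt + 70                # same offset in PE32 and PE32+
    return offset, struct.unpack_from("<H", image, offset)[0]

def audit(image: bytes) -> dict:
    """Report whether the image opts in to ASLR and DEP, and where the flag word lives."""
    offset, value = dll_characteristics(image)
    return {"offset": offset, "aslr": bool(value & DYNAMIC_BASE),
            "dep": bool(value & NX_COMPAT)}

def make_sample(dll_chars: int, magic: int = 0x10B) -> bytes:
    """Constructed header-only PE image (not loadable), for the demo."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew points just past the stub
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    if len(sys.argv) > 1:            # audit real files given on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, audit(fh.read()))
    else:                            # otherwise show the two constructed headers
        print("without /DYNAMICBASE:", audit(make_sample(NX_COMPAT)))
        print("with /DYNAMICBASE:   ", audit(make_sample(NX_COMPAT | DYNAMIC_BASE)))
```

Run it over a directory of DLLs to list modules that a process would load at a fixed address; a module reporting `aslr: False` is the kind of gap the comments describe.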
Ways to mitigate against the attack...
Well I doubt this is the Microsoft approach but the easiest way to defend against this attack is to use another browser!
It's just like the old days -- Windows bugs by the hatful.
Next they'll have the machine rebooting after every individual fix is installed.
Makes me (sniff, sniff) remember the good times of 'Windows patches? Put the kettle on and order some pizza, we're here for the long haul'.
Makes me yearn
for Windows 3.11 where everything could be fixed using edit.com
Actually I lied
I yearn not for 3.11
I use Ubuntu.
In other news, fire is hot.
And this is somehow Newsworthy?
Come on El Reg. I challenge you to go through all your archives and count the number of articles that have said exactly the same thing. 'Zero Day bug for IE'.
While you are at it and in the spirit of goodwill, how about letting us comment to articles written by AO?
Why does he not allow the readership to comment on his work? Are you trying to hide something? Will it be leaked to WikiLeaks?
Come on El Reg, let us know. That will surely be far more interesting than Zero Day IE Exploits especially at this time of year.
That's me done until 2011. Off down the Brewery to pick up my order for Advent Ale.
Is it true that Microsoft have never released any piece of software except "Calculator" and "Solitaire" that doesn't contain a massive security hole?
Not *technically* a security bug in Calculator, but there is a security escalation vulnerability in the Help file for Calculator that in some versions of Windows can be used to open a command prompt or execute other applications that a limited user account is otherwise barred from executing.
A vulnerability in IE?
A vulnerability in Firefox
"a new zero-day vulnerability in Internet Explorer" > "All established version of IE (from 6 to 8) are affected" ... so it's been there a long while, hardly new is it?
So we have to use what to update MS
So we have to use IE to update a known flaw in IE !
Until we can update MS programs without having to be tied into IE, and forced to have it installed on our machine, then what do we expect.
Apparently, you've never seen/used the Windows Update feature baked into WinXP-Win7? Last I checked, IE was only necessary (on WinXP only) to manually download patches from MS. Since Vista, the OS simply uses the Windows Update interface to present patches to install. Even in XP, you can cause Windows Update to manually fetch patches. No need for IE.
Windows update in Windows Vista and 7 is a standalone program. Windows update only runs in IE in XP (and earlier versions I guess).
Opera 11 having just been launched.
Go on, give it a whirl.
It's non-Google, non-Apple, non-MS, European and free.
The least you can do is try it.
Interesting phrasing in the linked MS technet article "the only public ways to evade ASLR and DEP is through..."
So, presumably then MS has non-public techniques to get around those protections. Not a real surprise, I guess, but is this another case of security through obscurity? That always works out so well...
The art of Responsible Disclosure means MS is notified before the general public, and thus, they likely have reports of other means of bypassing ASLR and DEP, but are currently working on patches/workarounds before it can become Public Knowledge.
We will be applying new Microsoft patches to all our desktop computers to enhance the security of Internet Explorer 6. Please be aware of corporate policy not to attempt to install unauthorised third party browsers. Non-Microsoft browsers are not supported by our IT team or by Microsoft.
Please refrain from using sites, developed by trendy web designers, known to have issues with IE6, such as Facebook or Google Maps. Please use Microsoft services instead.
I guess you were being sarcastic.
But, Microsoft is not. If you have a copy of IE your opinion does not matter. And that is true even if you are a CIO. Or, CIA or any other alphabet.
Which is funny, as IE 6 doesn't have ASLR or DEP support and I doubt that the EMET workaround will work for it either.
I hope that all those corporate security types that love XP/IE6, like HMG, are paying attention to this.
MS recommends using an alternative browser until IE is not quite as hack-able?