Feeds

back to article Security bods rip off Microsoft's 'sticking plaster' IE bug fix

A security researcher has developed a method to circumvent Microsoft's temporary fix for a zero-day Internet Explorer browser vulnerability. Redmond release a temporary Fix It to defend against the flaw last week, pending the development of a more complete patch which it later emerged would not arrive with updates due to be …

COMMENTS

This topic is closed for new posts.

This post has been deleted by a moderator

JDX
Gold badge

Re: IE truly sucks

Considering other browsers routinely get boshed pretty much instantly at those hack contests, your vision seems a bit blinkered here. MS spend more on security alone for IE than FF and Apple collectively spend on their browsers in total, I'd wager. And MS hire decent people.

4
12
Anonymous Coward

Re: IE truly sucks

All software has bugs and security holes. Software is written by humans in languages created by humans, using libraries and operating systems made by humans on processors made by humans.

What I don't get is why these "security researchers" aren't working at Microsoft or wherever.

0
1
Silver badge

Re: IE truly sucks

@JDX - it's not the man hours or money spent but Microsoft's thoroughly flawed approach to welding particular versions of a browser to particular versions of its operating system.

Windows XP is supported until 2014 and ssers have a right to expect MS to provide the promised support which they have already paid for. Plenty of people are still using it, partly because their hardware cannot run a more recent version - there are plenty of machines out there with only 512 MB. Fortunately, most such users know someone who has installed a more recent browser than IE 8, which is as good as it gets on Windows XP. They are screwed, however, when they come across the many sites that insist on Internet Explorer, which still happens on many sites in many countries.

But, it's not just "sitck in the mud" home users, some of the worst offenders are big corporates with fat MS licences. One of my customers is currently not intending to move from IE 8 on Windows 7 until IE 10 becomes available, presumed to be at some point in 2014. The most recent problems with IE - the main company website didn't work properly due to restrictions imposed by the last major flaw - have forced a more aggressive rollout of Firefox now that LTS versions are available.

And I know from a friend of mine who's machine was hacked last month in a drive-by from a website using the stipulated browser (IE 8) of his international company. He was forced to use FF on his wife's machine while the IT department tried to fix his.

MS still offers companies something with the degree of control of centralised settings management but the lead over other browsers, Firefox in Europe, Chrome in the US and Safari everywhere is evaporating: down from approx. 40 % in Q2 2012 to less than 30 % by the end of Q4.

4
0
Anonymous Coward

Re: Re: IE truly sucks

They can spend as much as they want on "security", but as long as they take the, "another layer of sticking plasters and it should hold" approach instead of developing a secure OS from the ground up, they're just pissing in the ocean.

(also, MS often don't hire decent people because windows is a sane devs nightmare)

6
2
Anonymous Coward

Re: IE truly sucks

3/10 Troll harder next time.

0
0
Silver badge

Re: IE truly sucks

But how do you do that without breaking half the software in the world (a good chunk of which is very expensive custom business software from firms no longer in existence)? Look at how Windows 8 is progressing. They're trying a new approach that has more security potential, but it's been a rocky road.

1
1
Bronze badge
Windows

you can routinely get $60,000

as a side-effect of a routine "boshing" of Google's Chrome, as we have seen it. $00,000 and a kiss from Microsoft as a contrast.

MS spend more on security alone for IE..

We don't know how it is done. The verb spend on might be synonymous to the verb waste on here.

They can, of course, hire good programmers, they might not be able to afford as many *good* eyeballs inspecting their code, as firefox, chrome(ium) combined, though.

Microsoft has more money than most other IT companies and arguably have spent more on the development of Windows 8 RT than, say, Google can afford developing Android. The resultant 12GB of the system disk occupation found with their WIn8 RT (with office) might be a mystery for you and me.

3
0
Anonymous Coward

Re: IE truly sucks

MS don't pay you to wager. They pay you to astroturf. Do it again until you get it right.

2
2
JDX
Gold badge

Re: IE truly sucks

Grow up.

1
2
Silver badge

Re: but it's been a rocky road.

It's been a rocky road because instead of focusing on security they've been focused on forcing users into a new unified paradigm THAT DOESN'T WORK ON THEIR CORE MARKET SEGMENT.

We've been down this road four or five times now by my count. First Windows NT was going to be a new secure system. And for while it looked like it might be. But then they merged it with 95 base and blew that to hell. Then they put out SP2 for XP, which again "re-wrote" the MS security paradigm. And that was pointless. Then they released Vista with far too little engineering work on the essentials like drivers. Sure it was secure. Getting it to work was a miracle, changing anything was likely to break it. When they released Windows 7 we were all told that it had the security of the Vista kernel but it had fixed the driver problems. Mostly this was true, but once again IE broke the security.

1
0

This post has been deleted by a moderator

Silver badge

Re: Why don't we have worst software awards?

Because once upon a time we had something better. Until MS subverted it. I don't even remember the name any more, but it was an association of users who evaluated software on their needs. They were even successfully pushing companies into usable multi-user network licenses at reasonable prices (e.g. you could install a 100 user WordPerfect license on a 200 person network and any random 100 users could access it). But this threatened the MS cash flow so the infiltrated, subverted, and destroyed it.

0
0
Anonymous Coward

So the fix was a little less temporary than er, temporary.

Much is being made of the IE side of things. I'm more intrigued by what was wrong server-side, especially with respect to CFR (having seen their list of members). What's the news there?

Also, the CFR, claim that Flash was also a prerequisite.

0
0
Bronze badge
Holmes

"If security analysts at Exodus Intelligence can circumvent the fix then the implication is that cybercriminals might be able to do something similar"

0
0
Bronze badge

This is what happens when Microsoft would rather you upgrade your entire OS to get a newer version of the browser than release IE 9/10 for XP which is still in support until 2014. No wonder they lost market share to Firefox and Chrome, at least their latest versions still work on XP.

9
0
Bronze badge

and Microsoft aren't improving the situation, they should include updated versions of IE with service packs. At the moment IE6 will be supported up until 2015 when server 2003 is retired, IE7 and IE8 till 2020 when 2008 support ends. So that's still another 7 years of this kind of story.

1
0
JDX
Gold badge

A question to hackers or security people

I've always wondered when MS say "this vulnerability could allow an attacker to take full control of your computer" , what does that actually mean? In my head I see them using a vulnerability to mysteriously launch an RDP session to your PC or something but that sounds unlikely... anyone know first hand what it actually 'looks like' from the hacker's side?

0
1
Linux

Re: A question to hackers or security people

It means that the attacker can execute code on your system, usually that code will just be a dropper. Meaning it communicates with a HTTP server and grabs a binary. Then it executes it.

Whatever you program that binary to do, the computer will do...

So if you create a piece of malware that allows for VNC access, the attacker will get that

3
0
Bronze badge
Alert

Re: A question to hackers or security people

"Full control" means administrator-level access, so, yes, they could launch an RDP session if they wanted to. I recall the old Back Orifice party trick... you could remotely eject the CD tray, great for awareness raising, not much use for a criminal.

Typically, an attacker would try to be unobtrusive, and would install something to further their ultimate purpose. If the attack can be automated, then it will be used in drive-by attacks to install botnet software for later sale as DoS or spamming zombies; if the attack is more involved, then maybe used in targeted attacks on high-value victims for installing keyloggers; or capturing webcam images for extortion; the possibilities are endless.

0
0
Anonymous Coward

Re: A question to hackers or security people

[quote]"Full control" means administrator-level access...[/quote]

Most often it is the rights of the user under whose context the browser is running which determine the level of access, the sad fact is that too many people run as administrator because "they need to" or "they know what they are doing" (or simply because it is the OOBE for the first user created on Windows).

0
1
Stop

Re: A question to hackers or security people

According to the MS advisory (http://technet.microsoft.com/en-us/security/advisory/2794220) this exploit runs in the context of the user and doesn't directly allow privilege escalation.

0
0
Silver badge
Windows

Re: A question to hackers or security people

MEIN GOTT!!

A sensible, well constructed and salient answer from a Linux fanbois...

No slagging of Windows or its failings....

You, Sir, have just ever so slightly changed some of my feelings towards your brethren.......

+1

0
0
Bronze badge

obsolete versions of IE

"obsolete but still widely used versions of Microsoft's web browser software browsers"

"ob·so·lete

/ˌäbsəˈlēt/

Adjective

No longer produced or used; out of date."

unfortunately all these versions of IE are still current and supported by Microsoft. IE8 certainly can't be called obsolete because it's the highest version available for XP and server 2003 both of which are widely used.

9
0
Thumb Up

Re: obsolete versions of IE

I suppose a better word would be 'deprecated'.

1
0
Bronze badge

Re: obsolete versions of IE

how about "obsolescent" - in the process of becoming obsolete

0
0

Re: obsolete versions of IE

Hell, I'd call IE8 the 'latest stable' release.

0
0
Anonymous Coward

im gunna use IE right now

oh wait it doesnt work on my OS. whats Microsoft gunna do about it? lie and say theres is still the best.? yes!

uuuuuuu shut up

0
4
Silver badge
WTF?

Re: im gunna use IE right now

Are you alright mate???

Seems you have a bit of a mental / verbal issue there....

Can i offer you a 9mm asprin???

1
0
This topic is closed for new posts.