back to article Redmond probes new IE 8 vulnerability

Microsoft has confirmed a bug in Internet Explorer 8, CVE-2013-1347, which exposes user machines to remote code execution. In an advisory, Microsoft says the vulnerability “exists in the way that Internet Explorer [accesses] an object in memory that has been deleted or has not been properly allocated.” That, in turn, opens the …

COMMENTS

This topic is closed for new posts.

Eh?

'Microsoft says the vulnerability “exists in the way that Internet Explorer access an object in memory that has been deleted or has not been properly allocated.”'

When I see English like that, I normally assume a scam from someone whose first language isn't English. Though I suppose, as Microsoft is a 'merkin company...

4
3
Thumb Down

Re: Eh?

Just because *you* don't understand it doesn't mean it's not a succinct explanation of the issue, which is further expanded in the article.

1
1
Bronze badge

Re: Eh?

Actually, he's correct. It should be "accesses" rather than "access".

However, I don't understand how this happened in the first place - surely you'd NULL the pointer after freeing the memory?

0
0
(Written by Reg staff)

Re: Re: Eh?

Thanks, all. I have corrected Microsoft's grammar now.

1
0
Unhappy

Re: Eh?

Problem is that pointers can be copied and otherwise reproduced.

To be reasonable safe, you would want to clear memory both at allocation and at free.

In the name of "efficiency" this is never done (at least on anything now living).

1
0
Bronze badge
Coat

Re: surely you'd NULL the pointer after freeing the memory?

Ooooh!, I see an up your bum 'FreeAndNil' v's 'Free' discussion coming on. IGMC - life to live type stuff.

0
0
Silver badge
FAIL

'enry the eighth I am I am...

So fix it. The next twelve are already floating around out there.

2
0
Anonymous Coward

Re: 'enry the eighth I am I am...

Or upgrade to any of the newer and therefore more secure versions of internet explorer which the bug didn't apply to. If I was managing an IT department running software that was 2 versions behind, I'd expect the occasional exploit.

0
2
Silver badge

Re: 'enry the eighth I am I am...

Lots of people still using XP, 8 is the new version of IE.

If you need to access a site that uses active x then you can't use a different browser.

1
0

Invincea!

Voo-va-voo!

[reaches for sickbag]

1
0
Silver badge
Linux

Why don't they just throw in the towel?

Give up software microsoft - you're shit at it. Stick to extorting $5-$15 per device from those who get it right.

Whilst you can.

7
8
Bronze badge
Linux

Re: Why don't they just throw in the towel?

Sir, you must have read my thoughts :-) At least Ms could liberate themselves from the browser business and concentrate on providing better browser choices (you guys in EU are lucky!).

Interestingly, IE is not as dominating as preinstalled Windows. FF and Chrome(ium) are very close to it. How often do the latter browsers misbehave (on Windows)? Those that try to use the market share as an argument in malware proliferation, should next time come up with a more reasonable explanation here.

5
0
Anonymous Coward

Re: Why don't they just throw in the towel?

Oh look, two of the regular MS nay-sayers who seem to be claiming that the largest, most successful software company in the world can't do software.

How very boring.

0
5
Silver badge

Re: Why don't they just throw in the towel?

Truth is boring.

5
1
Anonymous Coward

Re: Why don't they just throw in the towel?

Recent versions of Firefox and Chrome have far more vulnerabilities than even IE8 according to Secunia....

0
2
Bronze badge

Re: Why don't they just throw in the towel?

Recent versions of Firefox and Chrome have far more vulnerabilities...

Remind us please, when did last time any of those allow dropping a trojan without a user's consent and exploited in the wild? Moreover, even the last pwn2own contest one Chrome flaw was partly "Windows kernel flaws to bypass Chrome sandbox ".

And yet, no known exploitable stuff on Linux. Yes, of course any Linux distro has much more vulnerabilities than Windows does. Sure, there is several magnitudes more software on any Linux that is being counted, more hardware architectures to be included. Plus these vulnerabilities are too technical and not that interesting as the favorite MS' remote code execution delicacies after all.

3
1
Silver badge
Facepalm

Re: Why don't they just throw in the towel?

Oh look, an Anonymous Coward seems to be ignoring the fact the largest, most successful Patent Troll in the world is once again doing what they are best at and ignored the elephant in the room.

Once again.

4
1
Anonymous Coward

Re: Why don't they just throw in the towel?

The difference is that pretty much no one uses Linux as a desktop so no one bothers targeting it for these type of exploits.....there have been several self replicating viruses / worms that didn't even need user interaction on Linux.

If you look at where Linux is actually used like webservers, you are far more likely to be hacked if you run Linux than if you run Windows - Windows is much more secure against remote exploits due to the much lower vulnerability count. Linux has well over 900 vulnerabilities in the kernel alone!

0
1
Bronze badge
FAIL

@AC

.. no one uses Linux as a desktop..

More people use Firefox and Chrome than IE across a whole lot of OSes and versions of Windows, though the latter browser is much more targeted despite the comparatively lower number of divulged vulns.

there have been several self replicating viruses / worms that didn't even need user interaction on Linux.

Too much smoking is no good, even for an AC. Or, you're talking about those proof-of-concept ones that are created and live in labs only?

you are far more likely to be hacked if you run Linux than if you run Windows

Any stats to support that? Whatever you install, it always up to you to insure an easy hack:

1) weak credentials, password, easy to guess username, allowing root for ssh, password logins, writing your login credentials on your (friend's) forehead, using a Windows machine to keep it/login to it etc

2) failing to update your system for security fixes

3) misusing apps on web/mail servers, like bad php-coding, WordPress plugins, turning extraneous Apache plugins etc

4) using crappy (in-house) sql back-ends or/and writing bad sql code to allow an easy sq-injection

5) with 4 stupidly ignoring the rule # zero to never store your users credentials in clear text or without proper hashing and salts.

Those and more apply to both Windows, Linux, FreeBSD and even OpenBSD, however, you still don't see any other web/mail servers to utilize AV, other than when they need to filter it for Windows client machines.

0
0
Anonymous Coward

Re: @AC

IE has several times more market share than either Chrome or Firefox:

http://thenextweb.com/insider/2013/03/01/internet-explorer-continues-growth-past-55-market-share-thanks-to-ie9-and-ie10-as-chrome-hits-17-month-low/

Slapper, Lion and Ramen spring to mind as Linux malware I have seen in the wild.

Stats to support Windows being more secure as an internet facing server: http://www.zone-h.org/news/id/4737

As you can see the majority of Linux exploits are via kernel holes.

0
0
Gold badge

It may seem ancient but...

...it actually only came into this world in 2009 and will (as a "component") enjoy the support lifecycle of the parent OS at the time of release.

On the other hand, MS may well argue that IE9 is the version of this "component" in the most recent service pack for Vista or 7. Their long-standing policy is not to support older SPs after a couple of years of the new one being available, so presumably IE8 is already out of support on those platforms. That would leave just XP (which is famously dead next Spring) or XP Pro Embedded (which lives on until Dec:2016).

2
0

Re: It may seem ancient but...

I think we've all accepted by now that the internet is the new wild west, and you've got to keep your defences up. Anyone not upgrading their browser regularly - regardless of flavour - is asking for trouble.

0
0
Bronze badge

Re: It may seem ancient but...

Service packs don't include new versions of IE. This means the original version (IE7 for Vista or IE8 for 7) is supported until end of life. That means the end of support for IE8 (and IE7 due to server 2008 support) isn't until 2020-01-14.

The scary part of all this is that the date you have for XP embedded means that microsoft will continue to support IE6 until the end of 2016 although I'm not sure what the update mechanism is for embedded windows.

0
0
Bronze badge

Umm,

So Internet Explorer 8 has a zero day. That would be the same IE8 which was the last version which could run on XP and XP is coming up to end of support? Ummm. IGMC.

3
0
Silver badge
Facepalm

World - 1 million, Luddites - 0

How's that XP workin' for ya?

0
1
Happy

Re: World - 1 million, Luddites - 0

XP is working fine for me. Thank you.

I believe it will work fine for the next 10 years (unless MS stops making every Windows worse than the last one).

The secret is not to touch the Internet with anything made in Redmont. Use a hardware firewall (like a router). When OS updates stop coming, configure IE to look for a nonexistent Web proxy. Get online with Firefox or Chrome. You'll be all right.

2
0
Silver badge

Shocked, I say, shocked!!

Microsoft software has an exploited vulnerability? Shocked, I say.

So, are we taking wagers on when the next one appears and has already taken advantage of?

Let's see, when is "Patch Tuesday"?

3
0
This topic is closed for new posts.

Forums