Hackers have latched onto a vulnerability in Internet Explorer patched by Microsoft last week as a useful way to spread malware. The vulnerability is CVE-2012-1875 – which was patched in MS12-037 as part of the June edition of Microsoft's Patch Tuesday – and it is being exploited in the wild. Attacks are typically delivered by …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Tuesday 19th June 2012 14:21 GMT Lee Dowling

It does worry me, not that people are still finding bugs in IE, but that those bugs are so prevalant and easy to find, and nobody has bothered to actual fix the cause (not just patch the resulting symptom).

Use-after-free = we don't track variable state / memory handling properly and could crash your browser in a second even in normal use.

ASLR = defeated by making IE load an "old" pre-ASLR DLL (why do those still exist, and why don't their addresses get randomised by some wrapper for them?)

DEP = defeated by putting "jmp" statements into the data area (instead of literal code) that call into executable memory which does the actual work instead. (Why is this allowed and why does the "jmp" not get classed as an execution in a data area too?)

3 1
Tuesday 19th June 2012 14:32 GMT Anonymous Coward

chrome anyone?

or firefox, opera, safari.

Honestly I'd even consider Midori better than IE.

4 4
1. Tuesday 19th June 2012 17:26 GMT Martipar
  
  Re: chrome anyone?
  
  I believe that copious amounts of midori are required before the use of IE
  
  1 0
2. Tuesday 19th June 2012 17:56 GMT Sandtitz
  
  Re: chrome anyone?
  
  You are deluded if you are replacing IE blindly with Chrome because IE is so vulnerable.
  
  Let's check what Secunia says about these browsers for this year, shall we?
  
  IE9 - 22 vulnerabilities this year - 53 vulns since IE9 was introduced 14 months ago.
  
  Chrome (versions 17-19 released this year, I'm not gonna dig further) - I counted 117 vulnerabilities though some may be duplicates.
  
  Safari 5.x - 90 vulns this year, 303 vulnerabilities since its introduction 2 years ago. Nice!
  
  Firefox (versions 10 - 13 releases this year, I'm not gonna dig further) - 40 vulnerabilities.
  
  Opera - I counted 12 vulnerabilities.
  
  I didn't know of Midori's existence before your message. Tried it and it's more bloated than Opera (disk space wise). Needs more polishing and an installer as well.
  
  I understand replacing IE because it's slow or clunky to use or doesn't feature your favorite plugins but it doesn't seem more exploitable than Chrome, Safari or Firefox. Please prove me wrong if you can.
  
  7 2
  1. Wednesday 20th June 2012 05:40 GMT Franklin
    
    Re: chrome anyone?
    
    "I understand replacing IE because it's slow or clunky to use or doesn't feature your favorite plugins but it doesn't seem more exploitable than Chrome, Safari or Firefox. Please prove me wrong if you can."
    
    Not all vulnerabilities are the same; there are many different classes of vulnerability, with different implications. For example, a vulnerability that crashes the browser may present a denial-of-service problem, but it's rather different than a vulnerability that allows arbitrary code execution with administrator privileges.
    
    Part of what makes IE so nasty is that arbitrary-code problems often end up running as root, rather than running in userland. That's not the case with other browsers.
    
    1 0
    1. This post has been deleted by its author
    2. Wednesday 20th June 2012 16:16 GMT Sandtitz
      
      Re: chrome anyone?
      
      "Not all vulnerabilities are the same"
      
      True. Relying again on Secunia reports for year 2012 on the browsers that were recommended by the AC:
      
      Chrome - multiple 'highly critical' vulnerabilities that provide at least 'system access'.
      
      IE9, Safari, Opera, FF - ditto. Firefox 12 also had a vulnerability allowing privilege escalation.
      
      All browsers seem to be at parity here.
      
      "Part of what makes IE so nasty is that arbitrary-code problems often end up running as root, rather than running in userland. That's not the case with other browsers."
      
      Care to elaborate this claim? According to Secunia IE6 thru IE9 has had zero privilege escalation bugs. Windows has had multiple privilege escalation bugs which are exploitable with any browser that has had a vulnerability that allows system access (on user space)
      
      0 0
Tuesday 19th June 2012 14:37 GMT Ken Hagan

Those legitimate websites

"Attacks are typically delivered by JavaScript code embedded in websites, some of which are actually legitimate."

I assume you mean to imply that the website is owned by someone with no hostile intent but it has been taken over by someone less friendly. The notion of a "legitimate yet unsafe" website is oxymoronic.

1 0
1. Tuesday 19th June 2012 19:43 GMT Anonymous Coward
  
  Re: Those legitimate websites
  
  How about Google serving malware laced ads, it happened to a friend of mine, who only allowed Google sourced sites to execute scripts and he got rooted.
  
  1 2
2. Tuesday 19th June 2012 22:39 GMT Jon B
  
  Re: Those legitimate websites
  
  Pretty much any website that serves up advert banners can be susceptible, if the advert is malicious.
  
  1 0
Tuesday 19th June 2012 22:31 GMT Stevie

Bah!

It was extremely stupid of Microsoft to patch IE as a way of spreading malware.

1 0
1. Tuesday 19th June 2012 23:24 GMT Anonymous Coward
  
  Re: Bah!
  
  Microsoft once released a patch that caused PCs infected with a particular rootkit (TDSS) to crash. To solve the problem they stopped the patch being installed on infected PCs. The rootkit author then updated the software so that Microsoft could then apply the patch to those machines as well.
  
  Although Microsoft could detect infected machines to prevent the patch being installed they made no attempt to inform the user about the rootkit. They were, in effect, working with the malware authors.
  
  2 0