back to article In-the-wild attacks find hole in (fully-patched) IE 7

Security researchers are reporting in-the-wild attacks targeting a previously unknown vulnerability in fully patched versions of Microsoft's Internet Explorer browser. They surfaced on the same day that Microsoft released its biggest batch of security patches in five years. Internet users located in China report infections …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Flame

    This may sound bad...

    ...but I dont suppose any of you have any examples of this in the wild?

    Rather than go debug this myself, I might as well steal the existing code.

  2. Lewis Mettler
    Stop

    just do not purchase IE

    Oh, I forgot.

    Microsoft removed your ability to not purchase it.

  3. Flocke Kroes Silver badge

    Switch to Lynx ...

    ... the browser that is immune to all possible javascript based malware.

  4. Pierre
    Happy

    Some things never change...

    Vista is so inherently secure that you do not need any anti-malware software, and you should not get any. That's what they said... seems that it was "security by non-operability" rather than anything else.

  5. yeah, right.

    hardened?

    I don't believe the term means what you think it means. To me, "hardened" means "close to impenetrable". What Microsoft does is more like "vaguely firm, sort of", but definitely not "hardened". It's like the difference between "carbon steel alloy 1090" and "firm tofu", with Microsoft's offerings more on the "firm tofu" end of things.

  6. Anonymous Coward
    Anonymous Coward

    Wow.

    How surprising.

  7. Tom
    Happy

    @ yeah, right.

    "Firm tofu"? I think "Casu Marzu" is what you are looking for. :p

  8. Rune Moberg

    Re: Some things never change...

    Pierre, I doubt many of the affected users _didn't_ have updated anti-malware. The real problem is that most users update their virus-definition files AFTER an outbreak has occured. In this story, McAfee started investigating after the outbreak.... Much, much, too late.

    So anti-malware is not the answer. At least not to any question I can think of.

    Browsing with javascript disabled OTOH, has saved me lots of grief. (and apparently protects me against this threat as well)

    But, IE7, under Vista, runs with reduced priviligies. The Register neglects to mention whether this helped or not. I would be surprised if it didn't. (but this story wasn't limited to Vista, so XP users are out of luck in either csae)

  9. Pirate Dave Silver badge
    Pirate

    Firm tofu?

    more like cheese. Swiss cheese.

  10. Pierre

    Swiss cheese?

    More like cottage cheese.

  11. Neil Stansbury
    Paris Hilton

    Switch to..

    ..anything other than Internet Explorer - why do you people still use this arcane crap?

    For all their noise, they obviously have done little to fix the underlying code base insecurities, and for christ's sake - what's wrong with these idiots, sequencing and catching calls to malloc() and free() really isn't rocket science. It's called memory management guys - give it a try some time.

    Paris - because I bet even she remembers who she's malloc()ed.

  12. Anonymous Coward
    Stop

    @so many..

    "stop using i.e"...

    yeah like Firefox or Opera have no security holes. All those hundreds of patches have been for oooo I don't know, fun?

    I'm off to use my ZX Spectrum, yet to see any security patches for that, so must be the most secure computer out there....

  13. Nic Brough

    @Stu Reeves

    >like Firefox or Opera have no security holes

    Er, that's not the point. The point is that patches are usually released quickly once a problem is discovered, and they tend to work. Microsoft tend to leave IE wide open to exploits for weeks or months, and quite often produces half-hearted, half-finished or untested patches.

    To be fair, we're approaching the point where the only viable "patch" for IE security (and in fact, functionality and standards) is for MS to replace the core .exe file with a something that just pops a message box with "you can download <insert list of 5 "best" browsers> by clicking here"

  14. Anonymous Coward
    Anonymous Coward

    @Stu Reeves

    Not as secure as my BBC Master.

  15. Rune Moberg
    Stop

    It is not all MS' fault

    The problem with IE7 is that they disabled DEP by default. Why? Many plugins (Flash, Java VM, QuickTime, etc) require/required DEP to be disabled, because they depend on executing code from memory pages not marked as read-only/execute.

    http://blogs.technet.com/bluehat/archive/2008/04/28/the-battle-for-the-browser-your-pc.aspx

    So blame Adobe for being late with DEP support. Blame Sun. Blame Apple. Etc... They are the ones making IE7 a viable target. :(

    At home I disable activex, java and javascript. Problem solved.

This topic is closed for new posts.

Other stories you might like