Sign in / up

back to article After months of denial, Microsoft cops to IE vulnerability

Microsoft has finally accepted responsibility for its role in a security weakness that allows malicious websites to run harmful code on an end user's machine. The acknowledgment of the vulnerability in Internet Explorer comes after three months of saying the burden lay with third-party software makers whose programs actually …

COMMENTS

House rules Send corrections
This topic is closed for new posts.
  1. gollux
    Dead Vulture

    Wow

    Microsoft is actually going to close another infection vector? Amazing! As usual they blow off admitting that there is a two ton pink elephant sitting in the room and then suddenly decide that it is a problem after it has become a way of compromising systems. How many denial of service errors have started out being claimed to be only an inconvenience, and then two months later, we find we have in reality a full blown exploitable buffer overflow.

    Now if we can go after everyone that trusted output from the IE7 infection proxy and didn't sanitize it before accepting it as input (Mozilla, Skype, etc.) and make them admit that they were the other 50% of the problem.

    0 0
  2. John

    Why are people still using IE??

    If you are reading this post using IE5/6/7 then your computer is at serious risk. You are maybe 3 clicks away from your PC being enslaved in a botnet. Go to www.getfirefox.com and install.

    0 0
  3. Simon Smillie

    Why is John (Post 12/10/2007 @ 03:50 GMT) a complete cretin?

    John,

    Just because people use IE DOESN'T mean they are at risk from being "enslaved in a botnet". Using various other software such as virus protection, anti-spyware and firewalls combat most of these problems. Secondly, you're more likely to get caught out surfing "questionable" sites. Is there anything you'd like to tell the group about your surfing habits?

    Grow up, IE isn't as bad as you Firefox fanbois make out - you seem to forget that no software is totally secure. If IE is so bad why did Firefox trust anything to be passed to it from IE?

    0 1
  4. Adam Ward
    Dead Vulture

    Um, Simon

    Simon please calm down.

    "Just because people use IE DOESN'T mean they are at risk from being "enslaved in a botnet"."

    No, but like heavy drinking and too much fatty foods its certainly an indicator of a coming health problem.

    "Using various other software such as virus protection, anti-spyware and firewalls combat most of these problems."

    Key word you use is: Most. Please note that earlier you talk about risk, you'd accept that, even with extensive additional software systems beyond Internet Explorer, there will remain a risk with using Internet Explorer.

    "Secondly, you're more likely to get caught out surfing "questionable" sites. Is there anything you'd like to tell the group about your surfing habits?"

    This rather nasty little slur is not particularly true. It might have been a few years ago, say for example in 1999, but the people involved in malware have become a lot smarter in how they deliver payloads. I know of at least one hair-styling site intended to appeal to teenage girls that was a trojan delivery portal. In the last week e-mail round robin letters purportedly out of Burma looking for support against the Junta were being used as a Trojan delivery system.

    "Grow up, IE isn't as bad as you Firefox fanbois make out - you seem to forget that no software is totally secure."

    I rather like the tabs in Firefox. Firefox isn't completely secure, what is in this wicked vale of tears? But even by your own admission IE has large vulnerabilities and does not fix them in a timely manner. In a world with zero day exploits, 3 months is far too long.

    " If IE is so bad why did Firefox trust anything to be passed to it from IE?"

    Errrm. As the article makes clear, as soon as the Firefox people realised how vulnerable the system was (back in July) they no longer trusted IE. You might as well ask what IE was doing to the other packages and what benefit the user was meant to get from it.

    0 0
  5. Anonymous Coward
    Anonymous Coward

    If IE is so bad...

    I seem to remember that MS used the ploy that IE was so deeply embedded in Windows that it was an integral part of the OS in order to defend themselves against an Anti-Trust suit. In day to day usage of computers we have the analogy of armoured soldiers defending themselves atop a bouncy castle. The enemy come along and puncture the castle. End of castle. AV software et al ain't gonna help, AV vendors agree that their software is dependent on OS updates being applied in a timely manner. So, coming back to Firefox. Every piece of software written for the Win environment is effectively dependent on these compromises, the people behind FF have done the correct thing by putting the pressure on to get these bugs fixed.

    0 0
  6. David Shaw
    IT Angle

    Questionable sites....

    @simon 12/10/2007 @ 05:30 GMT,

    no the malware and cross-site-scripting extent is certainly beyond 'questionable' sites, it is a fact that many 'normal' sites continue to be hit/hacked to host malware.

    1st Congressional district of Wisconsin Republican Part website, (iFrame/Storm)

    A fake NFL results website (iFrame/Storm)

    YouTube aggregate websites (iFrame/Storm)

    malicious Javascript in some eBay sale offers, everything

    any* site with banner adverts that has had the advert feed compromised

    (yes, this includes El Reg' !) Trojan

    and whatever malware will be invented tomorrow....

    IE is a reasonable browser, with flaws that MS is working on - but personally I ONLY use IE for windows update purposes. I use Firefox with TOR with RefControl, with NoScript with Flash/Shockwave deleted from the system. (and most of my webpresence is on a Mac or *nix system too!)

    think, even for home use, NSA type Multiple Independent levels of Safety/Security (MILS), anything else is OK , "if you're feeling lucky" (=You're certain that you have NO trojan - including maybe the stealth trojan that is almost totally inactive on your system, no slowdown , no IRC in the background - until it detects a bank account login - when it will keylog for a while , then slowly phone home)

    of course this brings to mind the Aircraft Safety comment .....quote from some bog somewhere..."Can't remember who it was exactly, but some senior bod at Rolls-Royce was once asked what he thought defined a really safe aircraft. His reply was something to the effect: "If my co-pilot told me that an engine had failed...and I asked him which engine...and he said 'Number 29 sir'...and then I asked him 'Number 29 on which side?'..."

    but it's YOUR bank account that could be microdebited in favour of far-away terrorism and YOUR IP that the police will be asking about the indecorous image webring.

    0 0
  7. James
    Thumb Down

    @Simon

    There are many reasons not to use IE. The biggest being because users who do ruin the web for users who don't. Pages get coded for ie and then don't work properly in browsers that actually bother to support standards.

    0 0
  8. James
    Coat

    Now Children . . .

    Firstly, since I started using Firefox I have had no botnet infections.

    While using IE they were common - my sites are pretty static so the 'dodgy' site routing doesn't cut it.

    I do however believe that as Firefox takes off the same will happen unless they take ownership of issues unlike Microsoft who have a tendency to use stall tactics in these matters.

    Back to the issue - I still don't get why these types of attack are allowed to continue, I do realise that authorities utilise them for investigations etc.... but you can't have it both ways. The sooner the onus gets formally past to the ISP the better.

    0 0
  9. Dam

    @Simon Smillie

    Well actually, yes it means so.

    Using IE is just asking for trouble.

    Using a decent browser that lets you disable/enable javascript on the fly (NoScript) or block adverts (AdBlock) which have been known to be an infection vector is a good start.

    Besides, the point is not that firefox is more secure, the point is that firefox vulnerabilities get addressed much faster than IE's.

    I don't know if you've seen this article on el reg ? Now hackers time their exploit releases with MS' patch days...

    It would have been acceptable if you weren't so aggressive against the previous poster that _did_ have a point and wasn't insulting to people using IE, merely informative.

    Hence I think you're the idiot, feel free to not respond I don't want a debate with your likes, sorry.

    0 0
  10. Julian Bond

    Two issues. Don't confuse them.

    Gollux. Careful there. There are two issues that look similar but have different responsibilities and outcomes. This one is about a 3rd party program calling shellexecute() for a protocol it doesn't understand. A carefully crafted URL passed to shellexecute on an XP machine with IE7 installed would then not get passed to a handler but would be executed locally. The 3rd party program bears no responsibility for this, It's just doing what it should. Passing on something it doesn't understand. The fault is entirely with Microsoft.

    This is not the same as a 3rd party program registering a handler and then falling to properly validate it's input which was the other similar problem.

    0 0
  11. Greg

    @gollux

    "Now if we can go after everyone that trusted output from the IE7 infection proxy and didn't sanitize it before accepting it as input (Mozilla, Skype, etc.) and make them admit that they were the other 50% of the problem."

    IIRC (correct me if I'm wrong), Firefox admitted they'd cocked up when this first happened, but urged MS to sort out their half of the bargain. As usual, MS have taken this long just to accept responsibility, so expect a patch sometime in 2009.

    0 0
  12. Paul Darcy

    Mines better than yours

    HAHA here we go again ie vs firefox. Well i'm doing this in firefox because up until not too long ago our company didnt allow ie7 to be installed. But I still need ie for some sites as firefox either doesnt open or wil not send data from the sites. personally I wonder why anything that wants to do anything other than show text and pics is not questioned by browsers. For the numb nuts it would make them safe and for those with knowledge, well we can go into further settings and change the backend to suit. It might slow the end user down a little bit but it would stop the users from getting malware and the likes on there system without there knowing. Or am I been too blond or simplistic.... It could be my hang over clouding my thought.

    0 0
  13. Richard

    Re: Why are people still using IE??

    If you believe firefox will protect you from hackers any more than IE, you're almost certainly much mistaken. All browsers have flaws which could be exploited by malicious hackers.

    There's many reasons why firefox is a great browser, but i don't think it's significantly more (or less) secure than recent (patched) versions of IE, or Opera. For me plugins are the reason I use firefox - firebug, HTML tidy, total validator etc are invaluable for website development and debugging. flashblock, foxyproxy, ietab etc make my browsing experience better.

    At the end of the day, firefox is just another piece of software, written by humans, and on it's own isn't enough to save you from becoming enslaved in a botnet (nothing like a bit of scaremongering early in the morning)

    0 0
  14. Anonymous Coward
    Anonymous Coward

    Simon Says "Use IE to demonstrate your moral integrity"

    Simon says "you're more likely to get caught out surfing "questionable" sites"

    What's your point? Presumably you're suggesting that IE is deliberately designed to punish people visiting p*rn sites. You're the one sounding like a cretin...

    0 0
  15. Magilla
    Gates Horns

    Re: Why is John (Post 12/10/2007 @ 03:50 GMT) a complete cretin?

    No browser is perfect, for sure - it's just that Internet Explorer is the least secure and least standards-compliant major web browser available. With out a doubt, the BEST ways to stop getting crapware from web pages are to (a) swap to *nix/*BSD/Apple or (b) swap to Firefox or Opera.

    Remember:

    1) Anti-[virus|crapware|malware|adware] makers are ALWAYS behind the ball. You can't make a fix for something until you find it, and you don't find it 'til it's in the wild, infecting computers. Prevention is better than cure.

    2) Anti-[virus|crapware|malware|adware] makers don't always remove ALL traces of any given infection. Over time, Windows gets bogged down with all sorts of traces of crap, and this issue just adds to it. Prevention is better than cure.

    3) No Anti-[virus|crapware|malware|adware] package is comprehensive. Most moderate infections require the use of 3-5 different scanner/removers, and then a final tidy-up by hand to get a machine clean. This can take up to a week to complete. Prevention is better than cure.

    Simon, I honestly don't care if you decide to use IE for the rest of your life, and hang the consequences*. I, however, will continue to use Firefox, and browse [virus|crapware|malware|adware] free, and advertisement-free as well.

    I recommend that everyone else do the same.

    *Consequences that could be severe and unforgiving, given the rate that IE tends to pick up nasties. I hope you don't net-bank. Really.

    0 0
  16. Anonymous Coward
    Anonymous Coward

    IE needs a condom

    "Just because people use IE DOESN'T mean they are at risk from being "enslaved in a botnet". Using various other software such as virus protection, anti-spyware and firewalls combat most of these problems."

    I'm with John on this, it's like saying "sure the brakes on this car fail, but that's what airbags are for!". Or "sure my girlfriend has aids, but I wear a condom".

    IE needs a condom and that condom needs to always work perfectly or your PC dies a gruesome death.

    0 0
  17. Rupert Wilson
    Paris Hilton

    Smiler mugged in surprise attack by his own smugness

    Simon

    So Firefox authors could have predicted IE7 sending 'attack' code at it?

    Actually, yes, that it exactly what they should expect, what we should ALL expect from Microsoft software; we should expect the worst in order to enable us to have suitable defenses in place for our own safety.

    ...so, contrarily, installing and using Firefox is really not such bad advice, even if John seems to have been imbibing with Nostradamus last night.

    Okay, it is jolly good advice - personally I advise all my customers to keep Internet Explorer use to the minimum, and to use Opera or Firefox or Seamonkey first on all occasions, before troubling with the unknown perils of microsofts standards non-compliant browser. This is just the most likely best route to avoiding trouble, esp. if combined with sensible surfing habits.

    Now, how do I get enslaved by a botnet using Firefox... let me see... Did you just say it is impossible?? Really?

    0 0
  18. Mark

    (Too Simple) Simon

    But IE will be invoked when you read an email, and how is a link to a crafted page to be known by your virus checker as a bad webpage?

    When the US Gov introduced a backdoor network hack so that they could catch criminals using windows, Norton (I believe) said they wouldn't check for it's signature. OK, I *think* that was withdrawn, but if the US Gov didn't announce publicly the next keylogger..?

    Since the Help system MUST use (why???) IE, a program that isn't itself a trojan can carry one in the help for that program in a maliciously crafted webpage link.

    When you download a media file, WMP uses IE to go to the webpage linked to in the music file to download a codec if one isn't available.

    So many ways for the OS to use IE what can you do to stop it?

    0 0
  19. Kevin Johnston

    Running IE through choice?

    Apologies to both John and Simon but you are both coming at this wrong. I think a more significant problem than your browser of choice is that some applications force IE to launch for things like online help because they don't understand you should have a choice. IE is inextricably linked to the OS (so microsoft say) and there is no simple way to remove it so you are stuffed when someone such as your ISP decides that not only will they force IE to be your default browser when you run the setup for their hub (I know, only an idiot would use their ISP's hub) but they automatically try to upgrade it for you to the latest version so they can add their whizzy front-end promoting themselves.

    Sorry this runs on and there is probably a whole raft of assumptions causing people to load up for a full broadside of flamers but I'm only a step or so above the 'knows enough to be dangerous' level and so probably am around the median for knowledge of this wonderful world of IT.

    0 0
  20. Anonymous Coward
    Anonymous Coward

    <insert yet another ad for firefox here>

    Strangly I've been running both IE and Firefox for about 10 years and with a bit of due dilligence I've managed to stay malware free for that entire time.

    TBH if your on a dodgy site then you expect dodgy stuff.

    0 0
  21. Anonymous Coward
    Anonymous Coward

    Another Firefox 'fanboi' writes

    Actually, IE /is/ that bad. And I've got to say trying to shame the victims of IE security issues by suggesting they should avoid looking at porn is the most outrageous, childish and offensive smokescreen I can imagine.

    This argument is the suggestion that it is acceptable that your browser effectively trusts thousands of unidentified servers, many of which allow their users to contribute content. It's also got some kind of weird karma / sin element I find pretty repulsive.

    "Oh, your computer got a VIRUS? What HAVE you been up to?"

    Bah. Clown.

    0 0
  22. Anonymous Coward
    Anonymous Coward

    The Status Quo

    "IE 7 must be running on earlier versions of Windows, such as XP or Server 2003. "

    XP and Server 3 are the defacto CURRENT versions for most people.

    Vista is merely a figment of microsoft's imagination that no REAL user trusts -- and as for servers, most of those offering anything newer than s2003 are offering LINUX.

    0 0
  23. Philip Bune
    Gates Horns

    M$ & IE

    With the open source browsers there are numerous people working on bug fixes so they get fixed faster. With IE though it is all insular & any bugs are slow to be fixed. "Firefox, Opera, Safari, Sea Monkey, Netscape" a multitude of alternatives if you are willing to take the time to try them.

    I think the majority are still IE users only due to the fact it comes pre installed with all M$ installed PC's. They managed to kill off Netscape in the 90's by dominating the market with this business method & it has taken a long time for the third party players to break the grip of IE.

    I use Firefox as I prefer how it operates not because of the security.

    0 0
  24. Glenn Gilbert

    IE *is* the main source of problems...

    Interesting to compare the number of infections as a result of running IE and *any* other browser. I think you'll find a correlation between malware infection and IE.

    Given that one rather contemporary infection route is through infected adverts & iframes, one doesn't need to be surfing dubious sites to be caught out - Facebook, MySpace and others have all been "spreading the love" to IE/Windows users recently.

    It's odd, but Opera, Safari, Firefox and Konqueror don't seem to suffer in the same way as IE. Why is that?

    0 0
  25. Anonymous Coward
    Dead Vulture

    Well....

    Well to be entirely fair IE is an obsolete browser, when you compare the sheer amount of effrt and devlopment within the mozilla community as opposed to the redmond monolith... don't forget Opera either which is also an excellent browser. Heck even if the choice was I.E. or Lynx, i would still use Lynx !

    0 0
  26. Anonymous Coward
    Thumb Down

    Why IE?

    Because some organisations allow theirs techies/suppliers to craft sites that will only work with IE :-(

    And while I may hate using IE, ultimately I want to buy/access a particular service and am sometimes forced to crank up IE. I just wish that the companies with such sites would start to sue the web designers - on the grounds of P!$$ing of customers and damaging their business.

    0 0
  27. Cris Page
    Gates Horns

    Broken sites

    Broken site? No sale then! Instead they get an email from a template I have informing them that their broken and badly coded site cost them a sale, and that under no circumstances will i consider using IE for web transactions. There are plenty of other vendors out there who maintain properly coded sites that work in all browsers, they are the ones who get my money.

    If It wont work in Opera (default) or Firefox (back up) I dont go there, its that simple.

    0 0
  28. Colin Morris
    Thumb Down

    Why people are still using IE - Corporate wise...

    The trouble with Firefox is that it cannot be controlled via Group Policy. If it was then Firefox market share would be massively increased as sysadmins in managed corporate environments would be easily able to configure it with Proxy settings and other policies.

    firefox may well be more secure but until the developers get their heads out of their arse and develop a Group policy controlled MSI installer then Firefox (unfortunately) will never get more the 20% of the browser market.

    0 0
  29. Anonymous Coward
    Gates Halo

    why use IE, I'll tell you why we use IE

    I've used IE for years no bot infections here. Why do sites code for IE hmm could be because 90% of the browsers that hit my website are IE it doesn't make business sense for many companies to code a page for another browser if that other browser will generate less income than it would cost to develop the pages for that other browser. So that 10% that use something other than ie when they hit the main page can go piss off. That 10% is widely spread to, Galeon, K-Meleon, Konqueror, Links, lynx, Mozzila, mozilla firefox, netscape, opera and safari. So in actuallity out of 18461 visitors last month using something other than IE that small bit using firefox if i really dug into the stats I bet most switched to IE in order to purchase. Also with many sites also agreeing that IE still controls 70-80% of the market doesn't make business sense to spend money and not get a return on that investment. Business is driven by $$$$ so untill business see a drop in revenue or a larger increase in market share by firefox why develop pages.

    0 0
  30. Chris Cheale

    Grow up, IE isn't as bad as you Firefox fanbois make out...

    yes, yes it is.

    I always thought it was bad idea to tie the OS into the web (i.e. is just Explorer with a different GUI - it's all mshtml.dll). To make matters worse, it's not even the security that jars me off most about IE, go into your Internet Options and kill virtually everything and IE can be secured somewhat, no, what really hacks me off with IE is that it is so frigging out of date. IE7 just added fluff (me-too stuff like tabs) and fixed _some_ off the css rendering errors but it's still years behind Opera on a technology level.

    While Opera continues to innovate with a decent GUI and Widgets (with Firefox right behind "borrowing" all the best features - "mouse gestures" - yoink!)... IE seems to get a new lick of paint occasionally but that's about it, it's still the same old Trabant. Of course, being MS, half the "innovations" they do come up with are there merely to break existing conventions/standards (JScript to ECMA Script, ASP to CGI .. it IS a CGI). I think the last innovative thing MS did with IE was the ActiveX plug-in that eventually became AJaX. Though AJaX has now been standardised (just about) IE still uses an ActiveX plug-in, albeit a different one. You still need to write separate code to parse XML with Java[ECMA]Script; once for IE and once for everything else.

    I just chop and change between Opera and Firefox (Opera is better for browsing, Firefox has better developer plug-ins)... I only use IE as part of testing my code as that's what most people think of as a browser.

    I totally agree with the comment about sueing web developers who code IE-only, they're one step short of con-artists and give those of us who do actually give a damn, a bad name... it's not like (X)HTML or CSS are difficult and that's the only code your browser must work with. JavaScript should never be integral to the functioning of a site and PHP/Perl/ASP/Java ... etc are all server side (you just need to make sure they're outputting decent client-side code)... there's no excuse for getting client-side (outputted) code so badly wrong.

    8 errors on this page btw El Reg, you're not converting your ampersands to HTML entities :P

    0 0
  31. Phill Holland

    web dev.

    Speaking from a web developers point of view, it really is a huge pain in the backside to develop a website that will work on all variations of websites. Often it takes alot of time and resources that most developers working to a deadline will not have.

    My main gripe is that having got something working perfectly well in firefox, I then have to test it in IE7, and more often than not it doesn't work; either some of your javascript syntax no longer functions, or placement of controls isn't where it should be anymore.

    Quite honestly having all these different browsers kicking around is a development nightmare, its just plain easier to pick one and stick with it.

    apparently, this is the reason web standard documentation exists, now if only we could everybody in the browser development world to read it and agree on its meaning, maybe web development could mature into something more professional and exploit free.

    0 0
  32. amanfromMars Silver badge
    Pirate

    OSSpooks Mining for Plunder not Browser Pages with Honey Traps?

    Is it not more a case of Windows which allows infection/snooping/entrapment rather than any browser [in-house or third party] facilitating the sharing/viewing of information?

    Step back and take a look at the Big Picture for you may be missing the wood for the trees.

    0 0
  33. John Bishop
    Joke

    Same old stuff

    IE vs Firefox

    MS office vs Open office

    Windows vs Mac

    Windows vs Linux

    MS are evil/fantastic

    The iPhone is great/rubbish

    What would we be talking about on el reg if these topics were all banned?

    John

    0 0
  34. BitTwister

    @ why use IE, I'll tell you why we use IE

    > Why do sites code for IE hmm could be because 90% of the browsers that hit my website are IE it doesn't make business sense for many companies to code a page for another browser

    Funny that - before IE got stuffed down users' throats the 'W' in 'WWW' meant 'World' - you know, as in 'World Wide Web'.

    The fact that someone, ANYONE, attempts to justify that first 'W' as meaning 'Windows' is reason enough to not use IE.

    And surely coding a website to conform to open standards so that ANY browser can properly render the page would make much better business sense - or do you actually know of projector companies who prefer to use transparencies for their business letters instead of paper like everyone else?

    Ho hum - another day, another instance of Microsoft pushing in their one-sided, proprietary 'standards' through the back door...

    0 0
This topic is closed for new posts.