Exploit?
Internet exploder has an exploit?
Windows has an exploit?
I'M SHOCKED!
It could be a joke, but we all know it isn't (*SIGH*)!
Internet Explorer users have been told to ditch the application and switch to another browser, pronto. The warning comes from Rapid7, which describes a hole that’s exploitable by visiting a malicious Website (and, of course, in the world of Twitter and shortened URLs, it’s so much easier to get users to visit such sites). …
...I point-blank refuse to have admin privileges on my XP login at work, even if it would make both my and IT-support's lives easier.
I also used to use IE8 out of dogged determination to follow the local IT rules on the principle that if the tools I was required to use reduced my efficiency that was my employer's problem. But eventually I just had no choice but to move on to FireFox or get no work done at all!
"I point-blank refuse to have admin privileges on my XP login at work, even if it would make both my and IT-support's lives easier."
As a former IT support analyst your statement intrigues me.
In what way would you having admin privileges on your account make life easier for anyone except yourself? There really is no reason to have such privileges unless one IS an administrator, quite the opposite in fact, as anyone with the ability to stuff unauthorised, untested applications and generally interfere with the PC is the stuff of the IT department's nightmares. Believe me, as the saying goes "A little knowledge is a dangerous thing."
No, unless you have some absolutely desperate need for hands-on control of your PC leave that pleasure to the poor souls who are paid to do the job. Even then get the support of the IT department when contemplating any changes to your set-up whatsoever.
Think of it as an insurance policy. If you mess up the machine someone somewhere is going to have to pay for it to be put right. If the IT department messes up, it's up to them to fix it under the SLA at no cost to you.
I used to work in the IT department at my university (shudder). Now I am out in the faculties, some of the IT people would love nothing more than for me to fix my own problems and install my own software so they don't have to (to be fair, they are genuinely understaffed). I would like nothing less - I never wanted to mess around with computers at that level, it is something I will do (quite well according to my manager there) for money, but not for 'fun'! Certainly not for free. Definitely not Wlndows!!!
I know all about the dodgy stuff that academics think they are qualified to install, having pulled enough data-recovery miracles after-the-fact in my time, and given enough "well, that's why we don't want people doing that" talks ten times as often (we are talking data worth potentially hundreds of thousands of dollars and several years' work - no, a USB drive from the local office shop isn't going to be as reliable as the expensive tripple-off-site system you balked at paying for space on, there is a place in Melbourne that can scan the dis-assembled platters in a clean room if the data is worth enough...).
Probably my experience with such things is why they would trust me (and the fact that I actually keep my data on the right storage volumes where they are protected from local machine failures, etc. etc.). I am probably one of the last people in the university to submit the required use-case to get firefox finally installed (not a program I am particularly keen on either, but at least it renders the pages I need).
Well you can run most programs without admin rights, but then its the realm of having to give users write access to the program folders which if a user knows about can be abused. It just takes some time as generally the developers of the program after saying, "Why do you write temp files to the root of C, why not use a temporary folder like everyone else" will request lots of money for their software no-one in the IS/IT department likes.
I regard such software (exemptions granted of course for software explicitly intended to run administrative tasks) as extremely badly behaved and will refuse to use them.
Moreover, the reason for such behavior is often outright stupid, such as the software wanting to write to some file (usually in the install dir) to which only users in the admin group have write privilege. If the author of the software can't even get this sort of things right, the software isn't worth the diskspace it occupies.
"I regard such software (exemptions granted of course for software explicitly intended to run administrative tasks) as extremely badly behaved and will refuse to use them."
I got the impression that's most bought in specialist apps in the NHS.
Good thing you don't work for them is it not?
Can be as simple as, "the damn software is run by four people, has monthly updates which require 30 minutes on each system to install, and since they change the install parameters every month, can't be easily automated, so it's easier to just give them admin privileges to install the updates."
Or, as was the case after we just finished creating our first "standards compliant secure Windows 2000 environment," you discover that MS's new release of the programming tool every programmer in the office needs REQUIRES administrative privileges for the software to run.
IE being "part of the OS" is one of those confused ideas that gets blamed for much that doesn't make sense. It's only "part of the OS" in the sense that it is packaged as a shared library that other applications and services can use. Beyond that it's just a user-mode application like anything else.
As for bypassing ASLR, I'm not convinced that's too big a deal - it's never been a particularly strong way of protecting an OS anyway. It'd be rather more useful to know whether the exploit can break out of Protected Mode IE (whereby IE normally runs with less permission than a standard user as long as UAC is enabled) as neither the Rapid7 post or MSFT's advisory is entirely clear on that one.
El Andy,
Not trying to be disagreeable, but the rumor/FUD/whatever-you-want-to-call-it that IE exists at a lower security context than a normal application is an old, well established one... so is there any way to verify (source?) that "it's just a user-mode application like anything else" and does not make use of what would normally be restricted calls and methods?
Regards.
Rapid7 might look a bit more knowledgeable in all this if they actually managed to make their own website correctly detect browsers, instead of putting up an "Attention IE6 user, you need to upgrade your browser" when visited in IE10. What exactly is the point of an advisory that the very users you're supposedly warning can't read because you don't know how to write HTML properly??
'Because a browser has a security bug we should stop using it? '
...'Software gets exploited, the important thing is that the bugs get addressed not that they exist.'
Yes and no. You don't scrap your car and buy a new one if it breaks down once, but if it breaks down every week and every other car by the same manufacturer breaks down every week, then maybe it's time to buy one from someone else don't you think?
Because the vulnerability affects functionality that was not implemented in the older browsers?
IE10 isn't just IE6 with some of the broken bits fixed. It's a whole new turd sandwich - the bread maybe the soggy, mouldy exterior that we are familiar with, but you can notice the smell isn't quite as bad and the brown colouring of the filling is more pleasant on the eye.
...that i.e. is less susceptible to a certain attack than many of the other browsers...
Ooo look here it is.
http://www.theregister.co.uk/2012/08/21/tesco_ico/
(following link to)
http://www.troyhunt.com/2012/08/why-xss-is-serious-business-and-why.html
Quote:
"Just on the browser compatibly for that XSS: IE9 and IE10 are actually pretty good and will warn you about it without exexuting it. All other browsers tested – Chrome, Firefox and Safari (desktop and iOS) – will happily parse it and allow the exploit to occur."
So lets face it, use one browser your screwed one way and use another and your screwed another way.
...that has bugs, now not IE (taking a pop at the favourite browser again) because that has a bug which can infect your machine when you browse to dodgy, badly maintained sites.
What about all the other software with bugs in it?
I'm not saying IE is better than the others, I'm used to it and am well aware that other browsers can be better and can be worse. Security of software it a process, not a state. My money is on Microsoft at the moment when it comes to process and support and the feed through to consumer and the enterprise.
Recently I had cause to contact the DWP and had difficulty with their on-line form. The contact centre refered me to this link.
http://www.direct.gov.uk/en/Pensionsandretirementplanning/StatePension/DG_183111
Unfortunately it turned out that my PC isn't old enough to discuss pensions.
Operating systems and browsers
The service is not currently available using Macs or other Unix based systems even though you may be able to input information.
Our service currently works with the following operating systems and browsers:
Microsoft Windows 98:
Internet Explorer versions 5.0.1, 5.5 and 6.0
Netscape 7.2
Microsoft Windows ME
Internet Explorer version 5.5 and 6.0
Netscape 7.2
Microsoft Windows 2000
Internet Explorer version 5.0.1, 5.5 and 6.0
Netscape 7.2
Firefox 1.0.3
Mozilla 1.7.7
Microsoft Windows XP
Internet Explorer 6.0
Netscape 7.2
Firefox1.0.3
Mozilla 1.7.7
Its really hard to seriously address this.
First issue is that at some point, as others have said, every browser has a "oooooooo nooooooooooos exploit" moment. Thats life, thats software, the bastards are always out to get you.
Second issue is that for things other than random website browsing, browser brand and version become a massive headache. I've got MSIE, Firefox and Chrome on my work PC just to be able to make the websites and applications I need to use work correctly.
Combine those two things together and all you can hope for are fixes for issues as they come along and to be honest, all of the three I use do do that.... maybe not in time for some nasty 0day, but nobody protects you against 0day.
It's fast, doesn't crash, conforms to standards, consumes little memory and is highly secure.
Everyone loves the Trident rendering engine, and the tight integration with Microsoft's 'ecosystem'!
This site (http://browseryoulovedtohate.com/) states it so, therefore it must be true!