back to article Unpatched IE bug exploited in targeted attacks

Unknown attackers have been targeting a previously unknown vulnerability in Internet Explorer to take control of machines running the Microsoft browser, security watchers warned on Wednesday. The exploits were hosted on a page of an unidentified website that had been breached without the owner's knowledge, according to …

COMMENTS

This topic is closed for new posts.
  1. Neal 5

    So

    OK, targeted attacks. Any info you care to share, like what is the website that is malicious.?

    Yep, lots of flak for Microsoft again for an unpatched unknown vuln, and yet no real real antipathy for the real culprit, the author of the malware.

    Can I ask, one more time, when will you see the situation for what it really is.?

    I think you will find that any version of IE or any version of any Microsoft product actually does do what it was designed to do. The problem lies elsewhere than in Microsofts hands alone.

    Please focus your attention on the real problem. 1000 anti Microsoft words do not dilute the problem, they just show a lack of comprehension on your part. Even if you say that you are just representing the facts, I question your bias, the reality here is a malicious attack by perpetrators as yet unknown, not Microsofts failure to address the problem. If there is a problem, it is your failure to represent fairly, the nature of the attack. Many people would like to know what,where,when and how the attack takes place, not just that Microsoft haven't yet fixed a problem beyond their control in the fact of deployment and method of attack.

    I am sure Microsoft will rectify the code that allows the malicious attack by the perpetrators once all the analysis has been done, but it isn't anything that can be planned for in that much of a specific manner. Unlike your bias which is premeditated and constantly on show.

    So just to balance out your bias, here for those actually interested in security, are the latest for Linux, and that's just so far this week, by my calendar, in my part of the world, there is three more days to go. And Mozilla haven't exactly worked overtime to fix their bugs either, so switching browser isn't a going option really either.

    http://www.linuxsecurity.com/

    1. Notas Badoff
      Grenade

      Elsewhere, over the rainbow...

      "The problem lies elsewhere than in Microsofts hands alone."

      Um, yes, we could shut down the Internet for a month. Or nuke a couple continents, is that why you wanted to know which website was serving malware?

      "Can I ask, one more time, when will you see the situation for what it really is.?"

      There is the phrase "face-palm". Is there a phrase "face-mirror"?

      The bug is in Microsoft code. The fix will be in Microsoft code. Nothing practical that anyone else does will change that. (well, except avoiding Microsoft code).

      Are you somehow suggesting that everything else bad/wicked/malevolent/stupid out there in the world *must* be fixed, first, as that is the *real* problem, rather than blaming Microsoft for yet another bug that should have been caught by their much vaunted internal code reviews that they reassured the world would make them "much better now"?

      Sancho, did the Don get away from you again? Can you keep him away from the keyboard at least?

    2. Anonymous Coward
      Anonymous Coward

      @Neal 5

      Were you reading a different article? I thought the point was that the attack only affected those who were not running IE8 (or other up to date browser). Take a chill pill and relax.

      My current and previous employers both continue to use a standard desktop build at least a year behind current MS patch levels and which includes IE6 and similarly outdated Acrobat, Java, etc. I am surprised there are not a lot more such attacks - but perhaps there are a lot more attacks but the victims are keeping quiet or don't even know.

  2. Anonymous Coward
    Anonymous Coward

    Maybe Microsoft...

    Maybe, yes, Microsoft are not the only ones to blame here for the fault; while there is the small matter of those who find such faults and abuse them, it is quite important to note that this is a vulnerability being exploited right now and no fix is apparently forthcoming for 6 weeks.

    Yes, other platforms have issues, other platforms do get them but rarely are they going to just sit and wait for 6 weeks to release a patch when they are actively being abused.

  3. Remy Redert

    @Neal

    You want a secure browser? Opera and Firefox with Noscript are both very high up on the secure list, with Chrome and no doubt half a dozen lesser known browsers right behind it.

    As for doing what it was designed to do? You're implying that IE6 and IE7 would be able to effectively browse the web, if everyone had used HTML and CSS as the standards laid them out, instead of specifically coding for IE6 and IE7 and letting the rest of the world either use a seperate website (With properly coded HTML) or just screwing them over and leaving them with partially (Or entirely) non-functional websites?

    IE8 was a huge leap in the right direction, IE9 looks like it might actually adhere to the standards, but while IE8 is hugely more secure than any previous version of IE, it still does not hold a candle to Opera and Firefox. Perhaps IE9 will finally put Microsoft somewhat on par with the rest of the browser world.

  4. petur
    Boffin

    CSS

    Funny that the vulnerability is in the CSS code. Seems that not quite following the standards isn't the only problem of this code :)

  5. Boris the Cockroach Silver badge
    Unhappy

    If only

    the damned browser was'nt tied into the OS so closely, the attack sequence would go like this

    <website> download dodgy code

    <browser> hey lets execute code and change core system files to run the malware

    <OS> like f**k you will, block and crash browser

    Instead of the m$ way of

    <website> download dodgy code

    <browser> hey lets execute code and change core system files to run the malware

    <OS> sure go ahead. opps you seem to have hosed all my dll files, and sent every password/cookie off to a Russian server Oh dear I've crashed

    Boris

    <<still sulking after a poxy VBscript that loaded a worm trashed his WinXp box

  6. Tzael
    Grenade

    Attributable quote

    "data execution prevention – which is turned on by default – causes the browser to crash rather than to remotely execute the malicious code, Microsoft said"

    ...

    Putting words into Microsoft's mouth eh?

    "the cpu itself, the hardware will 'access violate and then terminate the process" is actually how Microsoft describe DEP according to the information available from the 3 links posted at the bottom of the article. Nowhere in the information available from Microsoft do they call it a crash... It's a forced access violation declared by the CPU when an attempt to execute code from non-executable memory occurs. As any programmer will tell you, an access violation need not result in a crash if handled gracefully - and that's one of the advantages of DEP.

    1. Adrian Midgley 1
      Thumb Down

      "an access violation need not result in a crash if handled gracefully "

      Just for the record then ... how does IE8 handle it?

      back off and try again with a message, or program terminate unexpectedly. (Unexpectedly to the user, who will say "it crashed. Again.")

  7. Anonymous Coward
    Anonymous Coward

    Title?

    I'm not sure how "emails that lured .....people in targeted organizations to the booby-trapped page" can be described as "The exploit required no interaction on the part of victims". Surely opening an unsolicted email from an unknown sender with suspious content and clicking on a link is 'user intervention' - Of course MS and those nasty cyber criminal types are to blame - but if users stopped clicking random links in emails this wouldn't be a problem.

    And while I'm at it I'm getting so tired of reading "The report is the latest reminder of the benefits of moving ....to a different browser altogether.". Like, of course, Firefox doesn't have vunerabilities (except, of course, the vulnerabilities in Firfeox 3.5 and 3.6 announced last week etc. etc.). If you prefer Firefox, Chrome, Safari, for its functions or speed - great - but don't fool yourself into believing changing browser will improve security - if you want security DON'T CLICK RANDOM LINKS IN EMAILS - got it! :-)

  8. Anonymous Coward
    Jobs Horns

    Narf! So MS Drones, how are we going to get people to move from IE6 and IE7 so

    we can take over the world tonight?

    Well Pinky, we've got this list of vulnerabilities for our code that we haven't figured out how to fix yet, and Guido just downloaded some new exploit code from a hacker site. We think if we tweek the code a bit, we can get it to compromise only IE6 and IE7 but not IE8. Then when the news media reports IE8 isn't vulnerable, we can get more people to move to IE8.

This topic is closed for new posts.

Other stories you might like