New Attack Fells Internet Explorer
Posted by Soulskill
from the tricking-an-old-dog dept.
alphadogg writes "Attack code has been identified that could be used to break into a PC running older versions of Microsoft's Internet Explorer browser. The code was posted Friday to the Bugtraq mailing list by an unidentified hacker. According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."
Versions 6 & 7 (Score:2, Informative)
CSS Behaviors? (Score:2, Informative)
A great reason to choose Firefox (Score:4, Informative)
Re:Not aware of a patch? (Score:3, Informative)
VUPEN Security is not aware of any vendor-supplied patch.
I know most of us would like to pretend IE doesn't exist, but they haven't even heard of IE 8?
Microsoft doesn't make IE 8 for older versions of Windows such as Windows 2000. It'd be like saying Windows 7 is a "vendor-supplied patch" for Windows Vista.
Re:Virus warning (Score:2, Informative)
Re:Oh good Lord *facepalm* (Score:2, Informative)
The problem isn't anything Microsoft is doing, it's users who don't upgrade their OS. Did you notice the part where this only affects IE6 and IE7? Upgrade to IE8, and, presto, you're immune!
Re:Is that supposed to be news?? (Score:1, Informative)
The US Air Force only released IE7 to its non-classified desktops earlier this year. Widespread Vista deployment has been pushed from early 2008 to mid-2010 (and that's just the current "best-case" estimate, I expect more delays). IE is necessary for logging into many, many DoD websites using the Common Access Card [wikipedia.org].
Re:Is that supposed to be news?? (Score:2, Informative)
I said a *few* years..... as in more than one. Not 90.
Re:Is that supposed to be news?? (Score:3, Informative)
Whoever they are, they have bigger IT problems than this exploit will ever generate.
A lot of people - you'd be surprised. Earlier this year I worked for a place where at least a third of their customers (from academic departments, mostly) were still using IE6 and various IE5 versions.
Re:Is that supposed to be news?? (Score:3, Informative)
old != unpatched.
For business users, their companies may still insist they use older browsers until they are able to migrate certain software to the new version.
Or upgrade hardware - we have a variety of customers whose machines are too old to run IE7 or IE8 efficiently, and who have no plans (or budget or whatever) to upgrade their hardware until it dies or is very near death.
Re:Oh good Lord *facepalm* (Score:1, Informative)
http://theappleblog.com/2009/04/24/mac-botnet-how-to-ensure-you-are-not-part-of-the-problem/ [theappleblog.com]
http://blog.trendmicro.com/more-mac-malware-in-the-wild/ [trendmicro.com]
http://lwn.net/Articles/222153/ [lwn.net] - Linux botnets
http://blogs.computerworld.com/14723/no_more_linux_security_bragging_botnet_discovery_worry [computerworld.com]
This is just a small sample. Let's all take security seriously, and leave religion to the gods. (and to head off the claim that it doesn't count if the user has to install something, like a pirated malware-infected Photoshop for OSX, that is the most common Win vector these days as well. Malware is the problem, not viruses.)
Re:Virus warning (Score:3, Informative)
Yes, it detects the code on display, not an actual exploit.
It is crappy AV software.
Re:Is that supposed to be news?? (Score:3, Informative)
Allow me to translate from trollspeak. "no way of doing that" means "no way of doing that, that I could find by clicking around for a minute on the GUI." In this case, I don't even think they did that, because there are options to change how often it prompts for updates, and for applying security updates automatically without prompting.
I really like Ubuntu's choice of default behavior here. Prompting the user to apply updates means no "I lost data because it upgraded while I was in the middle of working on it" kinds of complaints. My wife can wait to apply updates until after an important task she is working on. I can see what packages are being updated before applying them so I know where to be on the lookout for potential problems.
Maybe it makes me an elitist, but I also like that you have to know what you're doing in order to change that default behavior too much. Most of the complaints about foolproof features in software come from people who don't think they are the fools.