New Attack Fells Internet Explorer
Posted by Soulskill
from the tricking-an-old-dog dept.
alphadogg writes "Attack code has been identified that could be used to break into a PC running older versions of Microsoft's Internet Explorer browser. The code was posted Friday to the Bugtraq mailing list by an unidentified hacker. According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."
Virus warning (Score:0, Interesting)
Not aware of a patch? (Score:2, Interesting)
I know most of us would like to pretend IE doesn't exist, but they haven't even heard of IE 8?
What the world needs (Score:5, Interesting)
is a definitive software engineering treatise on the history of IE security exploits.
It is certainly true that there is a kind of economic network effect going here. For many years we saw so many web sites that only worked properly with IE because IE was so dominant. The same factor naturally attracts black hats looking for systems to exploit. Once we factor that out, what can we learn from how IE was conceived and maintained?
Did clumsy code-reuse and maintenance play a significant role? That is, did they stretch existing code to do things it hadn't been designed to do because it was close enough to pass the demo test on time? That's a decision we all face; we'd all *like* to rewrite things better when we take a look at them, but in the real world we've got to ship good-enough code on a deadline to justify our salary. I think MS might be particularly vulnerable to the "killer demo" imperative. They are a business that is dependent on organizations choosing entire MS product stacks because they *anticipate* something they're going to need in the future will be dependent on something else in that stack.
Did "business strategy" considerations confuse priorities for system requirements? E.g., the decision to make IE a fundamental part of the OS allowed MS to gain control of (destroy) the browser market while evading anti-trust regulation. Did that result in undesirable coupling of IE to the underlying system? Did the desire to leverage browser market dominance to give other MS products a competitive advantage create confusion in requirements or priorities?
Were there cultural attitudes that made security and quality secondary? E.g., did MS value having shiny new features soon over doing a quality implementation? Did their success at achieving effective control of the browser market cause them to under-invest in maintenance because they had no competition worth worrying about?
These are the kinds of things I'd like to know. It's almost past the point where any individual security flaw in IE is interesting to me, because there have been so many and will be so many more. It's time for a really first rate summing up by somebody who knows what he's talking about.
Re:Not aware of a patch? (Score:1, Interesting)
IE 8 is not a patch since it requires reading a new EULA. I'll stick with the version that does less spying thank you.
Re:What the world needs (Score:3, Interesting)
Yup. We definitely need a "Truth and Reconciliation Commission" for what Microsoft has done to us. Whether or not to prosecute them later is a political decision. ;)
Re:A great reason to choose Firefox (Score:3, Interesting)
It looks like there is a root flaw in your logic implementation there jbacon. You are right about the special casing needs, but a simple redirection to a page explaining that they are using a non-standards compliant virus sink with links to getfirefox.com and articles backing up the claim would be much more effective in the long run. In fact, if there weren't so many web designers with root flaws in their logic akin to yours, it would benefit in the short run. About the third or fourth time the user had to choose to use a standards compliant web browser or stop visiting the site(s) they want to visit, they would get the message.
Re:Is that supposed to be news?? (Score:5, Interesting)
Using SAP by any chance?
In my former company, they use SAP and it's absolutely an IE-only application for its web interface. It doesn't work *at all* with Firefox. At least that was the case when I was working there (we were using SAP ECC6).
Re:Is that supposed to be news?? (Score:1, Interesting)
Re:Is that supposed to be news?? (Score:4, Interesting)
Drat, improving technology keeps programmers employed.
Double drat: your reluctance to update, combined with a propensity to complain, keeps additional people employed just to make sure things continue to look pretty on your screen.
MSIE version 8 is not known, according to TFA. (Score:3, Interesting)
Some users, like office workers, are not in control of the computers they use and cannot switch away from what they were given. Sometimes they were set up with particular versions of software to suit other programs. The "Banner" system some universities use, for instance, requires MSIE7 and a particular old version of Sun's Java runtime. Certain sections of Banner don't work properly with non-MSIE browsers like Firefox. I understand this is an extremely costly system and switching away is considerably complicated. I'm not endorsing these choices or claiming any of these choices is wise, but it is there.
The article also says the status of MSIE8 is not mentioned by the researchers [networkworld.com]: "Neither company [Symantec and Vupen] was able to confirm that the attack worked on Microsoft's latest browser, IE 8." What part of what article were you referring to?
Re:Oh good Lord *facepalm* (Score:1, Interesting)
Not all of us can afford the cost of updating our OS...
Of the 2 systems I own, one is a laptop with a nonfunctional screen (which is still semi-useful for some things via ssh) and the other is a desktop with a CRT. Neither has over 768MB of RAM.
This isn't going to change anytime soon.
I just don't have the money to update my hardware, as I'd need to do to run Vista or Win 7 (much less the price of the OS), but I can run fully updated Linux systems no problem.
I realize this article is about IE, but you mentioned the OS and XP is no longer really supported.
Re:Is that supposed to be news?? (Score:1, Interesting)
No, software in a vacuum doesn't wear out, but security never stays still. OBAuto example:
In the 1950s, cars used wafer tumbler locks. Mechanically, they were fine, but when people found ways to defeat those, they went to Briggs and Stratton sidebar locks [1], then to either "laser-cut" or sidewinder tumblers, finally to physical and RFID security. The lock itself could last for years or decades, but because car thieves have advanced, they were replaced in subsequent model years with other designs that had harder-to-duplicate keys and higher pick resistance.
It is just the same with computer software. Security software can never be static. Even fairly static utilities like pwgen get upgrades with better RNGs as time goes on. Over time, other basic utilities like login have moved the passwd file into two files (/etc/passwd and /etc/shadow), and password hashing algorithms have changed from crypt(3) to MD5 to SHA, and then to using a hash (SHA) with a number of rounds to slow down brute-force guessing.
[1]: GM cars used these for a long time, because they were simple, pick resistant, and could weather all kinds of conditions. However, Briggs & Stratton sold that division to Assa-Abloy or Medeco, staying with their tried and true engines.
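The shadow-file progression the comment above describes (crypt(3) DES, then MD5, then SHA with a rounds parameter) can be checked mechanically. The following is an added example, not code from the post or from any distribution: it parses the modular-crypt hash prefix of each /etc/shadow entry and lists accounts still on DES, MD5, or a SHA variant with fewer rounds than a chosen minimum. The sample shadow lines and their hash bodies are constructed placeholders.

```python
import re

# glibc crypt(3) modular-crypt identifiers and their default iteration counts:
# md5crypt is fixed at 1000 and ignores rounds=; sha256/sha512crypt default to 5000.
ALGORITHMS = {
    "1": ("md5crypt", 1000),
    "5": ("sha256crypt", 5000),
    "6": ("sha512crypt", 5000),
}

# Constructed sample in /etc/shadow layout (user:hash:lastchg:min:max:warn:inactive:expire:).
# Hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$rounds=100000$saltsalt$HASHPLACEHOLDER:18000:0:99999:7:::
alice:$5$abcdefgh$HASHPLACEHOLDER:18000:0:99999:7:::
bob:$1$qwertyui$HASHPLACEHOLDER:18000:0:99999:7:::
carol:AbCdEfGhIjKlM:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""

def classify_hash(field):
    """Return (algorithm, rounds) for one shadow password field, or None if the account is locked/empty."""
    if field in ("", "*", "!", "!!"):
        return None
    m = re.match(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?", field)
    if not m:
        # No "$id$" prefix: assume legacy 13-character DES crypt(3), which runs 25 DES iterations.
        return ("descrypt", 25)
    if m.group(1) not in ALGORITHMS:
        return ("unknown:" + m.group(1), 0)
    name, default_rounds = ALGORITHMS[m.group(1)]
    rounds = int(m.group(2)) if m.group(2) and name != "md5crypt" else default_rounds
    return (name, rounds)

def audit_shadow(text, min_rounds=5000):
    """List (user, algorithm, rounds) for accounts on DES, MD5, an unrecognised scheme, or too few rounds."""
    weak = []
    for line in text.splitlines():
        user, field = line.split(":")[:2]
        info = classify_hash(field)
        if info is None:
            continue
        algorithm, rounds = info
        if algorithm in ("descrypt", "md5crypt") or algorithm.startswith("unknown") or rounds < min_rounds:
            weak.append((user, algorithm, rounds))
    return weak

for user, algorithm, rounds in audit_shadow(SAMPLE_SHADOW):
    print(f"{user}: {algorithm} ({rounds} rounds) should be rehashed at next login")
```

Raise min_rounds to match current hardware; the accounts it flags are the ones whose hashes need a forced password change or a PAM rehash on next login.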
Re:Is that supposed to be news?? (Score:3, Interesting)
Re:Is that supposed to be news?? (Score:3, Interesting)
Software doesn't wear out.
Yes it does.
When the world around a piece of running software changes, that piece of software in the middle often doesn't work like it used to. Yes, it's contextual, but it's also mostly true. It's often (humourously) referred to as the "principle of bit decay".
Basically, if it works, it's obsolete.
Re:Is that supposed to be news?? (Score:3, Interesting)
What is the improving technology?