Forgot your password?
typodupeerror
Internet Explorer Microsoft Security IT

New Attack Fells Internet Explorer 202

Posted by Soulskill
from the tricking-an-old-dog dept.
alphadogg writes "Attack code has been identified that could be used to break into a PC running older versions of Microsoft's Internet Explorer browser. The code was posted Friday to the Bugtraq mailing list by an unidentified hacker. According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."
This discussion has been archived. No new comments can be posted.

New Attack Fells Internet Explorer

Comments Filter:
  • by rpp3po (641313) on Sunday November 22, 2009 @11:38AM (#30193682)
    Yes, old, unpatched browser versions can be exploited. Is this a joke?
    • by UnknowingFool (672806) on Sunday November 22, 2009 @11:53AM (#30193784)

      old != unpatched.

      The article says IE 6 and IE7. It does not say unpatched. For many people these are their current browsers as they have not upgraded to IE 8. For business users, their companies may still insist they use older browsers until they are able to migrate certain software to the new version.

      • Re: (Score:3, Informative)

        by RobertM1968 (951074)

        old != unpatched.

        For business users, their companies may still insist they use older browsers until they are able to migrate certain software to the new version.

        Or upgrade hardware - we have a variety of customers who's machines are too old to run IE7 or IE8 efficiently, and who have no plans (or budget or whatever) to upgrade their hardware until it dies or is very near death.

      • Well, if the IT department knowingly insists on using (insecure and horrible anyway) IE, it knowingly insists on destroying the company. Which is a reason to tell the boss that either he kicks the IT department’s asses for trying to destroy his company, or you quit because there is no reason to work for a dying business.

        Simple as that. :D

    • Re: (Score:3, Insightful)

      It mentioned versions 6 & 7. Considering how long people hold onto their verison of IE, it will be ages until IE7 disappears. Also, MS does have some contracts with companies that means they're stuck on Win 2k for now which means nothing greater than IE6. Granted these companies could use FF but understandably they're paying for support from MS and want to use a browser they will support.

      If MS is going to be taking money for something like this then they should still be supporting IE6 and patching up
      • by DarkOx (621550) on Sunday November 22, 2009 @12:04PM (#30193888) Journal

        Considering how long people hold onto their version of IE, it will be ages until IE7 disappears.

        I really don't think you are right about that. There will always be those home users on dialup that don't run automatic updates ever but they are not very useful in a bot net anyway. Most people will get update to IE8 weather they mean to do it or not. IE 6 lives in the corporate space because it was around long enough for its own software ecosystem to develop in and on it. IE7 was around for like a year before 8 was released as beta and 8 does not break much compatibility with 7 its much less significant than 6 -> 7.

        I doubt there is much code out there target at 7 that does not work on 8. The projects that do would have to have been pretty small and would have been designed and completed in a pretty narrow time window between 7's release and the pretty clear public information on what was coming in 8.

        • by Ralish (775196)

          FYI: Microsoft commits to support the version of IE that ships with "x" Windows release for as long as "x" Windows release is supported. For example, IE 6 was shipped with Windows XP and so will be supported until Windows XP ceases to be. What this means is IE 6 is guaranteed to at the very least receive security fixes and limited bugfixes until sometime in 2014 when Windows XP leaves support. Similarly, IE 7 was shipped with Vista and will be supported until Vista ceases to be; contrary to what others may

          • Vista and will be supported until Vista ceases to be; contrary to what others may say, this is likely to be a very long time, I'd wager a minimum of 1 decade from RTM.
            Your wager would appear to be correct for vista business and enterprise their current plan seems to be a decade and a few months from "general availability" http://support.microsoft.com/lifecycle/?p1=11707 [microsoft.com] . I doubt they will reduce the dates but they may pull what they pulled with XP recently and claim some fixes are impractical to backport.

            G

      • by caluml (551744) <slashdotNO@SPAMspamgoeshere.calum.org> on Sunday November 22, 2009 @12:47PM (#30194262) Homepage
        I work for a very large bank, and IE 6 is the corporate standard. The banking platform is only designed to work with IE6. Some of the internal admin tools don't work with IE8.
  • by David Gerard (12369) <slashdot@davidge ... k ['co.' in gap]> on Sunday November 22, 2009 @11:39AM (#30193688) Homepage

    Microsoft Windows has once again trounced all comers in security, with a recent survey showing 59% of all Windows machines on the Internet being infected with malware and under the control of botnets. Malware rose 15% just from August to September this year.

    Windows users continued to be stupidly complacent Typhoid Marys, telling Mac and Linux users that they were every bit as susceptible to viruses and Trojans, despite the Windows:Mac:Linux virus proportions in the wild continuing at approximately 100%:0%:0% for the fifteenth year in a row, and pumping out gigabytes of spam and denial-of-service attacks from their thoroughly 0wn3d computing cesspits.

    “The truth is out,” said Steve Ballmer, taking care not to wash his hands [today.com] when preparing the food for his Windows 7 House Party. “Mac and Linux users are just too pussy for viruses. Gotta keep your immune system up! What are you, some sort of faggot? Too artsy or nerdy for MANLY food?”

    The time on the digital clock behind him changed at random as he foamed slightly at the mouth. “Windows — we’re NUMBER ONE! And here you were saying Windows was a load of ‘number two.’”

    • This is a huge problem. Many U.S. Government agencies have yet to move off of IE6. Especially the military. Mostly due to IT management contracts that require the gov't to pay for every little upgrade action. For a simple upgrade, one agency gets tagged per profile per month by the company that runs their IT. That same company has a policy of being 2 versions behind current. Meaning, it is actual policy to be running IE6, Office 2003, and XP/Server 2003. The approval process is so overtaken with red tape an

    • Re: (Score:2, Informative)

      by Blakey Rat (99501)

      The problem isn't anything Microsoft doing, it's users who don't upgrade their OS. Did you notice the part where this only affects IE6 and IE7? Upgrade to IE8, and, presto, you're immune!

      • The problem isn't anything Microsoft doing, it's users who don't upgrade their OS.

        That may be a true description of this problem as it currently stands- but it stems from what Microsoft screwed up in the past.
      • The problem isn't anything Microsoft doing, it's users who don't upgrade their OS. Did you notice the part where this only affects IE6 and IE7? Upgrade to IE8, and, presto, you're immune!

        Some users, like office workers, are not in control of the computers they use and cannot switch away from what they were given. Sometimes they were set up with particular versions of software to suit other programs. The "Banner" system some universities use, for instance, requires MSIE7 and a particular old version of Sun

      • by jpmorgan (517966)

        And it's only on XP. Vista and Win7 run IE in a sandbox for extra protection (unless you are a silly person and turned that off).

      • by westyvw (653833)
        What is this fascination with "upgrading"? IE 8 is not much of an "upgrade" at all, its another version that has its share of problems. I really dislike the windows world of versioning, FOSS generally makes a lot more sense to me. If there are security issues with IE, in 6 7 or 8 they should be fixed as incremental versions. If a complete re-write happened, then it should be released as a new version, and its not really an upgrade, but a change.
        • What is this fascination with "upgrading"? IE 8 is not much of an "upgrade" at all, its another version that has its share of problems. I really dislike the windows world of versioning, FOSS generally makes a lot more sense to me. If there are security issues with IE, in 6 7 or 8 they should be fixed as incremental versions. If a complete re-write happened, then it should be released as a new version, and its not really an upgrade, but a change.

          Be grateful it's a Windows numeric version upgrade, young padawan. The ones with clever names are the ones you need watch out for.

      • No. You THINK you’re immune. Because MS censors anyone who openly talks about the bugs. Behind closed doors (Russian cracker forums), IE8 and Windows 7 are as open a barn doors.

        The best hosts for your botnet client are those who are too arrogant to think that they could be the targets. ^^

    • You’re just jealous, that it’s not you who infected those computers. ^^

  • Versions 6 & 7 (Score:2, Informative)

    Specifically versions 6 & 7, says the article.
  • by Anonymous Coward on Sunday November 22, 2009 @11:40AM (#30193704)

    "According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."

    So, are they referring to IE or the attack code?

  • CSS Behvaiors? (Score:2, Informative)

    If I'm interpreting this correctly, it would appear to be a buffer overflow attack against the "style" element. Seeing that IE6-7 are the only current browsers that handle CSS behaviors (basically javascript in CSS) I'm going to make an educated guess and say it stems from the validation (and execution of) Javascript in CSS.
    • by WD (96061)

      Not quite. There's no JavaScript in the CSS, nor is there a buffer overflow.

  • by kjart (941720)

    Affected Products

    Microsoft Internet Explorer 7
    Microsoft Internet Explorer 6

    Solution

    Disable Active Scripting in the Internet and Local intranet security zones.

    VUPEN Security is not aware of any vendor-supplied patch.

    I know most of us would like to pretend IE doesn't exist, but they haven't even heard of IE 8?

    • Re: (Score:3, Informative)

      by tepples (727027)

      VUPEN Security is not aware of any vendor-supplied patch.

      I know most of us would like to pretend IE doesn't exist, but they haven't even heard of IE 8?

      Microsoft doesn't make IE 8 for older versions of Windows such as Windows 2000. It'd be like saying Windows 7 is a "vendor-supplied patch" for Windows Vista.

    • by mpe (36238)
      I know most of us would like to pretend IE doesn't exist, but they haven't even heard of IE 8?

      There are plenty of web apps (especially in the "Enterprise" environment) which depend of quirks of specific browsers. Most commonly IE6. Using a different browser means making major changes. At which point it probably dosn't matter if the change were to be to Firefox, Opera, Safari, etc. Indeed there are versions of Windows which won't run IE8, but will run modern non Microsoft browsers.
      Indeed if things are web
      • by funkatron (912521)
        So what you're saying is that people still run a crap browser because they need it to use badly written software. Surely one of the main reasons for having web based applications in the first place is to get some independence from the clients' platform.
        • by 0123456 (636235) on Sunday November 22, 2009 @02:07PM (#30194948)

          Surely one of the main reasons for having web based applications in the first place is to get some independence from the clients' platform.

          You haven't been in IT long, have you?

        • by mpe (36238)
          Surely one of the main reasons for having web based applications in the first place is to get some independence from the clients' platform.

          Not in the minds of certain web developers. It gets especially ironic where you have Apache running under Linux refusing to talk to anything other than IE running under Windows, by deliberate design.
      • by lamapper (1343009)

        There are plenty of web apps (especially in the "Enterprise" environment) which depend of quirks of specific browsers. Most commonly IE6. Using a different browser means making major changes. At which point it probably dosn't matter if the change were to be to Firefox, Opera, Safari, etc. Indeed there are versions of Windows which won't run IE8, but will run modern non Microsoft browsers.

        Only if some pin headed manager allowed his web developers to continue to code sites with IE specific hacks.

        I learned back in the Netscape days, if you developed in Netscape it just worked in all other browsers, however if you developed in Internet Explorer, you would invariably use some IE specific coding that would break in many if not all non IE browsers.

        Microsoft made a business decision to attempt to corrupt the W3 standards with IE specific crap for vendor lock-in reasons only. Some people stupid

  • by simsodep (1683906) on Sunday November 22, 2009 @11:59AM (#30193840)
    There is another story about JS loading with IE7 & IE8. According to 4 of my testers (and a test I did after using the same environment), it seems that we can't login to our site so dep [sodepabc.com] using Internet Explorer 7 and 8, on Win XP (and maybe Vista, not tested). After validating the form, we are back to login page, without any error, but like we are unauthenticated. On the other hand, Firefox does its great job.
    • by jbacon (1327727)

      It sounds like the root flaw actually lies in your own login implementation. I guarantee that IE is capable of handling sessions. If you have a website that makes you money, you should realize a couple points: First, most of your userbase runs IE. Having the site unusable in said browser is very bad. Second, special casing code for IE is a fact of life in the web development world, and you should just get used to it.

      • Re: (Score:3, Interesting)

        by Zero__Kelvin (151819)

        "It sounds like the root flaw actually lies in your own login implementation."

        "Second, special casing code for IE is a fact of life in the web development world, and you should just get used to it."

        It looks like there is a root flaw in your logic implementation there jbacon. You are right about the special casing needs, but a simple redirection to a page explaining that they are using a non-standards compliant virus sink with links to getfirefox.com and articles backing up the claim would be much more effe

        • ...a simple redirection to a page explaining that they are using a non-standards compliant virus sink with links to getfirefox.com and articles backing up the claim would be much more effective in the long run. In fact, if there weren't so many web designers with root flaws in their logic akin to yours, it would benefit in the short run. About the third or fourth time the user had to choose to use a standards compliant web browser or stop visiting the site(s) they want to visit, they would get the message.
          • "It sounds like a repetitive Ayn Rand novel with all the intellectual web designers going on a new strike every time less buggy browser versions come out.

            That's probably because you mistakenly think that IE not being standards compliant, and Windows in general turning your computer system into a petri disk are the result of bugs rather than an intentional part of the design. One would be foolish to claim that Microsoft doesn't intentionally make their software products non-compliant. If you pay attention

            • As true as that may be, if you refuse to serve pages to people with old browsers they won't "get the message" you imagine.

              Essentially what you suggested would require that everyone in the world who serves HTML pages should join in a concerted effort to dictate terms to those in the larger public who request them. HTML is too cheap to get away with that.
        • It looks like there is a root flaw in your logic implementation there jbacon. You are right about the special casing needs, but a simple redirection to a page explaining that they are using a non-standards compliant virus sink with links to getfirefox.com and articles backing up the claim would be much more effective in the long run

          Because turning away potential customers who don't have a choice inthe browser they use (a huge corporate population is stuck on IE6) is always a sound strategy....

          • "Because turning away potential customers who don't have a choice inthe browser they use (a huge corporate population is stuck on IE6) is always a sound strategy...."

            I was unaware that huge corporations don't have a choice when it comes to web browsers!

            The users that are doing legitimate business will file a ticket against the issue. I have a feeling that when IT gets thousands of tickets a day, all complaining that they were incompetent morons who decided on a non-standards compliant piece of garbage as

            • Re: (Score:3, Insightful)

              by Tim C (15259)

              More likely the users would complain, management would haul the IT chief in to a room to ask what was going on, and he'd explain that the users were wasting lots of time filing frivalous tickets trying to access sites for non-work purposes, and management would issue a statement telling them to stop wasting time and money.

              In the home space, people would simply go "Huh? But then I won't be able to use my other webs!" and go somewhere else - especially if it's a commercial site they were looking to make a pur

              • "he'd explain that the users were wasting lots of time filing frivalous tickets trying to access sites for non-work purposes ..."

                Your assumption is that web browsers are used at work only for non-working purposes. Since that isn't true, if the IT "cheif" told that lie his lie would quickly be exposed, and he would be replaced.

                "Amazon won't serve me? I'll go to B&N, or eBay, or any of a huge number of other companies that will be more than happy to take my business."

                You're really not getting this concep

            • The users that are doing legitimate business will file a ticket against the issue.
              Of course there are a lot of websites that people use at work a lot but not for work related purposes. Slashdot would be an example of such a site.

              Even if the user is doing legitimate business stuff do you think they are more likely to try and fight the bureaucracy and if they win maybe come back and order something from you months later or just move on and get what they need somewhere else?

              The only way such an act could work

              • "Slashdot would be an example of such a site."

                When you make false assumptions, your conclusions will necessarily be mistaken. Many people use Slashdot for work related activities. There is a lot of garbage here, but there is a lot of stuff related to your work if you have a real High Tech job.

                "The only way such an act could work is if a large number of large websites got together and did it at the same time. Something I doubt would happen."

                You obviously haven't read the rest of my posts on this subject; s

                • You obviously haven't read the rest of my posts on this subject; specifically the one where I address this using Amazon and Jeff Bezos as an example.
                  Your original post:
                  It looks like there is a root flaw in your logic implementation there jbacon. You are right about the special casing needs, but a simple redirection to a page explaining that they are using a non-standards compliant virus sink with links to getfirefox.com
                  Read in the context of the post you were replying strongly implies that you were reccomen

        • by pclminion (145572)

          Okay dude. Set down the crack pipe. We're not evangelizing here, we're trying to make money. When's the last time you got scolded while trying to buy something? You probably canceled your purchase and stormed out. Bet you didn't ever go back, did you?

  • What the world needs (Score:5, Interesting)

    by hey! (33014) on Sunday November 22, 2009 @12:04PM (#30193886) Homepage Journal

    is a definitive software engineering treatise on the history of IE security exploits.

    It is certainly true that there is a kind of economic network effect going here. For many years we saw so many web sites that only worked properly with IE because IE was so dominant. The same factor naturally attracts black hats looking for systems to exploit. Once we factor that out, what can we learn from how IE was conceived and maintained?

    Did clumsy code-reuse and maintenance play a significant role? That is did they stretch existing code to do things it hadn't been designed to do because it was close enough to pass the demo test on time? That's a decision we all face; we'd all *like* to rewrite things better when we take a look at them, but in the real world we've got to ship good enough code on a deadline to justify our salary. I think MS might be particularly vulnerable to the "killer demo" imperative. They are a business that is dependent on organizations choosing entire MS product stacks because they *anticipate* something they're going to need in the future will be dependent on something else in that stack.

    Did "business strategy" considerations confuse priorities for system requirements? E.g., The decision to make IE a fundamental part of the OS allowed MS to gain control of (destroy) the browser market while evading anti-trust regulation. Did that result in undesirable coupling of IE to the underlying system? Did the desire to leverage browser market dominance to give other MS products a competitive advantage create confusion in requirements or priorities?

    Were there cultural attitudes that made security and quality secondary? E.g. Did MS value having shiny new features soon before doing a quality implementation? Did their success at achieving effective control of the browser market cause them to under-invest in maintenance because they had no competition worth worrying about?

    These are the kinds of things I'd like to know. It's almost past the point where any individual security flaw in IE is interesting to me, because there have been so many and will be so many more. It's time for a really first rate summing up by somebody who knows what he's talking about.

    • Re: (Score:3, Interesting)

      by DoofusOfDeath (636671)

      is a definitive software engineering treatise on the history of IE security exploits.

      Yup. We definitely need a "Truth and Reconciliation Commission" for what Microsoft has done to us. Whether or not to prosecute them later is a political decision. ;)

      • Yup. We definitely need a "Truth and Reconciliation Commission" for what Microsoft has done to us. Whether or not to prosecute them later is a political decision. ;)

        I was thinking more along the line of the Nuremberg Trials.

  • Which butthurt Google Chrome Frame developer found out about this?
  • Hypocrits! (Score:5, Insightful)

    by Anonymous Coward on Sunday November 22, 2009 @01:09PM (#30194494)

    So, isn't the responsible thing to do to notify Microsoft, and given them adequate time to produce a patch?

    By posting the exploit to a public list, this guy is basically handing the bad guys a weapon. That's criminal. But because it's a Microsoft product, the Slashdot folks just eat that up -- Hey, fuck'em, they're running Wind0ze!!!111

    • by Kingrames (858416)
      Welcome to 2009.
      Whether it is known by the public is irrelevant, it's already in the hands of crackers and terrorists.

      Once the people know about it, THEN it's possible for some good to come of it.
  • but all their code security auditors were working on the Chrome plugin :-p^

  • "According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."

    Does this mean it's on a level playing field with old versions of IE? It does not always work properly, and can install unauthroized software on a victim's computer?

  • So 40% of market is IE6 and IE7, lets move em to IE8...print article on exploit...but this is not new, people know turning off JavaScript fixes it. Doesn't matter, print the article, we need the revenue... How convenient that they "did not know" if the exploit will work on IE8, of course it will, if it works at all, see last line. Come on already, this is so obviously FUD (especially in the FEAR department). And if their PC + OS will not run IE8, even better more revenue when they buy Windows 7 or Vista

Premature optimization is the root of all evil. -- D.E. Knuth

Working...