
Microsoft Says Upgrade To IE8, Even Though It's Vulnerable

Posted by CmdrTaco
from the oh-we'll-fix-it-eventually dept.
Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."
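The advisory text quoted above describes a use-after-free: a pointer to an object that has already been deleted is dereferenced. The C program below is an added illustration, not Microsoft's or Internet Explorer's code; it uses an invented node/handler structure (all names are assumptions) to show how a raw alias can outlive the object it points at, and how giving the second holder its own reference, via a reference count, removes the dangling pointer instead of relying on DEP or a sandbox to contain the damage.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not IE code): a document-tree node that a parent
 * container owns and that an event handler may also hold a pointer to. */
typedef struct node {
    int refcount;      /* how many holders still reference this node */
    char name[16];
} node_t;

static int g_live_nodes = 0;   /* nodes currently allocated (for checking) */

int live_nodes(void) { return g_live_nodes; }

node_t *node_create(const char *name) {
    node_t *n = calloc(1, sizeof *n);
    if (n == NULL) return NULL;
    n->refcount = 1;                          /* the creator holds one reference */
    strncpy(n->name, name, sizeof n->name - 1);
    g_live_nodes++;
    return n;
}

node_t *node_retain(node_t *n) {
    n->refcount++;
    return n;
}

/* Drop one reference. The node is freed only when the last holder lets go.
 * Returns 1 if memory was actually released, 0 if other holders remain. */
int node_release(node_t *n) {
    if (--n->refcount > 0) return 0;
    g_live_nodes--;
    free(n);
    return 1;
}

/* An event handler that points at a node. */
typedef struct { node_t *target; } handler_t;

/* Unsafe pattern: the handler keeps a raw alias without taking a reference.
 * When the tree deletes the node, the memory is released while the handler
 * still points at it; any later dereference is a use-after-free (undefined
 * behaviour), so this function deliberately stops short of touching it.
 * Returns 1 if the object was freed while the handler still aliased it. */
int unsafe_scenario(void) {
    node_t *n = node_create("button");
    handler_t h = { n };                              /* raw alias, no ownership */
    int freed_while_handler_alive = node_release(n);  /* 1: memory gone, alias remains */
    h.target = NULL;                                  /* discard the stale alias */
    return freed_while_handler_alive;
}

/* Hardened pattern: the handler takes its own reference, so the tree's
 * delete only drops the tree's reference and the object stays alive until
 * the handler releases it too. Returns 1 if every step behaved as expected. */
int safe_scenario(void) {
    node_t *n = node_create("button");
    handler_t h = { node_retain(n) };                   /* refcount is now 2 */
    int freed_on_tree_delete = node_release(n);         /* 0: handler still holds it */
    int usable = strcmp(h.target->name, "button") == 0; /* safe: object is live */
    int freed_on_handler_release = node_release(h.target); /* 1: last holder */
    h.target = NULL;
    return !freed_on_tree_delete && usable && freed_on_handler_release
           && g_live_nodes == 0;
}

int main(void) {
    printf("unsafe pattern frees the object under a live alias: %d\n", unsafe_scenario());
    printf("reference-counted pattern keeps it valid until last release: %d\n", safe_scenario());
    return 0;
}
```

The point of the contrast is that DEP, ASLR and protected mode (discussed at length in the comments below) only limit what an attacker can do once the dangling pointer is dereferenced; the reference-counted ownership in `safe_scenario` removes the dangling pointer itself.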


  • by vistapwns (1103935) on Monday January 18, 2010 @10:37AM (#30807726)
    Because DEP is enabled by default in IE8, unlike IE6 and IE7. The exploit cannot work against IE8. Also, IE in modern versions of Windows is sandboxed, unlike Firefox. Sorry to rain on the parade...
    • Re: (Score:3, Interesting)

      by FlyingBishop (1293238)

      But even at Google they apparently have some stuff that requires them to disable it. You can bet a lot of the shops that can't ditch IE will have to disable DEP for backwards compatibility with the crappy apps that are the only reason they don't switch to something better anyway.

      • Re: (Score:3, Informative)

        by vistapwns (1103935)
        And how are other browsers better in that case? If they have to disable DEP on Firefox, it's even worse than IE because it's not sandboxed. Anyway, the articles I've been reading say Google was exploited through IE6 that they have on XP systems.
        • Re: (Score:3, Interesting)

          And how are other browsers better in that case?
          This whole problem is based on the fact that MS is not willing/able to fix this issue for quite a long time (days?). Other browsers are different in that they fix security issues ASAP.
          • Re: (Score:3, Insightful)

            by vistapwns (1103935)
            IE is used by corporations, and corporations do not want patches for patches for hotfixes and all that jazz, they expect the patch to be tested and corporations are the ones who wanted a monthly release for patches so the IT staff are not patching and testing patches all month long.
            • by should_be_linear (779431) on Monday January 18, 2010 @11:09AM (#30808080)
              OK, so Microsoft is opting for backwards compatibility, other browsers for security. And your original question was: And how are other browsers better in that case?
              • OK, so Microsoft is opting for backwards compatibility, other browsers for security. And your original question was: And how are other browsers better in that case?

                One could argue that, in the corporate IT world, Microsoft's known patch schedule is more desirable than random updates from Mozilla appearing whenever they're finished.

              • by Ralish (775196) on Monday January 18, 2010 @12:24PM (#30808890)

                They are aiming for both backwards compatibility and security, but above all, they are aiming to put out a fix that isn't broke. I'm honestly not trying to be the Microsoft apologist here, but putting out a patch for IE is a lot more complex than you might first think, even compared to other browsers. Here's why:

                Using Firefox as an example, when Mozilla finds a security flaw in Firefox, they simply release a new point release of all supported versions of Firefox (currently 3.0 and 3.5) that contains the fix, as well as all previous fixes, and usually several other security/stability fixes bundled into that particular point release. So, this means a release across two product versions, which can be expanded to releasing on the architectures supported for those particular versions as well as supported platforms. The source code change probably isn't architecture or platform specific (wrong?) so can thus be inserted into the correct maintenance trees in the source repository and the binaries/sources made available.

                Using Microsoft as an example, when Microsoft finds a security flaw in Internet Explorer, they need to patch every supported version of IE on every supported version of Windows down to specific IE patch level possibly also impacted by Windows patch level. For a security flaw like this that affects IE6 through IE8, that means patches for every version of Windows from 2000 to 7, for every architecture (x86, x86_64, ia64), for numerous patch levels. For example, in many versions of Windows two separate patch levels of IE might be simultaneously supported (e.g. IE6 SP1 on Windows 2000 and IE6 SP2(SP3?) on XP). Keep in mind that the binaries for the same exact patch level of IE on two different versions of Windows on the same architecture are highly unlikely to be the same (e.g. IE7 on XP will not be the same as IE7 on Vista, nor will the patch binaries be the same, and OS SP level may also make a difference). Versions of Internet Explorer on Windows CE/Mobile might also be impacted resulting in further patch complexity. Oh, and x64 versions of Windows (and ia64?) have both the 32-bit and 64-bit versions installed side-by-side, due to issues with plug-in compatibility (you can't load 32-bit code into a 64-bit application). So, you'll need to patch both versions on 64-bit platforms, and once again, the 32-bit binaries for 64-bit systems are unlikely to be identical to the 32-bit binaries for 32-bit systems. In summary, we are talking a huge number of binary patches that all need to be thoroughly tested, passed through regression suites, and so forth, because if even one of these patches breaks something, odds are, you'll have a lot of pissed off users.

                That being said, this is largely Microsoft's fault. By integrating the browser so closely to the OS, they've managed to create this complexity. A clean(er) separation of web browser from OS internals would, while not making things simple, would surely reduce the current clusterfuck. Doing so would bring you much closer to the model that most (every?) other web browser uses, and should drastically reduce the amount of testing that would need to be done. For now, this isn't the case, and the present reality is that patching every version of IE since 2001 is a very messy business.

          • by plague3106 (71849) on Monday January 18, 2010 @11:04AM (#30808022)

            A security fix which breaks other required functionality isn't much better though, is it? A patch rushed out the door without much testing isn't a patch I necessarily want to install.

            • A security fix which breaks other required functionality isn't much better though is it?

              Joe Sixpack might be upset, but yes, it is _much_ better than leaving your computer vulnerable.
        • by xeoron (639412)
          The only solution from a security and user standpoint is to sandbox all programs you think need it. I suggest using the Windows program Sandboxie, [sandboxie.com] unless someone can offer a better method that is OSS for the MS Win platform.
      • Re: (Score:3, Insightful)

        by dunezone (899268)
        And that's Microsoft's fault how?

        Microsoft provides the ability to be up to date and secure as well as backwards compatible; it's the user's risk for what he chooses, not Microsoft's.
    • by UnknowingFool (672806) on Monday January 18, 2010 @10:45AM (#30807804)
      If it has the flaw, then it's not immune but it's less vulnerable. If DEP is disabled (which may be required to get some apps to work), then IE8 can become exploited too.
      • by lseltzer (311306)

        If the user is on Vista or Win7 they'll have to disable protected mode as well in order for the exploit to be able to do anything meaningful.

        So if a user running IE6 on XP, who doesn't enable DEP gets exploited, who is really to blame? This is an ancient configuration and Microsoft has, for a long time, provided products and technologies to address the problems in it.

      • It has been since it debuted in an XP service pack.

        So if you "disable" DEP to make some apps work, it still isn't disabled for IE8, because IE8 opts-in for it.

    • by KnownIssues (1612961) on Monday January 18, 2010 @10:50AM (#30807858)
      Then why would Microsoft state that IE8 is vulnerable to this flaw? They don't seem to be known for exaggerating the vulnerability of their software. I'm sure I'm missing something here, I'm just sincerely not seeing why Microsoft would claim it would affect IE8 if they could make the opposite claim with any accuracy.
      • They don't seem to be known for exaggerating the vulnerability of their software. I'm sure I'm missing something here, I'm just sincerely not seeing why Microsoft would claim it would affect IE8 if they could make the opposite claim with any accuracy.

        Actually, Microsoft has a policy of not taking protected mode, low integrity processes, DEP/NX, ASLR and other memory corruption protection mechanisms into consideration when assigning severity levels or reporting bugs.

        This means that MS reports the bug as being in IE8, but the several layers of extra protection in both IE8 and Vista/7 may very well neuter it completely.

    • by Penguinisto (415985) on Monday January 18, 2010 @11:03AM (#30808016) Journal

      True, DEP is enabled by default on the Win 7 / IE8 combo. OTOH, neither will run (very well, anyway) a horde of old enterprise services and suites that still linger about the industry, compatibility modes be damned.

      There are fixes and workarounds, but they can get rather expensive (and usually involve an XP Mode server of sorts, or Terminal Services seat licenses, etc).

      Long story short, there's either gonna be a lot of code that will get re-written, or a lot of businesses that will hang on to IE6 until then.

      • Long story short, there's either gonna be a lot of code that will get re-written, or a lot of businesses that will hang on to IE6 until then.

        That's not either/or, that's and. There will be a lot of code rewritten, AND a lot of business hanging on to IE6 until then, AND a lot of them getting exploited in the mean time. I wonder if it's cheaper to upgrade your internal applications so that they'll work with every browser for the next 10 years, or clean up a company-wide infection (and then rewrite the code anyway).

    Shhhh. Quiet... We want to live in a world where every Microsoft bug will remain unfixed and slowly become so problematic that we can live fat, dumb and happy with the alternatives.

    • by jim_v2000 (818799)
      Browser security is great in theory, but the last two infections I cleaned up at work were from people downloading Flash_Update.exe and running it so they could watch some video from "Santa" that they got in their email.
      • by jim_v2000 (818799)
        That said, I'm lobbying my boss to make all of our users "users". Some of them bitched about not being able to install things awhile back, so they were given administrator rights. That turned out well.
    • Re: (Score:3, Informative)

      by Pharmboy (216950)

      Yeah, after reading the article (some of us do) I found that this summary is a piss-poor one, more aimed at bashing MS than giving the real facts. We don't need to make up imaginary reasons to hate MS; they already provide plenty of real reasons.

  • ...or Death

    Security theater to keep people on their, similarly defective, latest product is the best thing MS could do for now, it seems. I'm waiting for comment from Bruce Schneier...

  • by webdog314 (960286) on Monday January 18, 2010 @10:42AM (#30807776)

    Software Engineer: "It's a complete mess... The vulnerability is present in IE6, 7, and 8 and it won't be an easy fix."

    Marketing Shill: "Excellent! Now they've no reason not to upgrade to IE8. Get out a Security Advisory at once!"

    • by Anonymous Coward on Monday January 18, 2010 @11:51AM (#30808534)

      Software Engineer: "It's a complete mess... The vulnerability is present in IE6, 7, and 8 and it won't be an easy fix."

      Marketing Shill: "Excellent! Now they've no reason not to upgrade to IE8. Get out a Security Advisory at once!"

      Software Engineer: "Oddly enough, that makes good technical sense. Upgrading may not solve this particular problem, but it will eliminate many other vulnerabilities, as well as add sandboxing, thereby increasing security of the browser."

  • by TheNetAvenger (624455) on Monday January 18, 2010 @10:46AM (#30807818)

    Even if the exploit is successful on IE8 on Vista or Win7, the reduced security mode that it runs in will prevent it from actually doing anything.

    Sure it may be able to crash the browser, or maybe screw with a favorite, but it can't access user files and especially can't do anything to the OS even if the exploit works.

    So saying it is a 'problem' on Vista or Win7 is stretching the truth.

    • by Sycraft-fu (314770) on Monday January 18, 2010 @10:59AM (#30807972)

      Also if you leave UAC on, it will be running as a normal user, not as an administrator. So if it broke out of the secure mode sandbox, it would still be limited to user data, no system access.

      By default, IE8 on 7 is pretty secure.

      • Re: (Score:3, Insightful)

        by duguk (589689)

        So if it broke out of the secure mode sandbox, it would still be limited to user data, no system access.

        By default, IE8 on 7 is pretty secure.

        So it's ok if a buggy webpage can wipe out My Documents, so long as it doesn't break my system?

        I'm not sure many users would agree with you there.

      • by pyrbrand (939860) on Monday January 18, 2010 @01:47PM (#30810054)
        Actually, on Vista and Win7, IE runs even lower privileged than normal user. It has no messaging access to any process not in limited mode, and no write access to any files not in the user's "local low" directory.
    • by Penguinisto (415985) on Monday January 18, 2010 @11:08AM (#30808074) Journal

      Even if the exploit is successful on IE8 on Vista or Win7, the reduced security mode that it runs in will prevent it from actually doing anything.

      ...this time. It's the same excuse folks (wrongly) use to claim that *nix-based machinery is 100% invulnerable - true to an extent, but not perfectly so, on any OS. The problem is a little something called privilege escalation. This will likely be the next big thing that the folks at Microsoft will begin to discover, much to their horror.

      Microsoft has come a long way in securing their OS, but they still have a long way to go before claiming that their product is as secure as, say, FreeBSD or OSX.

      • by jim_v2000 (818799)
        > This will likely be the next big thing that the folks at Microsoft will begin to discover, much to their horror.

        I'm sure they've never heard of that before.
      • Re: (Score:3, Informative)

        ...this time. It's the same excuse folks (wrongly) use to claim that *nix-based machinery is 100% invulnerable - true to an extent, but not perfectly so, on any OS. The problem is a little something called privilege escalation. This will likely be the next big thing that the folks at Microsoft will begin to discover, much to their horror.

        The folks who write IE (as well as other MS developers) are very well aware of the nature of privilege escalation vulnerabilities. This [amazon.com] is effectively the required read around here, and, while rather high-level, it does give a good overview of these kinds of attacks.

        Regardless, more security layers are always better, especially when you can't guarantee the code to be absolutely, definitely 100% secure. Things like sandbox, DEP, ASLR etc are absolutely not a replacement for writing proper code, security review

  • well done Google (Score:2, Interesting)

    by vacarul (1624873)
    Looking back at the whole story it seems that Google planned this in advance. They got hacked for real... but then someone had an idea: this is an IE exploit, so let's benefit from this. Let's show everyone how bad IE really is. So they posted on their blog saying that they will get out of China because of this attack (very dramatic so everybody heard about it) but I suspect that they have no intention to do that. I think they used their blog just to let people know: "we are Google, we know stuff about security b
    • by ElSupreme (1217088) on Monday January 18, 2010 @10:54AM (#30807904)
      Yeah use our cool browser that reports almost all of you browsing back to us. We won't be evil, we promise!
  • by Random BedHead Ed (602081) on Monday January 18, 2010 @11:26AM (#30808262) Homepage Journal

    The right time to stop using IE6 is not with this new exploit. It's circa 2003. I find all this perplexing because from what I hear, the people who keep thrusting IE6 on people like a poisoned dagger are IT departments, but aren't IT departments supposed to be staffed by, you know, techies? The kind of people who go to nerdy sites like /. and should know IE6 sucks rat balls?

    I understand that other browsers like Firefox might have been hard to push out and manage back when the world first discovered that browsing can improve as long as you avoid Microsoft, but what about IE7? That came out over two years ago and it definitely sucks slightly less. Can we revoke Geek status from IT staff that are still pushing IE6? Ban them from this site? Cut off their Internets until they apologize?

    (Special consideration would of course be extended to those techies who were unjustly forbidden from upgrading IE in their infrastructure because of web apps that only worked on IE6; the web app developers should have their Geek status revoked instead.)

    • by robogun (466062) on Monday January 18, 2010 @11:42AM (#30808442)

      So I was doing an install of ATT DSL a few months ago. You don't just plug it in, you have to authenticate.

      Only IE works with their server, and the install disc includes IE6 in case you don't have it.

      • by rrohbeck (944847)

        You can install it without their crap CD, but it's a PITA because there's zero documentation and you have to discover everything for yourself, if you run Linux for example. But all you need is any browser.
        The same applies to the majority of home networking gear out there.

    • > ...the web app developers should have their Geek status revoked...

      Most Web developers don't qualify for geek status.

  • I haven't used IE in any form for 5 years. Any web page that I can't see in Firefox doesn't want my business. The only way to start IE on my computer is to run the .exe file since there are no shortcuts or icons anywhere.
    • Re: (Score:2, Insightful)

      by ScytheBlade1 (772156)
      >The only way to start IE on my computer is to run the .exe file since there are no shortcuts or icons anywhere.

      I'd disagree. Open up "My Computer" and type in "http://www.google.com/" into the address bar.

      Enjoy your IE.
      • Re: (Score:3, Informative)

        by amicusNYCL (1538833)

        Maybe if you're going to use a different browser, also set it as a default. When I type a URL into Windows Explorer it correctly opens the URL in my default browser, which is not IE.

    • by BasharTeg (71923)

      Yeah, because Firefox's exploit stats aren't worse than any other modern browser right? Maybe you need to do a little research.

  • by haruchai (17472) on Monday January 18, 2010 @11:33AM (#30808336)

    It seems that all exploits that I've read about over the last decade all boil down to the same flaws - buffer overflows, invalid pointers, format strings, etc.
    Yet, developers persist in using the same old programming languages & libraries that are rife with weaknesses.
    Why haven't they changed to something better? From what I can see, better tools have been available for a long time and, quite frankly,
    the old "we've always done things this way and it would be too expensive to change" is real crap.
    What about the cost of NOT changing? Is that irrelevant because the cost ( and consequences ) are the burden of the end-user, not the vendor?

    Isn't it past time that things changed?

    • by gr8_phk (621180)

      Why haven't they changed to something better? From what I can see, better tools have been available for a long time

      I was wondering that too. Microsoft says C# and .net will alleviate these types of problems with "managed code" in your wares, but apparently they don't feel the need to use it for their own products.

    • by rrohbeck (944847)

      Developers who know what they're doing had it drummed into their heads that they need to watch memory allocation, array boundaries, null pointers, unsafe library functions and the like.
      The problem is if you hire hordes of less qualified programmers and let them loose on a project that requires low level programming.
      Unfortunately, anything using C or C++ amounts to low level programming.

      • by haruchai (17472)

        Right - so we're coming down to relying on (expensive) greybeards but most of the work is being done by whippersnappers who can spin out code but aren't obeying best practices with powerful but unsafe tools.

        Perhaps a secure coding certification is mandatory?
        I know this will be an unpopular idea and that some terrific code has been crafted by amateurs but something has to be done.
        How about free code analysis for FOSS apps?

  • Really? Impossible! I fully expected them to say it would be better to use Firefox or Opera.

    Seriously. What did you expect? Be honest.

  • In many ways if you are going to stick to using Internet Explorer, then it might as well be the latest one. If there is a flaw that affects IE8 less than the other two, then it is still the lesser risk. Even if it doesn't and is still major, then Microsoft will most probably concentrate on providing a security fix for IE8, and not the others. Heck, beyond hyper-conservative company policy (aka "let's stick with 10 year old software, no matter what"), there is very little reason not to upgrade and plenty of

  • Pentagon thinking (Score:3, Insightful)

    by Angst Badger (8636) on Monday January 18, 2010 @11:50AM (#30808526)

    Are there a lot of ex-Pentagon bureaucrats at Microsoft? Both seem to have an incredibly self-destructive habit of doing anything but owning up to the problems they create, apparently oblivious to the fact that it's a lot better for all involved if they were to just say, "Hey, we fucked up, and we're going to fix it," and then fix it. It's not like the competing browsers haven't had plenty of security holes, but the difference with -- to pick the one I'm most familiar with -- Firefox is that when a vulnerability is discovered, my first awareness of it is generally a new welcome screen in the morning announcing the fix. With IE, it's listening to users and admins bitch about unresolved issues in browsers that have been in the field for years.

    Oh well, it could be worse. At least aerial defoliants and depleted uranium munitions are not among Microsoft's current offerings.

  • by benjymouse (756774) on Monday January 18, 2010 @12:06PM (#30808656)

    Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7.

    That is a misrepresentation, at best.

    The knowledge-base article: http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx [technet.com]

    It states pretty clearly that IE7 *may* be vulnerable to this attack. But it also states that IE8 - on all recent platforms (XPSP3, Vista, 7) - contains the bug but due to DEP (and protected mode on Vista/7) it is not exploitable. That seems to be a pretty good reason to upgrade.

  • IE5 rules supreme (Score:4, Informative)

    by edxwelch (600979) on Monday January 18, 2010 @12:16PM (#30808770)

    Actually, IE5 is the only version not affected. You should be downgrading, not upgrading.

    http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/ [theregister.co.uk]

    "But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection."

  • by cervo (626632) on Monday January 18, 2010 @01:54PM (#30810134) Journal
    The place I work is still running IE 6. About 6 months ago they made a big effort to upgrade to IE 7, tested all their apps, and then decided that they weren't ready. There is currently no timetable to upgrade to IE7, let alone 8.

    A company I interned at had IE 4.0 for the longest time, even after 5 came out, and the latest versions of netscape....

    I think what our friends at Microsoft don't realize is that big companies (especially big regulated companies) are really slow to move on things. Upgrade to IE 8 is not really a valid answer. A large regulated company will spend months testing, and in many cases it will take years to go upgrade. Now if IE didn't encourage people to violate web standards, then it wouldn't be that bad. But unfortunately it does and people do. So fixing things to work with IE7 or even IE8 after IE 6 is a pretty big deal.

    So good luck with that. I know my company is going to be running IE 6 for at least another year, maybe more. They have to go slow because it is a financial company and they are subject to all sorts of SOX controls and regulations. Also upgrading browsers does not immediately generate revenue so it is not a high priority. They don't even use the right resources for testing so it drags out much longer than it should....

    I worked at a Microsoft Fanboy company but even then it took a good 6 months to test all the apps with IE 7, and there the roll-out wasn't company-wide, just that division. There was also a project in parallel to fix the issues and move all development projects to Visual Studio 2005. They properly staffed based on what they had, and it still took 6 months. And they were Microsoft Fanboys. I mean SQL Server 2005 comes out, they need to upgrade within a year. SQL Server 2008 comes out, they put on a project to upgrade within a year. Windows Vista comes out, they need to upgrade.... And even there 6 months is a lot of time to be exposed to a vulnerability. And they are the exception, not the rule.

    For many companies a security issue or browser upgrade does not generate revenue and is super low priority....
