Forgot your password?
typodupeerror
Internet Explorer Microsoft Security The Internet

Microsoft To Ship Emergency IE Patch 187

Posted by kdawson
from the advanced-persistent-threat dept.
Grotendo writes "Microsoft plans to release an emergency patch for Internet Explorer very soon to counter targeted attacks and the publication of exploit code for a 'browse and you're owned' vulnerability in its flagship Web browser. The out-of-band update will be released once the company is satisfied that it has been properly tested against all affected versions of Windows. This could happen as early as this weekend." Microsoft has downplayed the seriousness of the IE zero-day, and insisted that it affects only IE6 even as security researchers close in on exploits for IE7 and IE8. Microsoft has had no comment about the firestorm that Google unleashed by directly accusing the Chinese of cyber espionage. ShadowServer has up a sobering post on the massive extent of the problem of "groups that can be referred to as the Advanced Persistent Threat."
This discussion has been archived. No new comments can be posted.

Microsoft To Ship Emergency IE Patch

Comments Filter:
  • Enough is enough! (Score:5, Informative)

    by LostCluster (625375) * on Tuesday January 19, 2010 @04:29PM (#30824026)
    I'm uploading the IE6 No More [ie6nomore.com] code to my website now. There's a point where users of outdated software need to be told there's four major cost-free options, including a much updated version of IE if they want to stick with IE. I'm almost thinking we should move from a warning to a service-denying error if this goes much further.
    • by MrEricSir (398214) on Tuesday January 19, 2010 @04:43PM (#30824226) Homepage

      Why not just exploit their browser's security flaws and wipe their hard drive?

      That way they learn their lesson about safe browsing the old fashioned way.

      • by NotBorg (829820)

        Sorry, but I need them alive! Muhahahahahahahh! Nom Nom Nom Nom!

      • by H0p313ss (811249) on Tuesday January 19, 2010 @04:50PM (#30824296)

        Pro

        • Amusing
        • Might solve problem

        Cons

        • Illegal
        • Immoral

        Counter proposal: have you tried carpet bombing a small third world country today?

      • Re: (Score:2, Interesting)

        by Nerdfest (867930)
        Serious question here: does the Chrome frame for IE6 protect users from this attack? It would be interesting to know, as MS stated that it increased the security exposure (which is true in theory, but generally false in practice from what I've seen, as all attack surfaces are not created equal.)
      • If you got more free CPU power than all super-computers combined, you would just throw that away?

        I don’t think so... ^^

        I’d go straight to cracking every important security code on the planet. Federal reserve, CIA, every intelligence agency of every important country, every military lab, every weapons remote control (especially for nukes). And then I’d start making one single demand. One that would be impossible to undo, and would change the world forever.
        Meet it or you’re done.

        Pff, y

      • Why not just exploit their browser's security flaws and wipe their hard drive?

        That way they learn their lesson about safe browsing the old fashioned way.

        Because I like my asshole at it's current diameter, and I fear that blatantly violating the law could soon be followed by someone blatantly violating said asshole...

        What I do is go to every machine I am asked to look at and I add this reg key (with owners permission):
        _______________________________
        Windows Registry Editor Version 5.00

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe] "Debugger"="cmd.exe /c echo %time% %date% >> c:\\ExecBlock

    • Re: (Score:2, Troll)

      I'm uploading the IE6 No More code to my website now. There's a point where users of outdated software need to be told there's four major cost-free options, including a much updated version of IE if they want to stick with IE.

      Five.

      It's missing Opera, which globally has more users than Chrome, for example, and wtfpwns both IE and Firefox combined market share in certain countries. In most European countries, Opera has more users than Safari and Chrome.

      While the concept is neat, the choices aren't, and they are both offensive and ignorant.

      • by PopeRatzo (965947) *

        Opera, which globally has more users than Chrome

        By "globally" do you mean "in your head"?

        According to marketshare.hitslink.com, as of December 2009 Safari had 2.4% of the browser market share. Chrome had 4.63%

        Over at gs.statcounter.com, as of January 10, 2010 Opera had 1.98% and Chrome had 5.88%.

    • Re: (Score:3, Interesting)

      I'm running similar code on my site, and yet many of the "visitors" are still using IE6. I suspect most of those are bots, because of the traffic pattern looking for Registration and Forum pieces.

      It is sad when you can spot a bot by the UserAgent.

    • by ArhcAngel (247594)

      Considering how many single purpose devices I work on that still use IBM/MS DOS 3.3 I suspect IE6 will be dominant until corporations are forced to migrate to Win7/8. Big companies are spending their money on things that make them MORE money. Upgrading to IE 7/8 is NOT free and since IE6 "works" in the eyes of the boss there is no "need" to upgrade. I'm not aware of an enterprise deployment feature for FireFox or Chrome. I believe Opera may have one but I don't think it is free. Since XP and IE6 for the maj

      • by stokessd (89903)

        That's a very good point. And all corporations will tell you that the only surfing you should be doing should be work related, so if you follow that rule, your chances of getting owned even on IE6 are pretty low.

        Now I'm posting to slashdot during work hours, and I'm not even an IT guy, so you can see how followed that policy is. At least I'm on firefox.

        Sheldon

        • by zonky (1153039)
          Rubbish. There exploits are commonly deployed via ad networks or 0wned legitimate sites. There is no such thing as a "safe" page and/or site.
    • Re: (Score:3, Informative)

      by GF678 (1453005)

      I'm uploading the IE6 No More code to my website now. There's a point where users of outdated software need to be told there's four major cost-free options, including a much updated version of IE if they want to stick with IE. I'm almost thinking we should move from a warning to a service-denying error if this goes much further.

      I'm sure corporate users who have IE6 forced upon them will appreciate it if they try to view your site.

      I'm sure your response would be "well they can bring it up with their IT depar

      • That is no longer a valid excuse. The cost of upgrading to apps that support a recent version of IE should be significantly less then the cost of cleaning up after IE6.

        Of course their not going to do it until it bites them in the ass over and over, which is why I am happy every time I see an IE6 user get exploited. I've spent the last year of my life re-writing applications to be browser neutral for my job, so at least some companies are getting it.

      • Tell that to YouTube.

        Thankfully, next-gen webapps are going to be the death of IE6 because in another year nothing is going to support it anymore. IE7 will die at a much faster pace.

    • by Ogive17 (691899)
      I've asked our local IT guy (contractor) if the company had any plans to upgrade from IE 6 and he said no. Our HQ is on the left coast and that's where the ISD dept. resides. There are probably a couple applications that won't work properly with any other browser and that's keeping us with 6. Around the country we probably have a couple thousand work stations.

      I don't know anyone else who uses IE and hasn't upgraded to IE8.
      • by Culture20 (968837)

        I don't know anyone else who uses IE and hasn't upgraded to IE8.

        I know several companies and some university departments. IE6 intranet applications are the dumbest thing in the world, but the "If it ain't broke don't fix it" mantra doesn't consider security when gauging levels of "broke", only whether the intended purpose still works, and that's a business decision, not Infosec/IT decision.

        • by Gilmoure (18428)

          Yup, my company has had to spend some cash on developers to upgrade various web apps that only work with IE6. We were warning them about this in 2007 but it took transitioning to Vista and IE7 to finally get them to cut loose with the $$$. Silly management.

        • Re: (Score:3, Informative)

          by Runaway1956 (1322357)

          "If it ain't broke don't fix it"

          Correct. And, it's time to make the decision makers understand that it's broken. If it isn't broken enough to convince them, then LET'S BREAK IT MORE!!

          Most of the rest of what I read here today is just so much whining and sniveling, from one side or the other.

      • We are looking to migrate to IE8 in the next 3 months actually. We are currently on IE7. All of our applications work in any browser now. The only main issue is testing that the IE8 push won't break any workstations.

        • by omb (759389)
          Browser independence, is what you should have done/insisted on in the first place, which would have resulted in push back on M$ non inter-operable crap.
      • If Google started saying "You can't search until you upgrade!" they'd get the clue rather quickly. Google has reason to kill off IE6... it was the weapon used to attack them in China. Your IT desk likely uses Google multiple times a day... so a Google outage would get attention rather quickly.

    • by RajivSLK (398494)

      No Save IE6! It keeps us employed!

      http://www.saveie6.com/ [saveie6.com]

    • I'm using IE6 right now, you insensitve clod.

      Why, you ask, is an Electrical Engineer -- one who reads /., has acted as a sys admin for two start-ups, uses Linux at home (and Puppy for the kids, that's right, my 6-year-old uses Linux) and has over 25 years of programming and networking experience)-- using IE6, a browser that MS itself has said, "oh god, please ditch it"?

      Because I'm at work and some of the legacy applications here require it.

      Have you got a solution? I'd love to hear it because I'd get a big f

      • What's the app and why does it insist on IE6? Can it be tested on one IE8 virtual machine? If the app vendor was still around they most likely would love to sell an upgrade...

      • How about you gauge the cost of a security breach that will eventually happen against the cost of not using legacy applications.

      • Using IE6 for that app, other browser for all the rest. Unless you're prohibited from running another browser; then having sites lock IE6 off can accelerate the transition, so they're helping you in the long run.

  • Quoth the TFA (Score:3, Informative)

    by McBeer (714119) on Tuesday January 19, 2010 @04:32PM (#30824078) Homepage

    targeted attacks and the publication of exploit code for a 'browse and you're owned' vulnerability in its flagship Web browser

    IE 6 hasn't been Microsoft's flagship browser for 4 years.

    • Yep, and it's almost wrong to be asking Microsoft to patch something as old as IE6 or XP at this point. Maybe OS licenses should say "You may use this program for 5 years." instead of perpetually because you're a danger to other people's systems when you don't update to modern software.
      • Re: (Score:2, Insightful)

        by igadget78 (1698420)

        Yep, and it's almost wrong to be asking Microsoft to patch something as old as IE6 or XP at this point. Maybe OS licenses should say "You may use this program for 5 years." instead of perpetually because you're a danger to other people's systems when you don't update to modern software.

        Maybe not, but when you work at a hospital in the IT department and your patient critical applications are still relying on IE6 because the vendor who wrote it sucks and can't figure out how to make it work with an updated browser, you appreciate that Microsoft, however insistant they are on dropping that old clunker of an app, is at least trying to resolve it.

        • by PopeRatzo (965947) *

          you work at a hospital in the IT department and your patient critical applications are still relying on IE6

          Do you mind sharing the name of the hospital so I can tell the ambulance driver where not to go the next time I choke on a cheesy poof?

          If they're using IE6 for "critical patient apps" there's probably a good chance that they'll try to cure my blocked windpipe by putting leeches on me or trepanning me or something.

          • by gmhowell (26755)

            While your point is made and understood, there are actually a few studies showing that both leeches and trepanning (or a modern day equivalent) have some valid therapeutic uses. No, I'm not going to bother with a cite as they're from some medical journals (dead tree, father is a traditionalist) which are at home.

      • Re: (Score:3, Informative)

        Because some companies have contracts with MS that have them on Win2k until (if I recall correctly) until the extended support is over which is this summer so MS can't really tell IE6 users to fuck off completely.

        I'm sure they could get out of the contract at an unnecessary cost. MS made this mess and unfortunately we're stuck with it for awhile longer. Hopefully once the extended support is over then companies will start dumping their old stuff and upgrading.

        In my opinion this shouldn't matter to mos
        • And I'm sure Microsoft is regretting those agreements now... they'd much rather sell 7 than support 2000.
      • I am using XP and I "almost" feel guilty after reading your post.

      • by omb (759389)
        It should RUN for 10 years on stable HARDWARE.

        Only a complete M$ dummy would pull that naive crap, there are SunOS 4 systems still running reliably in server rooms.

        I just despair at your credulousness and stupidity.
    • Re: (Score:3, Informative)

      by poetmatt (793785)

      it does, however, share the same vuln with IE7 and IE8. So maybe it's more appropriate as "microsoft's web browser" (irrespective of version) is at fault.

    • Re: (Score:2, Informative)

      by IshmaelDS (981095)
      True IE 6 hasn't but if you read the microsoft bulletin it also says that IE 7 and 8 share the vulnerability. http://www.microsoft.com/technet/security/advisory/979352.mspx [microsoft.com] "Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows S
    • To be fair, IE6 can’t be defined as a browser for 4 years anyway. ;)

  • Countering attacks? (Score:4, Interesting)

    by jhol13 (1087781) on Tuesday January 19, 2010 @04:33PM (#30824100)

    Microsoft is not "countering the targeted attacks".

    Unless of course the German and France CERT teams recommendation to ditch IE is considered one.

  • by rehtonAesoohC (954490) on Tuesday January 19, 2010 @04:33PM (#30824104) Journal
    It uninstalls all versions of Internet Explorer and installs Firefox with Adblock pre-installed.

    Bravo Microsoft!
    • by NotBorg (829820)

      Typical Microsoft patch. It side steps the real issue: not having Noscript pre-installed too.

    • Re: (Score:3, Funny)

      It also sets the DNS to itself and caches anything you might have had saved in your browser history.

      That way, you still seemingly visit the same sites you always do, just they never get updated, and you are completely secure from everything on the net!

  • by jameskojiro (705701) on Tuesday January 19, 2010 @04:36PM (#30824132) Journal

    And that is running Windows Update and it isn't that good at doing that....

    • by meheler (193628) on Tuesday January 19, 2010 @04:46PM (#30824250)

      The sound of Windows update running is drilled into my mind forever.. Click.. click click click.. click. click.. click click click click click.
      My mind constantly asking "what the.. i haven't clicked a damned thing"

      • Re: (Score:3, Insightful)

        by Quantumstate (1295210)

        All I know is that three certain windows updates have been drilled into my Vista boot process for ever. Did someone really intentionally program an update process so that if it failed it would just try again?

      • Re: (Score:3, Interesting)

        by jameskojiro (705701)

        How many people on slashdot still run XP to avoid the bloat of Vista/7.

        Quite a few I would imagine....

        • Windows 7 is actually almost as fast as XP. That's really good accounting for the numerous improvements made to the OS in the intervening 9 years. Almost every new software release requires better hardware, including Gnome and KDE.

          • Re: (Score:3, Insightful)

            by uassholes (1179143)
            How is requiring faster hardware an improvement?
            • Read my post again. Improvements like better UI, better security, more features etc. etc. need faster hardware.

              • It depends on your definition of "better". If "better" UI is flashier, yes, it does.

                And security? Really? Why would you need faster hardware for that? Oh, and don't tell me "better encryption", even my P3 can handle that.

        • by jim_v2000 (818799)
          7 isn't particularly bloated.
        • And how many on slashdot are stuck with XP SP1 because SP2 causes too many problems? Of course, this means they're stuck with IE6 I believe (as opposed to upgrading to IE7 and IE8).

          But, I think the key lesson is here... why don't we have ActiveX controls and Active Scripting disabled by default? IE is so popular, it is targetted. When FireFox takes IE's place as leading web browser of the world, what do you think will happen? (Maybe not to the same extent as IE.)

          • Has been stated and rebutted literally millions of times, the problem with M$ crap is not that it is popular, it is that it is criminally defectively by design, and because of Backward Compatibility, and secret api's shared only with valued customers they absolutely can never fix it. Anyone tells you about OS secrets is selling snake oil.

            1. There are 3,500 Windoze api calls, POSIX < 200, Linux ~ 250, new functionality over 10 years,

            2. Windoze will execute any crap base on ".ext" so it will just execute "
    • Re: (Score:3, Informative)

      by QuantumRiff (120817)

      Shh, don't tell anyone...

      >wuauclt /detectnow

      Forces the update.exe agent to check.

    • I really enjoy that in Vista and 7, Windows Update is a standalone app. I don't have to fire up IE to grab updates.

    • You clearly haven't used IE in years, or you are just trolling. IE8 handles tabs much better than Chrome or Firefox, and unlike firefox IE is sandboxed (this exploit doesn't affect ie8 in win7), to get similar functionality in firefox you have to install noscript and individually handle every single new website you go to. The problem with IE isn't its compliance to standards or acid tests (no one cares except web developers) it is that its snail slow. The UI is atrocious but firefox really isn't any better

      • Re: (Score:3, Insightful)

        by hairyfeet (841228)

        And you, dear nightspirit, didn't read TFA [computerworld.com] did you? Here, let me highlight a relevant passage for you..."While the public exploit only targets Internet Explorer 6 without DEP, Vupen Security has confirmed code execution with Internet Explorer 8 and DEP enabled," the company said in an e-mail. "Enabling DEP will only protect users from current exploits."

        TL:DR? IE8 is totally pwned as well. They just haven't released the script into the wild yet. When they do any script kiddie can pwn ANY MSFT browser, from

        • Wow, big surprise, security company creates an exploit for money. That doesn't change the fact that the current 0 day doesn't affect IE8 on windows 7. Exploits are found and patched all the time in firefox, safari, and chrome. Hell in the Pwn2Own contests safari is always first to be cracked, Chrome currently has an unpatched critical vulnerability (secunia), and firefox actually has been doing quite well but still really requires noscript to be safe which cripples browsing the internet.

      • 1. Tabs are Tabs,

        2. You only need a sandbox if you have open wounds, IE6 or are Immune Compromised that ie: Windoze* IE*,

        3. You don't need NoScript,

        4. ACID is a database test, and has nothing to do with HTML compliance, your ass and ignorance is showing!

        5. We do care about HTML compliance and a commitment to inter-operate properly since it reduces complexity and simplifies testing, both of which cost a lot of money.

        Isn't it time you moved out of your mother's basement?
    • by Yvanhoe (564877)
      To be fair it is also a good firefox downloader.
    • But only in a frame, inside Firefox [mozilla.org]. (Just disable the cookie transfer feature. That’s a really stupid idea.)

    • by mstahl (701501)

      This is something I've never really understood. What is the rationale, if any, for making it so that the web browser updates the system? If you uninstall IE, can you still update your system?

  • by MikeRT (947531) on Tuesday January 19, 2010 @04:38PM (#30824150) Homepage
    Make it painfully clear [devirtuoso.com] to IE6 users what they're doing.

    My version [codemonkeyramblings.com], which is more educational for them.
  • by Bigbutt (65939) on Tuesday January 19, 2010 @04:49PM (#30824292) Homepage Journal

    Do you find yourself mysteriously waking up in a back alley more than once a week?

    Do you find empty HTML pages littering your desktop and you have no idea where they came from?

    Do you discover new directories on your computer?

    Get the IE Patch!

    It comes in 4 strengths so you can be gradually weaned from the habit.

    Week 1. IE 6 Patch. Internet cravings are pretty intense the first week so the IE 6 Patch is there to help you learn how to just say "NO".

    Week 2. IE 7 Patch. It's easier to avoid launching IE. You still need to check Amazon or e-Bay from time to time but the edge has been honed down a bit.

    Week 3. IE 8 Patch. You find it a lot easier to avoid clicking on the 'e' although you still lapse when you aren't thinking.

    Week 4. Firefox. You've mastered the addiction. You're free to browse the Internet worry free. Even looking at the 'e' makes you nauseous.

    Congratulations on taking the first step to breaking the IE addiction.

    [John]

  • I'm so glad I upgraded from XP to Windows 7; with multi-core optimisations and improved app performance, I'm compromised faster than ever before!
  • And what's going to happen to all those "IE only" web sites the government, public schools and other agencies like to use?

    • Also, what about all of us that can't use anything other than IE6 because that's the latest version that Windows98 supports?

      • by koan (80826)

        WHy are you using Windows 95? Get a linux variant. (did I miss the joke?)

    • by Culture20 (968837)

      And what's going to happen to all those "IE only" web sites the government, public schools and other agencies like to use?

      They'll still exist, but the error page might get changed to:
      "This page is IE only. Type '?browser=firefox' at the end of the URL to be automatically moved to the non-IE page. Safari users type '?browser=firefox' too. There are no other browsers *Jedi hand wave*."

    • If they were designed when IE6 was current... they're overdue to be rewritten. Another case of not budgeting for the geek jobs until they're broken.
  • "Emergency" reaction (Score:2, Informative)

    by burkmat (1016684)
    Wow, so that's... 4 days after full disclosure that they announce their response.

    "Could be here as soon as this weekend", which is still more than a week from the exploit being published. That's swell.
    Anyone else grateful MSFT doesn't run the fire department?
  • At least two governments officially stating to avoid IE, others in fear, every single web developer on the country hating you, Google getting hacked, and every security expert on the planet laughing at you?

    Wow. Just wow.

    May I extrapolate from that, what it would take, to get a real Bugzilla for IE and make it follow recent standards?
    My guess: Inter-dimensional time war with Lovecraft’s the old ones, lead by Cthulhu, fighting the Shrike and its army, armed with gamma ray bursts and black holes, using giant stars as ammunition.

    On the other hand: That would be awesome!

  • by L4t3r4lu5 (1216702) on Wednesday January 20, 2010 @07:14AM (#30830200)
    They look totally different to the popup-style messages on compromised websites saying "Your Anti Virus is out of date! Download our version!" or "You have been infected by Win32.BullRubbish.exe.foobar! Upgrade to New Anticrap UberVirusWare 2011!"

    You're training them to download stuff from the web, from sites they don't regularly visit / don't trust, because a popup told them to.

    Well done.

HOST SYSTEM NOT RESPONDING, PROBABLY DOWN. DO YOU WANT TO WAIT? (Y/N)

Working...