Forgot your password?
typodupeerror
Internet Explorer Security

New IE Zero Day 305

Posted by CmdrTaco
from the well-that's-not-good dept.
RebootKid writes "Microsoft has released a notice about a new zero day attack against Internet Explorer. Guess it's going to be more a 'Script Kiddie Christmas,' less of a 'White Christmas.' 'Ok, fess up — who asked for an IE 0 day for Christmas? I'm guessing Santa got his lumps of coal mixed up with a bag of exploits. This exploit has been discussed over the last day or so on full disclosure and a number of other sites. Metasploit already has a module available for it (just search for CSS & IE). Microsoft has put out an advisory 2488013 regarding the issue which manifests itself when a specially crafted web page is used and could result in remote code execution on the client.'"
This discussion has been archived. No new comments can be posted.

New IE Zero Day

Comments Filter:
  • by Anonymous Coward

    Merry Xmas

  • by Delusion_ (56114) on Thursday December 23, 2010 @01:57PM (#34653252) Homepage

    If you felt the story was newsworthy, I have no doubt that it was submitted in a form that was better than this one, or that you could have re-wrote it.

    • But it makes fun of Microsoft... Isn't that all we need. If there is a bug in Microsoft we celebrate.

    • by aliquis (678370)

      It was submitted in a better form, and I gave that one + and this one -.

      Bad:
      http://slashdot.org/submission/1426606/MS-warns-over-zero-day-IE-bug [slashdot.org]

      This one:
      http://slashdot.org/submission/1426648/New-IE-Zero-Day [slashdot.org]

      The other one:
      Can't be found, probably because it was submitted later? Or something, was better though, dunno why they have removed it from firehose? Same URL and this one got submitted = fail?

    • Re: (Score:3, Informative)

      I don't see anything wrong with the summary. It inserted some comic relief & levity, but still got the message across. Just as that comedian does on Comedy Central's daily news show.

    • by steveo777 (183629)

      Great. Now I need to buy a digital cliche meter. This summery of this story nearly caused my mercury cliche meter to burst.

    • Typical of the author

    • The lack of editing really makes it look like Taco and CO. have really given up on the site, as long as it's still making their bank accounts larger.
  • by Anonymous Coward

    or at least it's not on the list.

    • by AndGodSed (968378)

      That's what tickled me. If you believe the hype, every new version of IE is just that, new. Why then does is exploit like this for "all versions of Internet Explorer" except, as you pointed out, IE9?

      If there is a really good (technical) reason for this, I'd like to hear it, because it kinda intrigues me that this is possible... kinda like the sharing vulnerability that Win98 had, XP did not have, and then Vista, Win7 and Server 2008 had.

      • That's what tickled me. If you believe the hype, every new version of IE is just that, new.

        Can you give examples of said hype? I think it's pretty well known that IE engine did not have a grounds up rewrite for a long time now. Nor was it ever claimed or hinted otherwise by MS.

  • Misleading report (Score:1, Informative)

    by Anonymous Coward

    Microsoft is not being entirely straightforward in their report. This is not an IE bug. It is a .Net bug in mscorie.dll. Mscorie.dll is not required by IE. (IE works just fine, so to speak, without .Net.)

    • Re: (Score:3, Interesting)

      by Artefacto (1207766)

      This is not an IE bug. It is a .Net bug in mscorie.dll. Mscorie.dll is not required by IE. (IE works just fine, so to speak, without .Net.)

      Referece? The CVE description says:

      Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 7 and 8 and possibly other products, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via multiple @import calls in a crafted do

  • Just don't put this on the Christmas Elves or Elf Bowling sites.... Let's see, risk factors:

    * Tech-clueless relative just got their first computer for Christmas. "Chooses" I.E. as browser. Drawn in by Elf Bowling. There's a virus on your computer, click here!

    Oh, man....

    And related to what an earlier poster said, why is it that we need to use Internet Explorer in order to update our Windows boxes? I still find that a little bit anti-trust.

    To borrow from 2001: My God--it's full of holes!

    • You need Internet Explorer to update your OS if you happen to be running XP and older. Vista and newer have a seperate client app for updating the OS. Don't expect this to change anytime soon because XP is long past its expiration date.
  • Is it a slow news day? ;)

    Next you are going to say there are some unpatched vulnerabilities in IE.

  • by hAckz0r (989977) on Thursday December 23, 2010 @02:22PM (#34653456)
    Microsoft blundered again. No big supprise. They left off the /DYNAMICBASE randomization switch when compiling mscorie.dll. Dumb, Oversight, or is it on purpose? (-1 score)

    Well the (+1 score) is that they have called for using the “The Enhanced Mitigation Experience Toolkit” (EMET) tool to mitigate the problem. The bigger question is why is EMET not a part of the OS proper? If the EMET tool is capable of solving this problem then why the &83$$@# didn't they force an install of EMET to solve all the Adobe issues? Why are they NOT stepping forward to fix all the third party application security issues?

    What security features can you add with EMET?

    Dynamic Data Execution Prevention (DEP)
    Structure Exception Handler Overwrite Protection (SEHOP)
    Heap Spray Allocation
    Null Page Allocation
    Export Address Table Access Filtering
    Mandatory Address Space Layout Randomization (ASLR)

    Now I have several questions, like why is this not part of the OS? Why is it not a default where these can be turned off on a case by case basis? Have untrusted browser plugins? And why isn't Flash/acrobat/shockwave forced to run under it? Admittedly Acrobat-X (sandboxed version of Acrobat) is a step in the right direction, but wouldn't it be better to have all applications turned on by default?

    The Enhanced Mitigation Experience Toolkit 2.0 is Now Available
    http://tinyurl.com/28znulg [tinyurl.com]

    • by phantomcircuit (938963) on Thursday December 23, 2010 @02:59PM (#34653770) Homepage

      DEP and ASLR both cause problems with lots of poorly written software, which is why they're only enabled for executables that specifically flag themselves as working with DEP/ALSR.

      • I can attest to that (Score:4, Interesting)

        by Sycraft-fu (314770) on Thursday December 23, 2010 @03:36PM (#34654116)

        When I went to a 64-bit OS I decided I'd force DEP on. Windows actually has 4 DEP modes: always off, always on, opt in, opt out. It just only shows the opt in and opt out choices in the GUI. So I turned it on. After all, this was some time since DEP had come about, figured things would be fine.

        Wrong answer. Tons of apps bombed on DEP errors. Seems lots of apps like to execute from memory they forgot to mark for code. I tried the opt out mode for a bit, figuring that I'd just add the apps that were problems, but it got to be too much since you have to do it by hand (there isn't an "add exception" button in the error or anything), some apps had multiple sub apps that had to be added, and of course it isn't like apps would always just fail to execute, sometimes they'd run fine until you were in them and working, then bomb (audio apps with plugins were notorious for this).

        So now my computer is in the default op in state, meaning only apps that ask for DEP get it. Not as secure, but such is life. Good news is as far as I can tell all my apps that run at any privilege above user DO use DEP so that's nice.

        • by hAckz0r (989977)

          there isn't an "add exception" button in the error or anything

          I think you just hit on the most major feature that MS left out. What is needed is a balance of usability and enforcement. One needs enough enforcement so that the developer will hear about the issues and have the incentive to correct them, but not so much that the user is prevented from getting the application to work properly. Wouldn't it be great if MS used a click through message to both correct the problem and to also notify the developer?

      • by hAckz0r (989977)

        DEP and ASLR both cause problems with lots of poorly written software

        Exactly! When MS came out with NT, and protected mode Win32, a lot of programmers had to straighten up and fly by MS's new rules, and things improved greatly. They are still bad, but much improved. The problem is MS is not trying to get them to fix their own problems and therefore MS suffers an image problem that needn't be. If MS said, "this is the way things are, you have X months to make it work under the new rules" then the third pa

    • These things it very difficult to reproduce the defects. Of course so many of the defects are caused by stupid things like uninitialized memory access, freeing freed memory and such dumb mistakes. And these tools would help you find such bugs quicker and make a more reliable product. But the developers have a strong aversion to tools that break things. The attitude is, "yes, yes, it is really stupid to have used variable xxx without initializing it, but the code does not crash and I install this tool and it
      • by hAckz0r (989977)
        I understand that mentality completely! About 20 (?) yrs ago I was working for a company using Windows 3.xx and they had big problems with software bugs trashing customer databases. I asked why they didn't run with NT, or at least with the protected mode turned on, and their reply was it broke too many things. Well, Duh! There are bug in there that you won't find unless you do.

        I came in one weekend and turned it on on my workstation and debugged everything I knew how to run (I was the new kid on the bloc

      • by lennier (44736)

        If the code path is randomized in anyway these developers get all flustered. None of them would invest in writing sanity check and audit methods.

        How did the software industry get to the point where it's legal to not have sanity checks in today's hostile Internet environment? If the building industry had a similar standard of construction, millions of people would be dead and there would be lynchings.

        I presume the answer has something to do with the secrecy of proprietary software development and that it's impractical to enforce any kind of standards compliance, especially when many software 'standards' only exist as bugs-and-all implementations? But

    • While it's unfortunate that the exploit writer could find something that isn't ASLR'd and use it as a jumping off point, it's not really the flaw here. The flaw itself is in MSHTM that allowed access to mscorie.dll.

      DEP is a great tool, but it can't be used for everything. Same with ASLR.

  • more outline and summary of the article, its content, affected users and payload. bonus points for countermeasures to employ.
    less goofy references to your fucking holidays.

    sincerely,
    the overworked windows administrator trying to use slashdot for an intended purpose.
  • Botnets! Worldwide botnets!
    What kind of boxes are on on botnets?

    Compaq, HP, Dell and Sony, true!
    Gateway, Packard Bell, maybe even Asus, too.

    Are boxes! Found on botnets!
    All running Windows. FOO!

    Why, yes! Yes I Am a smug, OS X using bastard!
    How kind of you to notice!

  • Please remember that this happens to all browsers, Firefox [theregister.co.uk], Safari [computerworld.com], Chrome [zdnet.com] and Opera [softpedia.com] have all had zero days.

    It is also important to take note that IE is the second most secure browser after chrome, as it is the only one to make full use of WIC(Windows Integrity Controls), although does not have the sandboxing that Chrome has.

    • Umm.. ok. If you mean "sandboxing as chrome has" rather than "sandboxing, as chrom has". IE has protected mode, which is a form of sandboxing. Not the same as chrome, but they both have sandboxing. Chrome doesn't do what IE does either.

      • by metrix007 (200091)
        Incorrect. IE and chrome make use of WIC, but they do not have an actual sandbox like chrome has.
    • A few things of note here.

      1) If there is a Zero Day for those other browsers, one can usually switch to another browser because I use all four. Average mom and dad users, may not be possible.

      2) Because IE is tied so closely to the OS called Windows, it is much easier to exploit, because it requires less guessing of the OS. And with IE 9, it requires no guessing. That, by itself makes the exploit that much more difficult to block.

      3) When Firefox or Chrome get zero days, the time for the fix is usually a day

      • by metrix007 (200091)
        1. The guessing argument is irrelevant.

        2. IE Makes use of WIC, and is quite a bit more secure than FF or Opera because of it

        3. Microsoft issues critical patches out of cycle, so that also isn't an issue.

Facts are stubborn, but statistics are more pliable.

Working...