Critical Internet Explorer 11 Vulnerability Identified After Hacking Team Breach

An anonymous reader writes: After analyzing the leaked data from last week's attack on Hacking Team, Vectra researchers discovered a previously unknown high severity vulnerability in Internet Explorer 11, which impacts the browser on both Windows 7 and Windows 8.1. The vulnerability is an exploitable use-after-free (UAF) vulnerability that occurs within a custom heap in JSCRIPT9. Since it exists within a custom heap, it can allow an attacker to bypass protections found in standard memory. Microsoft has published a patch for this vulnerability, and also patched another one pulled from the Hacking Team files by different security researchers.

Re:

[Anonymous Coward]

If anything these leaks will remind us to continously rethink our security configurations. It needs to be on a neurotic level and even then it's probably not enough. Everything needs to be isolated and access has to be as limited as possible to data that's not explicitly needed for whatever task at hand. We need to always assume our systems are vulnerable and possibly even compromised without our knowledge.

Or wait, my boss just told me we don't have the budget for it. Never mind.

Re:

[thsths]

Defence in the depth is the only option we have - relying on a single piece of software to be "secure" is obviously more than optimistic.

But even defence in depth fails if the government throws enough money at a hacking company. They will just buy the exploits and string them together to take over the flash player, escape the sandbox, escalate privileges, and then jump across the network. Defence in depth makes this a tedious, expensive and uncertain exercise, but by no means impossible.

Re: Critical IE vuln

[Anonymous Coward]

Show me again which internet browser is perfect and never has any vulnerabilities because I can't seem to remember?

Re:

[packrat0x]

Show me again which internet browser is perfect and never has any vulnerabilities because I can't seem to remember?

W3M [sourceforge.net]

Re:

[packrat0x]

Show me again which internet browser is perfect and never has any vulnerabilities because I can't seem to remember?

W3M [sourceforge.net]

Oh wait, there were 5 total W3M vulnerabilities [cvedetails.com]

Re:

[ITRambo]

There is no perfect browser. I prefer to use one that is the very responsive to security issues. Flash patches in Chrome are released within a day or so with Chrome automatically updating. IE11 is not automatically updated rapidly. I no longer think of MS "automatic updates" for IE as being automatic as MS still has to reboot Windows to patch many IE holes. So, they can go weeks without being fixed. IE is horrible. Chrome updates without you even knowing it as long as your computer is on and online. I hope

Programmers and Custom Code

[Anonymous Coward]

It's intensely annoying that programmers continue to re-invent the wheel and poorly whenever they need something which they're certain that nobody but their clever selves has ever thought of before. Would it kill them to use a data structure from the standard library of the language they're using? But no, they're too cool and smart for that. They have to code it up custom and then introduce dozens of silly bugs because they're too lazy to write tests and their code is perfect anyway, or so they think, and t

Re:

[Anonymous Coward]

This is very much true. It's important to distinguish clever standard-conforming solutions from custom solutions. The biggest mistake many seemingly clever devs do is to break well established standards while trying out new approaches.

Re: Programmers and Custom Code

[Anonymous Coward]

Huh. My programming goes to 11X.

Re:

[GrumpySteen]

My programming is usually just XXX.

For IE users ..

[invictusvoyd]

Do not look at the laser with the remaining eye

Thank you to whoever hacked Hacking Team

[jonwil]

Thank you to whoever hacked Hacking Team. Because of your work leaking the big data dump, a number of fairly nasty security holes in commonly used computer software such as Flash and Internet Explorer have now been patched by their manufacturers.

Companies (or government agencies) who discover/collect/buy/obtain unpatched vulnerabilities in software and sit on them so they can use them for spying purposes are no better than criminal gangs who discover/collect/buy/obtain unpatched vulnerabilities and sit on them so they can use them for building malware.

IMO There is NEVER a valid reason for ANY entity to hold onto an unpatched vulnerability and exploit it, not even the arguments of "National Security" and "we need this to stop terrorists" that have been used by the NSA and other agencies to justify this practice.

Re:

[thsths]

> IMO There is NEVER a valid reason for ANY entity to hold onto an unpatched vulnerability

How about profit? Maybe even legal profit, and certainly lots of it?

Re:

[Anonymous Coward]

I don't want to live on this planet anymore.

Re:

[drinkypoo]

Similarly, there is NEVER a valid reason for ANY entity to hold onto research findings nor trade secrets nor military secrets.

Wow, I'm surprised to see such insight from you. See, when people do that, it's because they're trying to hold back the human race.

Re:

[rvw]

Isn't it time to sue HT, and make it illegal to keep these vulnerabilities to yourself? I can imagine the EU passing a law like this. If that means HT moves to Russia or Panama, let them!

Re:

[fustakrakich]

Companies (or government agencies) who discover/collect/buy/obtain unpatched vulnerabilities in software and sit on them...

When a government acts badly, the citizens have an obligation to correct it. When they don't, they are complicit.

Re:

[Billly Gates]

Yep I can do a .msi, push gpos, use .pac files, etc.

And for several years it is just as secure as chrome and is w3c compliant and can render pages properly

Microsoft Standard Response:

[tomxor]

Thank you for the feedback.
This issue is no longer reproducible in the latest build of Microsoft Edge on the Windows 10 Insider Preview <build-number>.

Best regards,

The Microsoft Edge team

From personal experience i'd expect that is the current likely response to any IE11 bug where you give irrefutable evidence, clear and concise explanations and isolated test cases.

Selectively naming things obsolete when it suits.

Before Edge it would have been "does not affect enough users, will not fix"... Microsoft do not understand the concept of an evergreen browser, if Edge doesn't forcefully replace IE11 then they just fucked everyone again.

Re:

[Anonymous Coward]

Neither does google.
Or Apple.
or..

Think about the three things you can do as a consumer: Complain, Escalate, Publish.

Re:

[tomxor]

Obviously you dont understand what an evergreen browser is either.

Evergreen browsers enable continuous obsolescence of old versions... making another product and ceasing development on the current one instead of replacing it completely fucks this model.

Re:

[drinkypoo]

Microsoft do not understand the concept of an evergreen browser

What? Because Microsoft is getting rid of software which is architecturally unrepairable, they don't understand the value of keeping good software around? Look, there's lots of good reasons to hate Microsoft, you don't have to make up idiotic shit like this. iexplore must die, don't get in the way.

Custom allocator

[Alioth]

This sounds awfully familiar...OpenSSL had a critical vulnerability because they had decided to write a custom allocator instead of using the one provided by the OS. You would think IE developers, with their product being WIndows-only and strongly tied to Windows would never dream of reinventing the allocation wheel, especially as Windows memory management in general has had a huge amount of work done on it in the last few years to make it harder to exploit memory allocation bugs.

What?

[pahles]

There was a bug and now there is a patch?

Do like Firefox

[Anonymous Coward]

Warn users and make them click to run IE every time.

This is...

[calexontheroad66]

A gift that keeps on giving...