MS Issues Emergency IE Security Update

WrongSizeGlass writes "CNET is reporting that Microsoft has issued an emergency patch for 10 IE security holes. 'The cumulative update, which Microsoft announced on Monday, resolves nine privately reported flaws and one that was publicly disclosed. ... Software affected by the cumulative update addressing all the IE vulnerabilities includes Windows 2000, Windows XP, Windows Server 2003 and Server 2008, Vista, and Windows 7.'"

Pwn2own strikes again

[sxedog]

Amazing... that was only a week ago!

Re:Pwn2own strikes again

[amicusNYCL]

idiots who want to use what they don't understand deserve to get 0wned.

Totally. All those drooling idiots driving cars without knowing how to rebuild an engine and transmission are just asking for it.

Re:

[steelfood]

Actually, your analogy would be asking everybody who used a browser to know how to code.

On the other hand, it's a good for people idea to learn about the technology behind websites before browsing them. For example, knowing what javascript is, what flash is, what cookies are, what xml is and how it relates to web pages, etc. And they may want to know how to block or clear cookies and block javascript and clear cache.

And that's asking people to know the laws of driving, how to read the street signs, to know

Re:

[amicusNYCL]

And that's certainly not too much to ask.

It most definitely is. I don't need to understand Blu-ray encoding in order to watch a movie, I don't need to understand how WEP works (or doesn't) in order to connect to an access point, and I don't need to understand how GSM or SMS works in order to send a text message. I don't need to understand how the Playstation network operates in order to play online, I don't need to understand how HVAC works in order to cool my house, and I don't need to understand how an electrical coil heats up in order to toas

Re:

[b4dc0d3r]

On one hand, the analogy was flawed and had to be corrected. On the other hand, the explanation was poorly done. A better explanation would be that people need to learn things about their browser in order to use it effectively. Like "too good to be true" probably means it's not true. Or there ain't no such thing as a free lunch. Common sense that says don't take unknown things from unknown people. That's what people forget - no other application has opened people up to identity theft just by operating

Re:

[Tim C]

That's what people forget - no other application has opened people up to identity theft just by operating it.

All the people who fell for 419 and similar scams by reading and replying to emails would beg to differ.

Re:

[vegiVamp]

The people who got 419ed didn't just operate their mail client (or browser, more likely), but actively responded, repeatedly, to an obviously too-good-to-be-true offer from someone they didn't know in a country they may not even have ever heard of, and then enacted one or more banking transactions to the same unknown factor.

It's like I'm driving my car on the highway, and I suddenly decide to follow an arrow that says "Promised Land" and points into a dark, foggy gravel road that goes in the direction of wh

Re:

[drinkypoo]

And that's asking people to know the laws of driving, how to read the street signs, to know what happens when roads get wet or are covered in snow, to know about dirt versus gravel versus asphalt versus cement, and how to react appropriately under each circumstance. And it's asking them to know how to use the e-brake or the tramsmission. And that's certainly not too much to ask.

I agree, but apparently no state in the USA does, especially not California. They'll give you a license anyway. Crap, by the time I had to take my driving test, you no longer even had to parallel park.

Re:

[thePowerOfGrayskull]

n the other hand, it's a good for people idea to learn about the technology behind websites before browsing them.

I agree it's a good idea - perhaps even foolish not to know this. At the same time, though, the purpose of computers for *most people* is to simplify life. It's not a learning experience, it's a tool to get things done - whether it's watching videos, email, news, blog-gossip, etc.

From that perspective, which I agree that it is ultimately the user's responsibility, I can also understand how a typical user would be disinclined to go to any extra lengths to learn.

I think the car comparison is not apt -- a

Re:

[evanbd]

idiots who want to use what they don't understand deserve to get 0wned.

Totally. All those drooling idiots driving cars without knowing how to rebuild an engine and transmission are just asking for it.

What about people that don't know they need to lock their doors when they leave the car, or change the oil on a regular basis?

Re:

[amicusNYCL]

What about people that don't know they need to lock their doors when they leave the car, or change the oil on a regular basis?

If they're like a normal person, they learn from their mistakes and they don't do the same thing again.

Re:

[evanbd]

What about people that don't know they need to lock their doors when they leave the car, or change the oil on a regular basis?

If they're like a normal person, they learn from their mistakes and they don't do the same thing again.

Oddly, computers seem to be exempt from that. The same people get viruses, trojans, malware, etc, and keep downloading crap and failing to install updates, and it keeps happening. Most drivers seem to learn to change the oil after destroying an engine, but somehow computer users are different. Clearly there's plenty wrong with the software in the first place, but there's also something very odd about users who experience these problems and then both continue using the same problematic software and failin

Re:

[Spad]

Because it doesn't usually cost them thousands to repair.

Re:

[mcgrew]

The difference between cars and computers is, if you ruin your engine by not changing the oil, your mechanic will tell you "look, you have to check your oil regularly and change it on schedule or you're going to ruin the new one I just put in."

If Mechanics were like the Geek Squad they'd tell you that having your engine blow up periodically is normal and expected. And taking a computer to Best Buy is what most people do.

Re:

[hesaigo999ca]

I agree to a certain extent with your comment, especially using a car as a main example to describe computer usage.... I wold never drive a car without having taken courses first, and even then, some people are such bad drivers, it is not because they own a car they pass the test to drive.
As well i would also try to force them to realise more the conduct on the road as a blueprint for
surfing the web...road signs need to know how to read them and use them to avoid traffic, or jams, or to know when to stop...

Re:

[Ollabelle]

Oh come on now.

What part of the story of the family in a decrepit Lexus with worn-out brakes doing acceleration overtime wasn't true? THAT's what got this Toyota-bashing story started. And even Toyoda himself admitted it - they got greedy and too big too fast.

Re:

[smash]

IE has its place in corporate networks. Like it or not, there is plenty of software that people use every day to GET THEIR JOB DONE that does not work in anything else. If patched and placed behind an appropriate filtering proxy/firewall IE security is manageable with security zones and group policy. Plenty of idiots run IE, and yes they get owned. Plenty of idiots run linux and get r00ted as well (I used to be one, before I knew shit from clay - i had a couple of boxes r00ted back in 1999).

A competen

Re:

[perryizgr8]

ie just needs to go. big companies are still holding fast to win xp. would you say that refusing to let go of a 10 year old software is justified? ie6 is also 10 year old i think.

Re:

[smash]

I rolled IE8 out at work without issue. We still need IE as there is shit written that uses ActiveX, etc and the migration cost is just too large. Having one admin spending 10-20 minutes a week approving critical updates and writing a competent group policy is far less costly.

Re:

[vegiVamp]

I agree that there is stuff that doesn't work in anything else, but it can be argued that the stuff needs fixing, then.

If my car were to work only on Belgian roads, I would be rather quick to either get it fixed or swap it for one that works on all roads.

Re:

[smash]

Thing is if you deploy something else you've just doubled your browser maintenance, as IE is out there whether you like it or not. At least IE can be updated via WSUS and controlled via GP - Firefox/Chrome/Opera/etc can't.

How is "MS releases emergency patch" news?

[Colin Smith]

This is normal. Expected. Everyday life for millions of Windows users.
 

Re:

[DAldredge]

Like other operating systems don't have patches?

Re:

[dudpixel]

what about emergency ones?

in my experience these are VERY rare, except on Windows.

Re:

[DAldredge]

Then your experience is so limited as to be nonexistent. Oracle, IBM, Sun(RIP) and nearly every other major software house on the planet has released some sort of emergency batch.

Re:

[techno-vampire]

I won't say that no Linux distro or program ever releases an emergency patch, but when they do, most users don't know it's an emergency. Why? Because unlike Microsoft, they don't try to stick to a once-a-month release schedule for patches, so they don't have to make a special announcement or tell the world that it's an emergency; they just release it along with whatever other patches, updates or upgrades happen to be available at the moment.

Re:

[dudpixel]

read it again. I didn't say emergency linux patches dont exist, I said they are rare. At least not as common as windows ones.

Re:

[DAldredge]

You didn't limit your original post to just Linux now did you?

Re:

[dudpixel]

Well I did say "in my experience" - but you weren't to know what that was...

Re:

[perryizgr8]

that's only because of ms' well-known agility, lol, others are just too slow/lazy.

Re:

[dudpixel]

apparently its not as "well-known" as you think.

Re:

[perryizgr8]

its called sarcasm.

Re:

[dudpixel]

I had a feeling it was - but you just cant be 100% sure these days.

Re:

[MacWiz]

Like other operating systems don't have patches?

Occasionally, but not every other Tuesday for the last 10 years or so, sapping the productivity of the entire corporate spectrum on a regular basis. And how many "emergency" patches has IE had already this year?

Re:

[DAldredge]

If only Microsoft made a product that allowed you to control what updates got sent to your systems.  They could call it something like Windows Server Update Services.

Oh! they do make such a thing http://en.wikipedia.org/wiki/Windows_Server_Update_Services

Re:

[MacWiz]

Oh! they do make such a thing

I wouldn't know about such things. I use a Mac.

Re:

[DAldredge]

Then why are you talking about things you don't know about as if you do?

Re:

[MacWiz]

You're making a leap there, pal. I didn't know about the patch management tool -- but I wasn't talking about it.

As for the rest, I read the news. It's amazing what one can learn. There's a story about Microsoft security patches pretty regularly. The "Security Fix" column at the Washington Post is an excellent source of information, although just about every tech publication will front-page an article about a new MS patch because it's always an "emergency." Anyone with reasonable intelligence can see that st

Re:

[perryizgr8]

most people wont even know. i hate windows. but i have to agree, the updating is pretty seamless, and invisible to the user. ubuntu needs to learn.

Re:

[vegiVamp]

You mean, like the "Install security updates without confirmation" option that's in my two-versions-behind Ubuntu ? Oh, right, you mean the "reboot for nearly every patch" kind of seamless, yeah, you're right, that's missing from Ubuntu.

Re:

[perryizgr8]

i don't know if i'm doing something wrong but on ubuntu 9.10, it pops up an ugly update list and waits for me to click update and enter my password. if there is a way to tell it to do so automatically please tell me, i'll be glad to hear it.

Re:

[vegiVamp]

The way you'd expect: right-click on the notification icon and click preferences.

Well, on my 8.10, that is - I assume it won't have changed much.

Re:

[perryizgr8]

it may be fast, but it sure SUCKS!

Cnet link not really informative

[Bearhouse]

Ms link here:

http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx [microsoft.com]

No real sweat for IE8 on Win7...

Better links here:

[Anonymous Coward]

Link 1 [mozilla.com]
Link 2 [opera.com]

Re:

[Lunix Nutcase]

Firefox 3.6.2 addresses critical vulnerability [cnet.com]

Opera vunerability that the company denies is a vunerability [softpedia.com]

You're better off running Chrome.

Re:Better links here:

[Ron Bennett]

Firefox is nice and is my default browser, but not much better than IE8 when it comes to security vulnerabilities.

For example, many feel Firefox is so much more secure than IE8 and yet why is that pop-unders (not the same as pop-ups, which FF does a good job blocking) from the likes of Netflix, even after years of complaints, still hasn't been addressed?

Surely, if unwanted pop-unders can slip through in Firefox, likely so can other unwanted things. Despite being an open-source program, I'm surprised there's still no built-in defense against pop-unders in Firefox. Yes, I know there's Adblock, but that comes with a bunch of overhead and, from what I've read, doesn't always block pop-unders either. End of rant.

Re:

[Paradigm_Complex]

Surely, if unwanted pop-unders can slip through in Firefox, likely so can other unwanted things.

That's a non sequitur. Consider: The Firefox developers do not view disabling pop-unders as anywhere near as important as ensuring the browser is secure. The fact that the developers did not put the time and effort into disabling pop-unders does not mean they aren't able to keep Firefox secure.

I'm not saying that Firefox is secure so much as that your reasoning is faulty. You could try to argue that the Firefox developers don't have care about end-user complaints, or something along those lines, with

Re:

[abigsmurf]

I just wish Firefox wouldn't go crazy when you get a popunder and switch to a random open window. This bug has been around for years and it's pretty irritating. Why hasn't it been addressed yet?

Re:

[Richard_at_work]

I wish that a modal dialog window in one tab wouldn't block the entire browser - cannot switch tabs, cannot do anything other than acknowledge and dismiss the dialog window, which kind of fucks everything up when the modal dialog is caused by infinitely looping code :(

Re:Better links here:

[Enderandrew]

If Chrome had a better ad-blocking solution, I'd agree with you. All the Chrome ad-blockers still render/run the ad in the background

I was reading AintItCoolNews with Chrome, and some ad in the background downloaded and opened a PDF without asking me, which Microsoft Security Essentials was quick to report had malicious code in it.

With Firefox and Adblock Plus, I never see ads. Where are most of these exploits going to originate from? Ads.

Re:

[Smooth and Shiny]

There is AdBlock for Chrome as well. Seems to work fine on this end.

Re:Better links here:

[aztracker1]

Re-read the GP.. the content still gets rendered, even if you don't see it... Which means any exploits still get through.

Re:

[Jugalator]

If you set up Chrome to use a script-based whitelist, you essentially have a poor man's NoScript. It's then also easy to to unblock certain sites you come across, by using the rightmost omnibar icon that will show for all pages that have js blocked. (a scroll of paper with a cross mark)

Re:

[smash]

squid+squidguard. done.

Re:

[Jugalator]

If Chrome had a better ad-blocking solution, I'd agree with you. All the Chrome ad-blockers still render/run the ad in the background

Since Chrome 4.1, I just use the browser blacklist for the annoying domains to prevent running Javascript and plugins (= Flash).

It instantly cleans at least two major newspapers here, as a whole lot of advertising is JS or Flash-based, or both. And makes them faster than I have ever seen too, as a bonus.

Browser black/whitelists with forced includes/exceptions for js/plugins/images is in all OS editions of Chrome since the latest betas for the respective operating systems.

I think I filed, or at least voted o

Opera troll fail

[clang_jangle]

Opera vunerability that the company denies is a vunerability

Following that link, I see:

the vulnerability was confirmed in Opera 9.10

That's pretty old. I'm using Opera 10.10 (on FreeBSD) here...

Re:

[Lunix Nutcase]

So by this logic one should just ignore any exploits in IE6 just cause most people are using IE7 or 8?

Re:

[perryizgr8]

chrome is great. i've been using it on ubuntu. but it gets sluggish after a day or two. firefox's performance is consistently slow, but it IS consistent. opera simply sucks. opera mobile on my e71, its the best browser on a smartphone. (i don't consider the iphone to be a smartphone cause it can't run >1 apps)

Re:

[FictionPimp]

How else can they keep you safe?

Re:

[Animaether]

why even bother with those... just point people to http://www.browserchoice.eu/ [browserchoice.eu] (and tell them to ignore the IE one, I suppose)

Re:

[moteyalpha]

Link 1 [mozilla.com] Link 2 [opera.com]

Why not just go all the way and get a real OS? [linux.org]
And ceiling cat sayed: "Let there b lulz", n there wuz.
Or even chrome [google.com]

Re:

[abigsmurf]

The same Mozilla firefox that took a month to patch a publicly known exploit recently?

If anything, Firefox is more vulnerable to exploits because of its lack of sandboxing features.

Re:Cnet link not really informative

[malloc]

To me "No real sweat" != "Windows 7 - Internet Explorer 8 - Remote Code Execution - Critical "

Re:Cnet link not really informative

[natehoy]

Actually, it is.

This release also addresses CVE-2010-086, which is no sweat for IE8 on Win7, as you say. But note the term "also addresses". That's an important term.

One or more of the other nine vulnerabilities the fix is being released for is labeled as critical, and can cause remote code execution.

Specifically, CVE-2010-0490 (Uninitialized Memory Vulnerability) and CVE-2010-0492 (HTML Object Memory Corruption Vulnerability) are both listed specifically as "Critical - Remote Code Execution" for Windows 7 (both 32 and 64-bit) for Internet Explorer 8. CVE-2010-0494 (HTML Element Cross-Domain Vulnerability) is listed as "Important - Information Disclosure".

Re:

[amicusNYCL]

No real sweat for IE8 on Win7...

How do you figure? IE8 on Windows 7 still has this classified as a critical update. It's moderate for IE8 on Server 2003 and Server 2008.

Re:Cnet link not really informative

[WrongSizeGlass]

Actually, IE 8 and Windows 7 are listed in that very link you posted.

Internet Explorer 8:
* Windows XP Service Pack 2 and Windows XP Service Pack 3
* Windows XP Professional x64 Edition Service Pack 2
* Windows Server 2003 Service Pack 2
* Windows Server 2003 x64 Edition Service Pack 2
* Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
* Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
* Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**
* Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**
* Windows 7 for 32-bit Systems
* Windows 7 for x64-based Systems
* Windows Server 2008 R2 for x64-based Systems**
* Windows Server 2008 R2 for Itanium-based Systems

Re:

[SilverEyes]

Well, ... Windows 7 for 128-bit Systems isn't listed, so there!

Re:

[randallman]

Yea. Except for the ones marked "Remote Code Execution" and "Critical". No sweat.

Re:

[Whatchamacallit]

IE8 on Win7 (32bit/64bit) is just as vulnerable, re-read that bulletin!

This emergency update includes the CanSecWest fixes where they 0wned a Win7 IE8 system in minutes! There were a hundred Microsoft employees at CanSecWest and they were left scratching their heads because they didn't understand the exploit right away. It was a sophisticated manipulation of realtime memory locations.

OS versus Browser

[sunderland56]

If this is an IE bug, why does it only affect some operating systems and not others?

If this is really an issue with the OS support used by IE, then wouldn't it affect Firefox etc?

Patch releases really need a "info for geeks" section.....

Re:

[blair1q]

the less they say about some things, the fewer people make with the gefingerpoken in the sploit vat

that doesn't help you with your security, it helps them with theirs

Re:

[ivonic]

The way IE integrates with the OS varies between releases. In XP and earlier, items such as Windows Update and Windows help are running on IE. Since Vista, these have been control panel applets instead, giving malicious code exectued in IE no power over it.

Users using another browser wouldn't be able to execute code that affects these components, but if some malicious code successfully attacks an IE user, it could potentially attack other parts of the system where IE is integrated (and to which IE has some

Re:

[bloodhawk]

because depending on your OS versions there are built in mitigations that are not directly related to the browser such as DEP/NX ASLR and in the case of the Server OS the browser is locked down tight by default. And yes some of those same protections that windows provides for ie are also available to firefox. The net effect of the various protection mechanisms means a vulnerability has differing consequences depending of the OS version and Architecture (x86/x64).

Re:

[mrsurb]

If only /. were populated by people using a minority operating system that had comprehensive package managers to take care of their updates.

My solution

[stonewallred]

I just don't use any browser. I refuse to use one that is not 110% secure. Plus it saves me tons of money by not having to pay for internet connection. When I really need to cruise the web, I just plug in the brainstem actualizer and use an avatar to swim through a virtual reality version of the net. And I fight off viruses and malware using a lightsaber. Ya'll really need to come to the real geek heaven.

Re:

[Alien1024]

Very practical, but beware the consequences [imdb.com].

Reboot???!!

[jon_cooper]

Why on earth do I have to reboot my system just to patch a web-browser????

Grrrrr!!!

And yes, that was a rhetorical question.

Re:

[imakemusic]

And yes, that was a rhetorical question.

Sure but is this?

Introducing: Polymorphic Patch Engine Technology

[symbolset]

We all know that one major problem with the Microsoft platform is that it's homogeneous. No matter how many times we hear the "ground up" reengineering story, we get these exploits that work vulnerabilities in a common code base. All of the platforms use the same code. All code has bugs, and one bug might grant entry, while two more might grant privilege escalation, and so once an exploit is found all the machines with that code base are pwned. The solution to this problem is deviously simple: do everyth