New IE Zero Day 305
RebootKid writes "Microsoft has released a notice about
a new zero day attack against Internet Explorer. Guess it's going to be more a 'Script Kiddie Christmas,' less of a 'White Christmas.' 'Ok, fess up — who asked for an IE 0 day for Christmas? I'm guessing Santa got his lumps of coal mixed up with a bag of exploits. This exploit has been discussed over the last day or so on full disclosure and a number of other sites. Metasploit already has a module available for it (just search for CSS & IE). Microsoft has put out an advisory 2488013 regarding the issue which manifests itself when a specially crafted web page is used and could result in remote code execution on the client.'"
Misleading report (Score:1, Informative)
Microsoft is not being entirely straightforward in their report. This is not an IE bug. It is a .Net bug in mscorie.dll. Mscorie.dll is not required by IE. (IE works just fine, so to speak, without .Net.)
Re:Merry Xmas (Score:0, Informative)
And you're still a troll. And if you think that simply running Linux automagically protects you from any threat of malware, you're also an idiot.
net zero; +1 MS -1 for MS (Score:5, Informative)
Well the (+1 score) is that they have called for using the “The Enhanced Mitigation Experience Toolkit” (EMET) tool to mitigate the problem. The bigger question is why is EMET not a part of the OS proper? If the EMET tool is capable of solving this problem then why the &83$$@# didn't they force an install of EMET to solve all the Adobe issues? Why are they NOT stepping forward to fix all the third party application security issues?
What security features can you add with EMET?
Dynamic Data Execution Prevention (DEP)
Structure Exception Handler Overwrite Protection (SEHOP)
Heap Spray Allocation
Null Page Allocation
Export Address Table Access Filtering
Mandatory Address Space Layout Randomization (ASLR)
Now I have several questions, like why is this not part of the OS? Why is it not a default where these can be turned off on a case by case basis? Have untrusted browser plugins? And why isn't Flash/acrobat/shockwave forced to run under it? Admittedly Acrobat-X (sandboxed version of Acrobat) is a step in the right direction, but wouldn't it be better to have all applications turned on by default?
The Enhanced Mitigation Experience Toolkit 2.0 is Now Available
http://tinyurl.com/28znulg [tinyurl.com]
Re:Terrible, terrible and juvenile summary. (Score:3, Informative)
I don't see anything wrong with the summary. It inserted some comic relief & levity, but still got the message across. Just as that comedian does on Comedy Central's daily news show.
Re:net zero; +1 MS -1 for MS (Score:5, Informative)
DEP and ASLR both cause problems with lots of poorly written software, which is why they're only enabled for executables that specifically flag themselves as working with DEP/ALSR.
Re:Okay, here's a question ... (Score:5, Informative)
Microsoft has released a notice about a new zero day attack against Internet Explorer.
And this is noteworthy why? How many Slashdotters use Internet Explorer for anything other than the occasional WindowsUpdate in XP? This may be News for Nerds, but it hardly matters. Everyone here knows very well that Internet Explorer is too dangerous for general Web use. That Microsoft is suffering yet another security failure doesn't really elicit much interest from me, I must say.
Weeellllll, that's the stereotype, sure, but the on-the-ground reality paints a different picture.
Surely you've noticed that Firefox 3.6 is up to its 13th point release since January,and #14 is just around the corner. The first Secunia security advisory for this browser was issued within weeks of its initial release, and there now have been 11 in total, covering 85 separate vulnerabilities in Firefox 3.6. Look at SA42517 for an example, which was published two weeks ago. In that one advistory alone, 13 different security bugs are addressed, covering a wide variety of attack vectors like large Javascript arrays and large parameters to document.write(). And when you look at the fixes made in source control to patch these bugs, you sometimes scratch your head and wonder, how the fuck did they miss that when coding it?
But the problem with Firefox is worse than that. On Windows and Mac OS X, users are prompted over and over again to install these point updates. It requires elevation to Administrator privileges, and it requires restarting the browser. I see people routinely ignoring these updates because it'd interrupt what they're doing..... and the web server logs I have access to are a mishmash of Firefox browser versions.
This is a browser with 25% of the worldwide marketshare -- more than any version of Internet Explorer save for version 8.
So.... how about Google Chrome, you say? Their patching setup is far superior (that's why I use it), but it's not like the browser is any better-written. Just this month there have already been eighteen disclosed security vulnerabilities. And that's only slightly worse than average for a month in Chrome land. There are actually a number of Google Chrome bugs which are marked as only affecting the Linux version, too. Look at CVE-2010-4041 for an example of what I mean.
What I'm trying to say here is this -- Internet Explorer's security profile isn't significantly different than the other major vendors. They all have poorly-coded browsers that focused on packing the features in, without taking due consideration to the safety of the code they're writing. If you want to single out Microsoft for criticism, let's talk about the fact that they take so long to get these fixes out, and that reboots are often required to get the patches in place. That's where Firefox and especially Chrome are ahead.