Microsoft Issues Workaround For IE 0-Day

Orome1 writes "Microsoft has issued a security advisory with advice on how to patch a Internet Explorer zero-day vulnerability recently spotted being exploited in the wild by attackers that might be the same ones that are behind the Nitro attacks. News that there is a previously unknown Internet Explorer vulnerability that is actively being misused in the wild by attackers that are believed to be the same ones that are behind the Nitro attacks has reverberated all over the Internet yesterday."

MS advice on how to patch a IE zero-day vulnerabil

[Anonymous Coward]

Click [firefox.com]

Re:

[Stan92057]

Ya think too small

http://www.ubuntu.com/download

Re:

[helix2301]

All but one supported edition of IE is affected: 2001s IE6, 2006s IE7, 2009s IE8 and last year’s IE9. Together, those browsers accounted for 53% of all browsers used worldwide. The only exception is IE10, the browser bundled with the new Windows 8, which does not contain the bug.

Re:incoherent summary

[vlm]

What does this even mean? Is it the same 0-day? Is it a different 0-day? Can we get some editing up in this bitch or what?

There's so many it doesn't really matter. They'll be another next month, and the month after that, and the month after that.... You can safely assume that at any given instant there exists at least one active zero-day infecting IE users.

Re:incoherent summary

[LordLimecat]

Last time I had looked into it, IE9 was more secure in several ways than Firefox. It also had comparable number of security holes.

Have things changed substantially in the last year?

Re:

[Anonymous Coward]

No, they have not changed and your analysis is correct. However, be prepared to be modded down and called a shill. Your sane post is like trying to tell religious zealots that they might have some facts wrong. The folks here are pretty well biased against IE even when it does do something right.

Re:

[Rytr23]

This is Slashdot, err, I mean DiceNewsAggregator, only Anti-Microsoft comments are permitted. Also to truly fit in, one must refer to Microsoft as M$- see the dollar sign is super clever and shows your OSS cred.

Re:

[Anonymous Coward]

No... Sadly that /. back when it was a cool place to live.

Nowadays everytime there's some pathetic headline making people happy to be using Linux / OS X / any other browser than IE you can expect a lot of six and seven digit /. ID numbers to pre-emptively whine about how pro-MS comments are going to be called out as shills.

Now, according to you, what exactly would a MS shill post here?

Something saying how remote admin holes by simply opening a website happen all the time for Un*x users out there?

Last I chec

Re:

[beep54]

Rather than Chrome, which has a nasty tendency to phone home, mention Chromium which one can now easily install (used to be kind of a bitch) for Windows. I find I need this because for some time now Firefox and flash have not played well together. It's sort of hit or miss. Sometimes flash works; sometimes it stutters or worse, freezes. Newish update; we'll see what that does, but it looks very incremental. And yes, I realize that Firefox has that problem with the address bar. But, basically I've never reall

Re:

[LifesABeach]

I think I'll take my chances using browsers native to Linux. Of all the things that alienates me from m-$ is their pompous grinning while showing off; it creates no life.

Re:

[LordLimecat]

Obviously my post was not referring to "on linux". But even there, my understanding is that, security-wise, Firefox is in second or third place (not really sure where Opera stands...).

Re:incoherent summary

[smooth wombat]

IE9 was more secure in several ways than Firefox. It also had comparable number of security holes.

Oh really? You might want to check what Secunia has to say on the matter.

For IE 9 [secunia.com]

For Firefox 15 [secunia.com]

The two aren't even close in terms of vulnerabilities. Too soon for Fx 15? Let's go with the 14 version:

Less than half the problems [secunia.com].

And one more for good measure; Firefox 13 [secunia.com]. Again, less than half the vulnerabilities of IE 9. Even the unpatched vulnerabilities for Firefox are less critical than the ones for IE 9.

So yes, things have changed substantially in one year. Either IE 9 has gotten worse or Firefox has gotten better. Take your pick.

Re:

[LordLimecat]

The problem is that IE9 doesnt do a rapid-release cycle like Firefox does, so all of its 9 point releases since 9.0 in May 2011 are considered the same product. That total of 60 vulns you see spans a year and a half. Firefox 14s spans about 8 weeks (July 17)-- which makes that "32" a LOT scarier. To boil it down, Firefox 14 had ~4 vulns per week since release, while IE9 has had less than 1 per week.

To do a more fair comparison you would need to total up the number of unique vulnerabilities for Firefox 5.

Re:

[LordLimecat]

You get numerous prompts before you can run an ActiveX control. By default, "activeX filtering" is turned on which basically prevents any controls from running till you allow it-- kind of like flashblock or Chrome's java controls.

And really, theres not much difference between an NPAPI plugin and an ActiveX control that Im aware of; when antivirus products use NPAPI for filtering and antivirus (WebRep), it tells me that theres not much a firefox plugin DOESNT have access to.

All of this really misses the for

Re:incoherent summary

[Chrisq]

What does this even mean? Is it the same 0-day? Is it a different 0-day? Can we get some editing up in this bitch or what?

With Microsoft you can make every day a 0 day!

Re:

[Joce640k]

Simply put, it means you have to deploy the Microsoft Enhanced Mitigation Experience Toolkit.

Re:

[LifesABeach]

I think enhancing what I've already experienced with Microsoft IE would be like using steal wool to cure hemorrhoids.

Re:doublepost?

[mwvdlee]

It may be that the same thing is mentioned twice in a very short summary of the story, but that the same thing is mentioned twice in a very short summary of the story does obfuscate the lack of content. That is why the same thing is mentioned twice in a very short summary of the story. Why else would it be that the same thing is mentioned twice in a very short summary of the story?

Re:

[ciderbrew]

It may be that the same thing is mentioned twice in a very short summary of the story, but that the same thing is mentioned twice in a very short summary of the story does obfuscate the lack of content. That is why the same thing is mentioned twice in a very short summary of the story. Why else would it be that the same thing is mentioned twice in a very short summary of the story?

Can I quote you on that?

Load Firefox?

[jfdavis668]

The work around is load firefox or chrome.

Re:Load Firefox? Can't replace everywhere.

[cant_get_a_good_nick]

I remember that when Microsoft bound IE to the OS back in Win95, IE is now everywhere. That Windows Explorer window? Now subject to IE attacks. That HTML pane in Outlook? Now subject to IE attacks. That help window in SomeGame 2.0? Now subject to IE attacks.

I'm not sure how true this is now, but a guess is that it's still much this way.

Re:Load Firefox? Can't replace everywhere.

[pointyhat]

You speak with authority but do not understand the principles and abstractions.

It's called COM. Windows is based on COM. It allows components to be reused, which is good design and good practice.

This is the same concept as WebKit being a shared library on Linux and gnome help, gnome file manager and Epiphany importing it.

I they discovered a WebKit hole: waah waah whinge whinge there is a hole in Gnome Help - save us all from the 0-day

That complaining never happens but if Microsoft fall to the same thing, they get slated. Hardly fair is it?

Re:

[RenderSeven]

It allows components to be reused, which is good design and good practice

It's only good design practice if the shared components dont royally suck.

Re:

[pointyhat]

To be honest they have shipped more boxes than anyone in history.

WebKit has had its fair share of exploits over the years. I first worked with it when it was known as KHTML and have followed it over the years.

I work for a corporation that has source access for IE (MS shared source) and it's a remarkably well put together product which equals WebKit.

Re:

[chrish]

Unless things have changed in the last ~2 years, Outlook rolls its own HTML/CSS/JavaScript engine to avoid IE issues like this.

Unfortunately, it opens Outlook up to their own HTML/CSS/JavaScript related bugs, and their implementation is half-assed like old versions of IE (that is, you can't expect HTML and CSS to work normally, even for features that Outlook implements).

Sorry, PTSD moment from having to "fix" HTML newsletters for Outlook once upon a time...

Re:

[gman003]

Hey! I use Opera, you ignorant twat!

Re:

[fast turtle]

Whahh Whahh! You've got Bugs!!

I use ESP to surf the web. Works so much better and there's lots of 0.025 cents out there to accumulate.

Re:

[wonkey_monkey]

+1 Smug.

Workaround is stupid

[Anonymous Coward]

Disable ActiveX and then demand it runs to "Prompt" in both Internet AND Intranet????? This is NOT a "work-around." A work-around would be how to allow our users to continue running without being prompted to run or not run things they don't understand and don't want to.

Or install an alternate browser.

Sheesh, is the Internet really worth this crap? Really?

Re:Workaround is stupid

[Robert Zenz]

Fun fact: Forbidding ActiveX and similar things in Internet Explorer yields interesting site effects, f.e. that Visual Studio can't display error messages or the Help anymore.

Re:

[GNious]

try disabling ActiveX on you WAN/ADSL/whatever router - has fun effects on all sorts of things in Windows 7

Re:

[shutdown -p now]

This shouldn't be the case from VS 2010 onward. The help system there has been reworked completely to be browser-based (rather than requiring its own client as MS Help 2.0 - the thing used in VS 2002-2008 - did), and should work in any browser, not just IE.

Re:

[Anonymous Coward]

Or install an alternate browser with No-Script.

FTFY.

Re:

[Anonymous Coward]

The equivalent in Chrome/FF is to disable Java, which makes ActiveX looks secure.

Re:

[Anonymous Coward]

Running actual native executables from remote sources is more secure then Java?

Re:

[Bryansix]

Sadly, yes.

Tired of the IE hate...

[Anonymous Coward]

Seriously, I don't use IE at home but until Chrome, Firefox, or Opera have tight integration and customization that can be centralled managed (GPO) IE will be the defacto standard browser for a lot of businesses. As an IT Manager I have tried repeatedly to move to a different browser and the tools to manage them just aren't there.

"Hahaha those losers use IE, they suck they should just switch to chrome" are not helpful comments and show just how little you know about the many current business environments. Your beloved Chrome and Firefox, by their actions, don't want to be the default browsers in business. They just don't. That leaves us with IE which, despite these 0 days and standards issues, is superios in every way in a Windows comprate environment. Until that changes IE will be what many businesses use because browser management is just so easy it's automagic.

And those Linux folks, switching to Linux isn't helpful either until some sort of same tier GPO management alternative that has simple interpoability is available. We could actually drop Windows and go full linux if I could gain the control I get from a Windows environment.

Disclaimer: I use Firefox, Opera, Ubuntu, and Mint at home.

Re:Tired of the IE hate...

[NatasRevol]

The question is why you need to manage a browser so much.

Re:

[Anonymous Coward]

The question is why you need to manage a browser so much.

Define browser behavior for specific vendor (state, federal governments) websites and zones
Homepage
What is allowed to be installed
Favorites
Preferences for appearance
Internet and Proxy settings

the list goes on and on.

Re:

[LordLimecat]

Chrome, with its adm templates. See above. Its actually really manageable-- unlike firefox, they put some time into the business side of things.

Re:

[Billly Gates]

I like having intranet and internet zones.

Java sucks goatballs. Old java especially but it used heavily in intranet apps and with IE I can use that POS java with 30 exploits only on the intranet so they wont get 0wned on the internet. That is one thing IE has that the others do not.

Re:

[LordLimecat]

False. Google requires you to whitelist sites that want to use Java, and also has click-to-play for java on top of that. Both (IIRC) can be managed by the above mentioned ADM templates, as can which plugins are allowed, what extensions are mandatory, etc.

What alternative do you propose?

[dgharmon]

It's not the browser but the underlying Operating System that is at fault.

distrowatch [distrowatch.com]

you are doing it wrong

[Anonymous Coward]

You are doing it wrong. You are creating a tightly integrated application with IE/browser. Bad idea from the start. Then you are locked in forever till someone funds another tight integration. Your benefiting from IE infrastructure, but the world is messed up b/c you are stuck in 1990s.
So pls stop doing it or stop calling whatever you created a browser and make sure you exclude them from external network usage so we do not have to fell the pain caused by you decisions.
BY THE WAY. If you have to control your

Re:

[sys_mast]

I'll feed the AC....

What is everyone addiction to setting the homepage? I can see defaulting to a company intraweb or some portal. But WTF if someone feels they are more productive with some random web app or other data source or even google as their home page why lock them out of it?

I guess some sort of Kiosk, but there are better special built kiosk apps that work better than IE. (though they may use IE to render)

Maybe I'm missing the point.

Re:

[gl4ss]

I'll feed the AC....

What is everyone addiction to setting the homepage? I can see defaulting to a company intraweb or some portal. But WTF if someone feels they are more productive with some random web app or other data source or even google as their home page why lock them out of it?

I guess some sort of Kiosk, but there are better special built kiosk apps that work better than IE. (though they may use IE to render)

Maybe I'm missing the point.

well, the reason to use ms's enterprise deployment of ie settings is that then you can make the browsing experience secure.

oh wait..

Re:

[beep54]

"What is everyone addiction to setting the homepage?" Guessing you meant 'why' there. Pretty much the first thing I want to go to when the browser comes up is email, so it is handy for it to be there. But if I am feeling more paranoid, I just set it to blank page.

Re:

[pouar]

Define browser behavior for specific vendor (state, federal governments) websites and zones
Homepage
What is allowed to be installed
Favorites
Preferences for appearance
Internet and Proxy settings

I can do that with firefox already

Re:

[Billly Gates]

The question is why you need to manage a browser so much.

Quick real-world answer. Java! Not modern java, but the insecure 30+ security hole java 1.4.1, not java 1.4.0, or 1.4.2, but 1.4.1. Kronos requires it and therefore leaves these HR payroll specialists wide open with a bulls eye target. Solution? Create a special GPO just for the HR payroll group with java 1.4.1 only accessible for the intranet kronos site.

Scenario 2, in the same orgamization java is required for Bank of Montreal for some line of credit apps. Java 7 which is more secure wont work. However, i

Re:

[NatasRevol]

So, the simple answer is security. Fine point, but then if you didn't run on Windows...

Re:

[Anonymous Coward]

Google has an enterprise deployable msi installer of chrome, along with a gpo addin to manage chrome. Your statement is false.

Re:Tired of the IE hate...

[LordLimecat]

Chrome can be deployed by MSI [google.com] and managed by GPO. They have the ADM [google.com] templates right on their site.

Re:

[pointyhat]

It still can't be patched via WSUS though which means uncontrolled updates.

Re:

[Anonymous Coward]

*Uncontrolled updates that also saturate your business's expensive WAN link instead of coming from a local server.

Re:

[pointyhat]

Spot on :)

Re:

[NetCow]

Sure it can:

• Microsoft's solution: System Center Configuration Manager [microsoft.com]
• Free + OSS solution: Local Update Publisher [sourceforge.net] (uses the same official, documented APIs as SCCM)

The enterprise MSIs are patched in sync with the other updates. Managing Chrome via LUP + the Chrome ADMs is a breeze, since if an "uncontrolled" (LocalAppData) Chrome instance starts and there's a MSI on the machine, the uncontrolled instance will respect the GPO settings.

Link to actual security advisory

[Anonymous Coward]

http://technet.microsoft.com/en-us/security/advisory/2757760 [microsoft.com]

Linking from "Microsoft issued an advisory" to submitter's site is kinda lowbrow.

Stupid Summary Is Stupid

[acoustix]

Workaround != patch.

The soluton is don't use Windows ...

[dgharmon]

It never ceases to amuse me, the glazed look on peoples faces when they ask me how I deal with Windows viruses and I explain I don't use Windows ..

Distrowatch [distrowatch.com]

Re:The soluton is don't use Windows ...

[pointyhat]

I haven't had a Windows virus since I started using it 24 years ago and I've used IE all that time.

Then again, I don't go surfing pr0n, cracks, warez, torrents, rapidshare, mp3 sites etc.

Intimacy with the wrong people is only going to end in an STD regardless of which prophylactic device you or they wear.

Re:

[Anonymous Coward]

There's still the threat of compromised 3rd party ad servers spewing malware from otherwise credible sites. Safe browsing habits won't save you from that. Even if you know what you are doing there's always a chance that you can get hit.

Re:

[StuartHankins]

Anecdotal evidence is anecdotal. You can get infected using Windows simply by visiting Google, seeing ads on mainstream sites etc. It's happened to us during setting up new installs. It's not too hard to do. We no longer search for drivers until the AV is installed; previously drivers came first.

Re:

[RaceProUK]

Internet Explorer users don't check for updates let alone understand what zero-day means.

Oh, right. Fail IT departments who have kludged apps that require IE because the management was incompetent.

FTFY

Re:

[Bryansix]

Which is interesting because they DO want Intranet and Internet zones to be set to high. This is absurd.

Some other workarounds

[ultrasawblade]

Firefox Issues Workaround for IE 0-Day
http://getfirefox.com/ [getfirefox.com]

Chrome Issues Workaround for IE 0-Day
https://www.google.com/intl/en/chrome/browser/ [google.com]

Beh

[Hognoxious]

Submitter is a idiot.

Re:

[fatphil]

There's nothing stupid about trying to increase the number of page impressions on a site which carries ads.

A dick, perhaps, but not necessarily stupid.

EMET not effective

[manu0601]

MS suggests to use EMET (a tool that enfonrces ASLR and DEP), but Brian Krebs reports that this does not really plug the hole [krebsonsecurity.com]