Microsoft Patches Remote Code Execution Hole for Internet Explorer

mask.of.sanity writes: Microsoft has released an out-of-band patch for Internet Explorer versions seven to 11 that closes a dangerous remote code execution flaw allowing attackers to commandeer machines. From their advisory: "An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability." The attack could assist in watering hole and malvertising campaigns. The Windows 10 Edge browser is not impacted.
  • Yeah Well (Score:2, Troll)

    by Greyfox ( 87712 )
    Fortunately they'll be rid of it soon! Everyone will move to Windows 10 and their shiny new Edge browser, which I'm sure was created as a completely bug-free code-base with a fuck-ton of unit tests to prevent regressions!

    Ow. I think I hurt myself trying to make it through that post with a straight face.

  • Like the first program I remove is IE.
    • Re:Who uses IE? (Score:5, Informative)

      by Dutch Gun ( 899105 ) on Tuesday August 18, 2015 @11:57PM (#50344379)

      It's what everyone uses for downloading Firefox or Chrome on a new Windows machine.

      • It's what everyone uses for downloading Firefox or Chrome on a new Windows machine.

        Not everyone. I use a USB stick on which stands the latest Ubuntu release to add a Linux OS on the machine. This is yet another way to install Firefox, but at least it doesn't depend upon IE.

    • Look around you. If there are 8 people in the room then one of them is using IE. If your room is full of statistically representative samples of the internet.

      I congratulate you for not using IE. That doesn't mean there aren't literally millions of IE users out there.

    • by antdude ( 79039 )

      Computer newbies, businesses, etc. :(

  • by Anonymous Coward

    ...all that is unholy.

    "If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system."

    When is MicroSoft going to get off their butts and fix their operating systems so that the first user is not defaulted to administrator rights or at least have the first user forced to make a 'normal' user account for normal usage? Even 'ancient' Linuxs only add the first user to sudoers so that they have to ex

    • Re: (Score:3, Insightful)

      by benjymouse ( 756774 )

      When is MicroSoft going to get off their butts and fix their operating systems so that the first user is not defaulted to administrator rights or at least have the first user forced to make a 'normal' user account for normal usage? Even 'ancient' Linuxs only add the first user to sudoers so that they have to explicitly invoke rootly powers.

      Unlike Linux, Windows uses proper security tokens. Each process has its own token governing what it can do to which resources. On Linux the "token" is - rather naively - a user id.

      When you log on to Windows - since Vista - with an account with administrative rights, the token that is created for the shell process is 1) stripped of all administrative rights and 2) given an integrity level of "normal". Integrity levels are also part of the token.

      What it means is that *even when you log on as an administrato

      • @benjymouse: "When you invoke a program that has a manifest which states that it requires some form of administrative rights, Windows will prompt you for "elevated" privileges. Only when you accept to use your administrative privileges will the process be started with a token with higher than standard user rights. It really is a much more elegant solution than the stupid effective user in Linux."

        $su -c command ..
      • by gl4ss ( 559668 )

        funny thing is that malware never seems to have any trouble elevating the rights without asking the user, while for legitimate software the user gets bombarded with prompts.

        it's useless.

        just like on osx as well the separation is useless. malware finds a way around.

      • Or it fails with the message "Something happened". Whoever thought that was an appropriate message should be beaten with a rubber hose.

        • by tlhIngan ( 30335 )

          Whoever thought that was an appropriate message should be beaten with a rubber hose.

          Well, technically it's an unexpected error. Which happened because your locale was not set to "en-us" - everyone who saw it generally was outside the US - Australia (en-au), Canada (en-ca), etc. For whatever reason, the tool accesses something by the locale rather than language, so when it tried to find an en-ca or en-au or en-uk image, it fails. Given it's something that shouldn't ever fail, well...

      • by cbhacking ( 979169 ) <been_out_cruisin ... m ['hoo' in gap]> on Wednesday August 19, 2015 @04:02AM (#50345059) Homepage Journal

        It actually goes a bit beyond this: even since Vista, IE has (by default) run with a *restricted* token that has even fewer privileges than the normal user. It is Low integrity level, meaning it can't interact with Medium integrity processes or write to most of the file system, registry, or other secured resources.

        Unfortunately, as Microsoft is wont to do, they fucked up the sandbox. The default configuration of IE only uses Protected Mode (Low IL) for the Internet and Restricted security zones. Notably, this excludes pages hosted on the local machine. Now, if you've got a code execution bug in IE, you can use that to run a webserver (on localhost). That webserver can host the exploit itself. Then you direct your hijacked, sandboxed IE to the localhost page, watch as the tab's process gets re-launched with normal privileges, and then you compromise that new process. You can protect yourself from this by going to Internet Options -> Security -> Local Intranet -> Enable Protected Mode.

        Similarly, the default "Don't notify me when I make changes to Windows settings" feature of UAC in Win7 (and above) is breakable; it's possible to get from medium IL to High IL (Administrator) if you have it enabled and are logged in as a member of the Administrators group. The fix is simple - just set it back to always prompting even for Windows settings (or do what I do, and have it actually ask for your password Sudo-style, though you need to use the Local Security Policy editor, secpol.msc, for that), or run as a non-member of Administrators - but most people never do any of these things.

        Microsoft is aware of both issues, and has issued no fixes for them. The POC program to silently elevate an arbitrary binary from Medium IL is blocked by Windows Defender (and probably other antivirus programs) but it would be easy enough to disguise it in such a way that the AV programs miss it.
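
The two settings the comment above recommends changing can be checked read-only from PowerShell. This is an added example, not part of the original comment or of any Microsoft tooling; it assumes the per-user zone keys under HKCU (zone action `2500` is Protected Mode, 0 = on, 3 = off) and the UAC policy value `ConsentPromptBehaviorAdmin`, and Group Policy may override the per-user zone values.

```powershell
# Added example: read-only audit of IE Protected Mode per zone and the UAC prompt level.
$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';      4 = 'Restricted Sites' }
$zoneRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$uacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-ProtectedModeReport {
    foreach ($id in 0..4) {
        $raw = Get-RegValue -Path "$zoneRoot\$id" -Name '2500'
        $state = if ($null -eq $raw) { 'not set (zone default applies)' }
                 elseif ($raw -eq 0) { 'enabled' }
                 elseif ($raw -eq 3) { 'DISABLED' }
                 else                { "unknown ($raw)" }
        [pscustomobject]@{ Zone = $zoneNames[$id]; ProtectedMode = $state }
    }
}

function Get-UacPromptReport {
    $meanings = @{
        0 = 'elevate without prompting'
        1 = 'prompt for credentials on the secure desktop'
        2 = 'prompt for consent on the secure desktop'
        3 = 'prompt for credentials'
        4 = 'prompt for consent'
        5 = 'prompt for consent for non-Windows binaries only'
    }
    $admin = Get-RegValue -Path $uacKey -Name 'ConsentPromptBehaviorAdmin'
    $text  = if ($null -eq $admin) { 'not set' }
             elseif ($meanings.ContainsKey([int]$admin)) { $meanings[[int]$admin] }
             else { "unknown ($admin)" }
    [pscustomobject]@{
        EnableLUA             = Get-RegValue -Path $uacKey -Name 'EnableLUA'
        PromptOnSecureDesktop = Get-RegValue -Path $uacKey -Name 'PromptOnSecureDesktop'
        AdminPromptBehavior   = $text
        # Values 1-4 prompt on every elevation, including changes to Windows settings.
        AlwaysPrompts         = ($admin -in 1, 2, 3, 4)
    }
}

Get-ProtectedModeReport | Format-Table -AutoSize
Get-UacPromptReport     | Format-List
```

A zone reported as "DISABLED" or "not set" for Local Intranet, and `AlwaysPrompts` of False, correspond to the default configuration the comment describes.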

      • by Kjella ( 173770 )

        When you invoke a program that has a manifest which states that it requires some form of administrative rights, Windows will prompt you for "elevated" privileges. Only when you accept to use your administrative privileges will the process be started with a token with higher than standard user rights. It really is a much more elegant solution than the stupid effective user in Linux, where the description of a process rights is strongly tied to a user: There must exist a user with the specific sets of rights you want the process to have.

        It's possible they have more fine grained control behind the scenes but since the UAC prompt doesn't tell me anything I have to assume that any time I click yes that process can do anything, much like "sudo" on the Linux side. It might be ready for role-based security like on cell phones where they list the particular privileges the application wants, but I don't see it in practice.
