New IE Holes Discovered

joelt49 writes "Yahoo! News is reporting that 7 new security holes for Internet Explorer have been discovered by a Chinese researcher; however, there apparantly aren't any attacks on IE yet." The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list. Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.

Incident response times

[Tet]

The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

Yep, not ideal. But it'll be interesting to see whether MS's claims of having a faster response time to security incidents that the Linux community stands up. Will they have a patch available withing the next day or so? You can guarantee that the Mozilla or Konqueror communities would have in the same circumstances...

Re:Incident response times

[Troed]

Neither does Microsoft, as shown several times when their updates causes 3rd software to break - even in areas the patch wasn't supposed to touch.

Feel free to Google.

Re:Incident response times

[Chexsum]

Itd be really strange if Mozilla broke my Window Manager or something. What exactly would they need to test it with?

I can understand Internet Explorer needing to be tested against the rest of Windows and its APIs but Mozilla is a stand-alone web browser - as long as the API isnt affected it ['full regression testing'] shouldnt matter too much IMO.

Re:Incident response times

[Avihson]

Microsoft has been using the paying community as QA since at least MS-DOS 4.0 Have you been living in a cave all these years?

The whole premise behind FSF is that it is FREE, the user accepts some responsibility in the transaction, in this case by reporting bugs and helping to test beta versions before the code is released live. You seem to be saying that Microsoft has never released code that was not finished, 100% Quality Assured, no Security holes.....

If you believe so strongly in your statements, why do you post AC?
So I say Mod the Grandparent DOWN, MS whiners be damned!

Re:Incident response times

[Error27]

Please list one problem someone has had because of a Mozilla security fix.

Re:Incident response times

[arkanes]

Doesn't matter - MS claims a 24 hour response time. Lets see it happen.

Re:Incident response times

[Begemot]

... as shown several times when their updates causes 3rd software to break ...

It's even worse when done by design. Once a scoundrel - always a scoundrel.

it wouldn't change anything

[__aaitqo8496]

I don't blame this guy for not going to Microsoft first. Given thier track record, more than likely, they would have ignored him until someone publicly announced the problems.

P.S. Is it news anymore that IE has holes?

Re:it wouldn't change anything

[muffen]

Given thier track record, more than likely, they would have ignored him until someone publicly announced the problems.

You may be right, but it still doesn't change anything. I think this guy should have told Microsoft first, waited, if they don't respond within 48 hours, report it.
If you get a standard stupid automated copy/paste reply, report the holes.... but you SHOULD give the company some notice. As stated in the article, not giving the company any info just makes it bad for anyone having to use IE.

Is it news anymore that IE has holes?

Nope. Seriously, who here gives a crap about IE holes? Everyone here probably knows that using IE is about as secure as getting water in a fishingnet.

Re:it wouldn't change anything

[AtomicBomb]

It is pretty pathetic to deal with some big software company like Microsoft when reporting bugs... There is no simple way. A friend of mine did some scripting and discovered an obscured w2k bug (no big deal just causing yet another blue screen) by pure chance. He did some detective work and nailed down to the exact condition that triggers the problem. Since we are not doing security or serious low level programming, we don't have links with any relevant person in MS. When contacting the local MS office (we are in a small country, btw), the guy on the other end of the phone had no clue and put us thru technical support. Read: demanding $$$.

At the end, we did not bother. After a few more months, it was made public (not by my friend though). Nowadays, reporting MS bug becomes a dangerous maneouver... If MS is really serious about security and good quality software, they would put a contact on the front page and offer reward for anyone who spots a new major bug. Before then, I don't see why we need to be nice to MS.... They say they are capitalist. We should respect their value and don't do any free work for them...

Re:it wouldn't change anything

[binner1]

I agree with you in theory, but if you look at it from the perspective of "how do you get the average user interested in alternatives?" angle, this might be the way to go.

Consider that people use IE because "it's there," and not generally for any other reason. These people are going to continue to do so until the consequences are too high. Really, the same should apply to corporations too. The more often they get bent over, and the rougher those encounters are, the more the point gets "driven" home...I've been on a campaign lately trying to get people to switch from IE. I've been pushing Netscape 7.x instead of Mozilla though, as I find explaining the difference is tedious to say the least. I'd prefer if they used the AOL-brand free version, but Netscape is better than nothing.

Really, this should go for all MS products with shoddy track records. Any time you have to explain why "the computer was infected with another virus, even though you had AntiVirus software," be very _blunt_ about the reasons. Internet Explorer was designed to kill Netscape, not be secure..."Yes, you're virus signatures were up-to-date (not likely), and you still got a virus." That's because MS knew about the problem 3 months ago but it wasn't made public so they didn't fix it. It's not Norton/McAfee's fault. This virus didn't exist until yesterday...

Now, I'm not saying I think every use should immediately switch to Linux, but I do recommend Mac OS X quite often. I know that nothing is perfect, but it's time people started using _anything_ other than Windows and IE. Don't hide the flaws of the other systems. Yes, Mac OS X did have a problem recently. Nothing is perfect. Most things just happen to be more perfect than Windows and IE.

-Ben

Re:it wouldn't change anything

[ExtraT]

I used to work in Microsoft technical support. From my experience, MS does everything to avoid receiving bug reports from end users, their system is designed in such a way that bug reports are automatically dropped, unless the originate from a pro support client (which pays millions of dollars for support). What this guy did is not only right, but also it is the only moral thing to do. Companies like MS should pay for their bad business practices.

It's hardly bad...

[shfted!]

Sure, a lot of people don't like Microsoft, but that's no reason to make it worse for the millions of people who are forced to use Microsoft products, especially for security holes which have yet to be exploited.

If OSS people can fix the bugs in less than half a day, it should be a piece of cake for a giant software company with lots of programmers to do the same. Sure, a days warning would have been nice, but if there isn't a fix by tonight, it only shows badly on Microsoft.

New Rival to Internet Explorer...

[xirtam_work]

Microsoft are about to announce a replacement for Internet Explorer called 'MS String Vest'.

A spokesman was quoted as saying, "It's the only way we can release a product with more holes than IE".

It is unconfirmed if StringVest will be integrated into Windows XP SP2 or if we will have to wait until LongHorn is released.

I've been trying my best to switch people away

[The+Analog+Kid]

...from IE. I tell people about the built-in pop-up blocker, and the adaptive spam filter in Mozilla. I also tell people about the nice long list of IE vulnerablities like the ones in this article, I've gotten quite a few to switch away from IE, to either Mozilla, Mozilla Firebird, or Opera. It's all about using the big words when you persuade them to switch.

blablabla

The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

Believe me, in these days that is the only way to report bugs AND making sure they'll get fixed.

Dream world scenario:

1) Report bug to company
2) Company will announce the bug to the public
3) Company will fix the bug as soon as possible

Real World scenario 1:

1) Report bug to company
2) They don't report it to the public and they don't fix it
3) You report it to the public
4) Company sues you for IP violation or any other shit they can pull out of their asses

Real World scenario 2:

1) Report it to the public (anonymously).
2) Company will fix it

Immediate full disclosure is best security practic

Seriously - AS SOON AS THERE IS A VULNERABILITY, I, as a sysadmin, want to know about it. I don't give a flying fuck about Microsoft's reputation, or whether "vendors need time to patch the hole" - while there is a known hole, I DON'T WANT MY FUCKING SYSTEM ONLINE. If a nice guy can discover it, the bad guys probably already have.

The "give us time to fix the hole/do a P.R. coverup" fiasco is WHY I DON'T USE MICROSOFT SOFTWARE ANYMORE.

Topic was briefly discussed at NTBugTraq

[Lieutenant_Dan]

Russ Cooper made some good points.

I think MS has the responsibility to address their customers concerns immediatelly (naive, I know), especially IE's overly close integration with the OS which causes most of these exploits.

Forced?

[Call+Me+Black+Cloud]

the millions of people who are forced to use Microsoft products

I'm not forced to use Windows - I use it by choice. So does everyone else I know who uses Windows. As you may know, there is a viable alternative to Windows: OS X.

Oh wait, actually at my last job I was forced to use Windows. When the company purchased a new computer for me (I'm a software developer) I requested an Apple but was turned down. They didn't want to spend the money and didn't want to deal with integration on the network. I doubt the number of people being "forced" to use Windows numbers in the millions though. Besides, there was a benefit to the Windows box that the company certainly never intended - a wider variety of LAN games to play head-to-head against my office mate.

Re:Forced?

[MKalus]

I bet you most people in Big Corporations are forced to use windows (not that they know any different).

I know I am forced to use windows at work, even though either a Mac or any Unix Desktop would do.

I ditch IE whenever I can, but for example our HR Website and anything else RELIES on Windows, no way around it.

mom's not sucked into ie anymore

i installed fedora core 1 on her machine on thanksgiving... everything's been great, and her p4 1.8ghz is actually behaving like a machine with that sort of speed, not the slow as poo windows she had before... she was nervous at first, but all her banking/mail stuff works just fine under mozilla.

maybe it's stuff like this that we need, and more people should get their families exposed to it...

momentum, people, momentum.

Public mailing list?

[Amiga+Lover]

The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

Thats because Microsoft's past record is to ignore people who have contacted them privately regarding security issues, or take legal action against them.

If you really wanted something fixed by MS, and the last 15 times you'd contacted them they'd ignored you, but you've seen someone else release information into the wild and get MS's attention re: a fix within hours... WWYD?

Having tried a few of these

[mindstrm]

On Windows XP.. stock up to date installation... these remote EXE exploits he posted don't seem to do anything.

Sometimes it's all about timing

[harmonics]

While my firm is a strong supporter of full disclosure, this is rather over the top.

What makes it worse is the timing, over a holiday weekend (States side), where most systems staff will be unable to apply patches or mitigate risks.

Now this is an Internet Explorer exploit, hence, few people using IE at work over the weekend. It still provides 48 hours for a few unsavory individuals to develop exploits for Monday morning.

We need to exercise better judgement when dealing with vendors and security issues, this isn't the first time things like this have happened, and won't be the last.

Perhaps we should consider spending more effort creating a Security Researchers Organization as has been discussed on BugTraq .

Until we have a strong unified organization I believe we will continue to see unresponsive vendors and poorly timed vulnerability releases.

actually, this is old

[the_mighty_$]

hey folks, this was posted to bugtraq some two months ago.

What I don't understand...

[fermion]

The part about this story that gets to me is that the researcher didn't alert Microsoft before posting to a public mailing list.

What irks me is that MS did not discover these themselves. After all, the closed source, security by obscurity, we can do it all ourselves model of software development is so superior, that we can only draw one of two conclusions. Either their superior technicians found the problems already, but the management decided not to put in the resources to fix it, or their superior technicians did not find the bug, in which case they need to not only fix the problem, but understand why their process so routinely fails.

This is not an issue of hating MS, any more than the other recent alert was an issue of hating Apple. It is an issue of knowing there is a problem out there, but having no power in the official process to correct the problem. The only power the might be had is that of public relations. This is very different from OSS, in which one can potentially affect the development process and at least see that something is being done.

This whole issue of course assumes that dozens of other people have not already found the bug and are exploiting it on small scales not easily detectible by the common methods. And of course does not take into account the ability for people to switch browsers. Just imagine how many lives would have been saved if people had been fully aware of the incompetent design of the Explorer and bought other cars instead.

I can imagine not giving info to MS

[Yaa+101]

These big companies have their mouth full of punishing people that tell they found holes in applications.
Also I find that MS is so bold and arrogant to ask money for everything and tells others to stop doing things for nothing...
Let them pay for the info on security problems...
No payment, no bug reports, period.
They can take care of themselfs? ok let them solve their own problems...

No Exploit, eh?

[GaelenBurns]

What I'm wondering is why the poster of this story didn't do a tad more research before posting. As of yesterday, an exploit for these security holes has been available.

Exploit code, anyone? A simple google search or a Bugtraq archive browse should do it.

Re:No Exploit, eh?

[djdavetrouble]

Truly. Also, if there is exploit code, someone is using it, just maybe not as part of a trojan or virus yet. Patch or no patch, you can bet that there will be an exploit being used in the wild within a matter of hours or a day at the maximum. The latest trojan/worm/virii are programs that deliver huge amounts of machines to spammers and hackers to become part of their DOS botnets or spamnets, with built in backdoors, etc. Were you on irc the day that the mirc xdcc flaw was discovered? I received no less than 30 malformed xdcc requests that day. Discovery of a new flaw is like free candy to script kidz. Twice the 0wned machines, half the hacking.

Perhaps the Microsoft spokesman is lying

[Error27]

These security problems were publically known in September.

What was released recently was sample exploit code.

If you are a Microsoft spokesman then, of course, you have to say that, "Hey, if we don't have a fix then it must mean we didn't know about it." So it's not even lying to say that you weren't told. It's the only logical thing.

The spokesman was not aware that Microsoft had released unmarked patches for some of the problems.

Truly innovative thinking at Microsoft

[YouHaveSnail]

Programmer 1: "Hey, guys, we've really got to do something about the security problems we've been having with IE lately. Any ideas?"

Programmer 2: "I've got an idea! My CS prof used to joke that you could solve any problem by adding one more layer of abstraction. In this case, it's true. Imagine how totally cool it would be if IE was just a regular application. Right now we've got it tangled up in the OS, but if you think about it, there's really no good reason for that. I mean, why does IE need special priviledges just to load files and render some HTML? If we pull it out of the OS, it'll still work fine, and it'll just naturally be subject to all the OS-level protection mechanisms we've got."

Programmer 1: "What?! You're talking madness, man! Are you saying that we should subject one of our own applications to the same forces we use to prevent third parties from gaining too much market share? Egads, that's brilliant! I'll bet we can even patent that..."

Programmer 3: "Guys, the idea certainly sounds cool, but it won't work. Bill said it's impossible. Don't you remember that Netscape trial thing? I know we're not supposed to ever talk about it, but he said it was impossible during his taped deposition. If Bill says it's impossible..."

Programmer 2: "...then it must be impossible. You're right."

Porgrammer 1: "Damn, you're right. Seemed like such a good idea."