4 New "Extremely Critical" IE Vulnerabilities

TopherTG writes "Buckle your seat belts folks. On what is looking to be the next Black Tuesday, with rumors of 9 new Windows security patches being released, Secunia is reporting on 4 new vulnerabilities in IE that allow for arbitrary code execution and placing content over other windows. Combined with the new Windows patches, it is likely more Download.Ject and Sasser like viruses will be emerging in the coming months."

Why don't...

[Iphtashu+Fitz]

... all the antivirus companies like Symantec, Sophos, etc. just start classifying IE as a virus. Get rid of IE and most of these viruses/worms will have nowhere to go.

Re:Why don't...

[BiggsTheCat]

> /Nowhere to go except, of course, for the next weakest link on the internet-based software chain./

Indeed. Still, though no software is perfect, I still think we'd be a lot safer on Firefox or any browser that doesn't so heavily tie itself to ActiveX and the Windows core.

> /the only way to stop the malware is to stop the malware authors. Bounties work, but to really stop them, we would have to sacrifice a lot of privacy which the internet still (sort of) affords./

Well, yeah, but let's not go the way of Homeland Security for the sake of tracking down script kiddies. One important step would be to require all code coming in from the Internet be signed. Now, you would have to know who published the code before we would install it. Also, any system that allows stuff to be installed in the background with no warning is dangerous. Windows could do like Mac OS X and require the user to enter their password before any system-level actions could be attempted. Also, they could use the Java sandbox idea where untrusted code is locked down.

The problem is not that dangerous code /can/ be written, nor that script kiddies can write dangerous code. The problem is that dangerous code can slip deep into your operating system without providing any notice.

Obligatory FireFox Boosterism

[diagnosis]

Obviously anyone who hasn't made all their Windows 'friends' switch to FireFox needs to do so now. Just point them to the download site and send them this article, which nicely explains the benefits of FireFox, and why you have nothing to lose by trying it:
http://slate.msn.com/id/2103152

Re:Solution:

[headblur]

but if i disable active scripting, i won't be able to access the windows update site! what's a girl to do?? ;)

Re:Excuse me while I cry...

[Bedouin+X]

ASP.NET in and of itself does not require IE. I develop ASP.NET apps using Mozilla as the primary browser. Sure there are ways to capitalize on IE but it is by no means a requirement unless you choose to make it one.

Built one of these, have you?

[Saeed+al-Sahaf]

This is a web browser. It's not the most complicated thing in the world.

Built one of these, have you? Do tell, do tell.

Re:Built one of these, have you?

[walt-sjc]

Well, it may not be trivial, but MS with it's massive development group, billions in cash, and a "trustworthy computing initiative", they should be able to pull it off correctly. Security always seems to take a back seat to features with MS and that is the core problem with IE. Being integrated to the level it is in the OS means that it drags the security (or lack thereof) of the entire system down with it.

Re:Built one of these, have you?

[davesag]

Security always seems to take a back seat to features with MS and that is the core problem with IE

features? like tabbed browsing? popup blocking, integrated search? do we see that in IE? the only features MS have added to IE in the last 5 years have been 'smart tags' and a bunch of 'enhancements' to the w3c dom, the scripting language, the html tags and so forth which, although they have earned me good money for my sins as a javascripter, just shit people off.

so with security taking *such* a backseat, can we ever expect IE to be secure? all i want is proper CSS and javascript support and i don't want to have to run a testing centre with 160 combinations of browsers and platforms (we had something approaching this at a place i used to work)

Will the masses heed the warnings?

[chia_monkey]

We've been hearing about these vulnerabilities for a while. I for one have switched to using Firefox and Safari for my main browsers as soon as Safari was launched. I use IE only when I come across sites (why can't developers follow the standards that have been set by W3C?) that were coded specifically for IE and don't render properly in the other browsers. Many people in my circle, and in the Slashdot circle have been doing the same thing. But what about the masses? What about the average Joe, the average corporate user? I don't think these people understand the severity of the situation here or that they even care. Hence, we still have roughly 90% of the users out there just moving along with these secure-as-swiss-cheese browsers and not moving to more secure solutions. What major industry, company, government agency, etc has to go down in a giant ball of fire to get people to do something about this and not continue to use a sub-standard product?

Just imagine if cars were sold with this many problems. Or home security systems...

simple answer

[MORTAR_COMBAT!]

because thousands of very large companies (you know, the ones which actually pay for symantec software?) standardised all of their internal applications on IE -- basically meaning they invested millions (billions?) of dollars writing internal web applications which work in IE but no other web browsers. a huge mistake, yes, but you're talking about re-write work on the order of a hundred or so million dollars.

Re:simple answer

[chris_mahan]

Not hundreds of millions. Billions, tens of billions.

Because you lose business continuity (all those programmers have to stop doing what they were doing to rewrite the apps, then pick up again later on to waht they were doing, and hopefully haven't forgotten it all), as well as lost opportunities (all that new functionality they could have written instead of unIEfiying their webapps) and all the money the business units lose because they lost the use of the tools that were not developed.

Also, you have to assume that the programmers _can_ rewrite enterprise quality apps in non-browser specific code. That's a stretch as well.

Pulling a number out of my hat, I would say that less than 50,000 programmers in the US can write xhtml+ccs2 compliant code (not that they do--a lot less do, but at least they can.)

As far as companies being burned: suckers. They believed the FUD, bought it hook, line, and sinker, and now, they are royally funked. Oh well. I'll take that paycheck thank you very much.

Re:IE is deprecated

[OxygenPenguin]

I'm not quite sure how this is, but our collective websites run on our server generate around 2 million hits per month, and i would have to say that about 97-98% of them use IE.
I've had the worst time being the only Linux guy in the office, and my cries have not completely fallen on deaf ears, as 2 of my co-workers have installed Firefox recently. But when i can talk to someone for less than 5 minutes about the pros and cons of Mozilla and open source browsing vs. IE, most of them nearly start sobbing with all their troubles.
People daily complain to me about the bot problems or spyware issues that they have. I was sympathetic and helpful for a time. But now I wanly smile and say "mozilla.org/firefox" and walk away. Those super-cool guys with browser problems can kiss my ass until they start listening to me, and the rest of the world.

Re:Running as Admin

[0123456]

"If people running windows were not so used to running as admin, this would not be a fundemental problem."

If Windows wasn't such a pain in the ass to run as a non-admin user, then this wouldn't be such a fundamental problem.

Re:Breaking News

[JimDabell]

What's sad is that Internet Explorer 6 was released about two and a half years ago, has had no new features added, and they still haven't finished fixing it.

Re:IE Developers

[phoxix]

You know, for some reason, I feel bad for the IE Developers, who are probably a bunch of well meaning people that are hampered by upper-management decisions.

No, they are idiots. Remember that simple BMP image buffer over-flow found when the leak of the Windows Source code ?

That has nothing to do with upper-management decisions. More like Microsoft's human resources problem of hiring people from good colleges who lack real programming experience.

Sunny Dubey

IE is NOT a web browser

[gunnk]

IE is the interface between the user and the Windows OS. It just happens to also act as a web browser. That's what they mean when they say it is integrated as part of Windows.

Now, taking the software that is responsible for interfacing with the OS and making it your default tool for interacting with the outside world was just plain stupid -- a marketing/legal department move to skirt the ruling that they couldn't bundle IE with Windows. Once done, however, almost any problem with IE becomes a root exploit. Surfing with IE makes this problem go from some risk to extreme risk. The only way to avoid this kind of escalation is to separate web broswer from OS interface: something MS doesn't want to do since then they are back to the bundling problem.

Re:IE is NOT a web browser

[sqlrob]

Once done, however, almost any problem with IE becomes a root exploit.

Exploit yes, root exploit, no, not unless the user is running as an Administrator. IE still runs at the privileges of the logged on user.

Re:IE is NOT a web browser

My guess is at least 90% of the home users DOES run through an account with admin rights.

Re:IE is NOT a web browser

[Slime-dogg]

That's not exactly true. IE is the web browser, and Explorer is the interface between the user and the windows OS. Windows is very modular in this respect, IE has an executable named "iexplore.exe," and windows explorer is "explorer.exe." "iexplore.exe" is located in the Program Files directory, "explorer.exe" is located in C:\Winnt or C:\Windows.

The two share a vast number of the same controls, and that is why you would think that IE is the same as Windows Explorer. Explorer sort of turns into IE if you try surfing to another site. The process keeps the same name, which leads me to think that IE is luanched as a thread or something. The About box changes, though, to reflect that it is IE that you are using, not Explorer.

The number of exploits that hit windows are caused by this amount of integration, and the sloppy programming that it was built with. It's the activeX component, or the COM control that has the flaw, and the processes just wrap that chunk of code. I imagine that if a flaw was found in KHTML, for instance, it would affect the Konqueror browser as well as Safari (isn't that the one that's KHTML based?). Thankfully, the source is out in the open with KDE, so exploits are typically taken care of with efficiency. Unless it's declared as a bug in Mozilla's bug-traq, and the devs don't want to do anything about it. But that couldn't possibly happen...

Re:IE is NOT a web browser

[Zardoz44]

I try not to with Windows 2000 at home, but if the stupid software companies would get their act together and write their software so that it doesn't need an administrator account to install, or even worse, run, maybe more people would follow recommended practices.

Praise Mozilla (Firefox) for having a single-directory non-administrator install. Intuit (Quicktax) can go to hell...

I'll stop ranting now. Micrsoft didn't help this with their lax security model in 95/98, but 3rd party software isn't helping the situation.

Re:IE is NOT a web browser

[gnuman99]

Exploit yes, root exploit, no, not unless the user is running as an Administrator.

Good one. You can't even run some MS developer software without root (hmm, Administrator) privileges! (eg. eVC++ 4.0). And let's not even start about non-MS software (eg, games). Using a MS box without administrative priv. is like having a car with no engine - nothing works!

Hell, when Administrative priv. are required, what does Windows software do? It pops up, "You have to be running as an Administrator to ...". It doesn't even ask you for Admin. password to complete its function. You just have to relogin. And thanks to the great "multi user capabilities", you have to log out of your current session first.

Running the OS as a non-Admin is like trying to run with pains-ticks up your ass. And then running as an Admin seems not much better (see story)!!

PS. I think MS's "Run As..." needs an extra 's'. At least 'su' works!!

Re:Mainstream Media

[NanoGator]

"How long is it going to be before some big mainstream press picks these recursive stories up and starts recommending people try another web browser?"

How come you guys are just sitting on your hands hoping the media picks it up instead of pooling your money together and getting a commercial on TV?

Be Fair!

[ackthpt]

At what point do we need to shift the focus here and start posting slashdot stories when they find some code in IE that actually works?

IE works, it does some things well. Anyone who remembers many of my posts over the years knows I'm no fan of Microsoft, but their browser does work. Effectively it's not the browser that's broken, but their implementation and bundling. Where Mozilla or Opera are stand alone applications, IE has links directly into the OS which make the vulnerabilities. If Microsoft had simply played by the same rules everyone else had to, there would have been far fewer problems for them and far fewer embarassments for them.

When competitors and gadflies all pissed and moaned about Microsoft playing unfairly with this bundling strategy, which most of their non-directly-Operating-System software is built following, it wasn't the DoJ or courts that should have been listening, but Microsoft themselves.

Perhaps there should be a Darwin Awards for software, awarded to those companies which continually hoist themselves by their own petard.

Re:Be Fair!

[Grey+Ninja]

If I hadn't already replied to this discussion, I would mod you up for that. I am a web developer who develops for an IE only intranet, so I have learned to hate the browser more than... well, much of anything. It's easy for me to forget that the browser DOES do some things right.

But I maintain that is very old by this point, and is not wearing its age very well. Security problems such as these indicate to me that Microsoft should really just sit down with their code at some point soon and fix what's wrong. IE at the core does have the potential to be a good browser, in that I agree with you, but in its present state, I just think that it's nowhere even close to being good, let alone the best.

Re:Be Fair!

[Entropius]

What, honestly, does it do right that other browsers consistently get wrong? This isn't a rhetorical question--I'm curious.

The rendering engine is slow (compared to Opera, so I'm a bit spoiled), the user interface is missing things that competitors have had for a while (mouse gestures? popup blocking? selective image/cookie blocking? tabbed browsing?), and it's got the aforementioned security issues.

IE stores each individual cookie and each individual cache object in its own file. I have seen computers (P2/350 on win98 with ~10K cache objects) get slowed to a crawl by this. Might be a good idea on reiserfs, but fat32 (and probably ntfs) choke and die on this.

Sure, there are websites that only work in IE. That's partly because people design them to be bug-compatible with it, and partly because any website that doesn't work in IE won't get published.

Re:Be Fair!

[ackthpt]

But I maintain that is very old by this point, and is not wearing its age very well. Security problems such as these indicate to me that Microsoft should really just sit down with their code at some point soon and fix what's wrong. IE at the core does have the potential to be a good browser, in that I agree with you, but in its present state, I just think that it's nowhere even close to being good, let alone the best.

As an old programmer, I recognize this as the great hazard of integrating applications into an operating system. Changes to the app require changes to the OS. Change the OS and you should test the app still works. It does get very long of tooth and requiring too much bubble gum and bailing wire to keep going as the becomes ever more fragile. This is why Microsoft, of all people, should have been wary of this practice.

I've been one not to bypass APIs and try tweaking operating systems, file structures, etc. manually as there's always the possibility the feature may cease to work or produce unexpected and disasterous effects. When Microsoft changes the OS the API should still work and largely does for those apps built upon it. All this messing about with the OS, though, when there are dependencies upon dependecies directly connected to the OS is bound to falter.

What Microsoft should do, but probably won't until it becomes excedingly painful (isn't it already? with the Dept of HL Sec. issuing an advisory against using it?) is start over and obey the developer rules they insist everyone else does, but they ignore.

Slighly OT, but underscoring the point I think: Years ago I anticipated with baited breath the arrival of Ultima V for the Amiga. I had an A2000 all decked out with HD, memory, all the toys. Comes the software and I find it behaves really oddly with the keyboard. A few inquiries reveals Origin Systems outsourced the coding to some house in the UK who ignored the APIs and coded to access the keyboard directly. Unfortunately their development platform was the A500, which handled the keyboard differently, thus all other versions had great problems. If they hadn't tried to be so damn clever it would have been a big success as a product and everyone would have been happy. As it was people like me saw red and wanted blood. The platform and software may change, but people still respond the same to betrayal. In this case it's Microsoft who has betrayed the customerbase as well as themselves on a very poor path of development decision making, attempting to outdo their competition.

Sasser Like Virus for IE?

[89cents]

Can someone explain to me how an IE vulnerability can lead to a Sasser like virus? I thought Sasser was a worm that spread automatically through open ports of unpatched Windows machines, whereas IE vulnerabilities seem to have to be user initiated.

It's hard to stop laughing ...

[btsdev]

Microsoft Delays Windows XP Service Pack 2
Posted by simoniker on Monday July 12, @05:02PM

MSN, Word Vulnerable To Shell: URI Exploit
Posted by timothy on Monday July 12, @07:42PM

4 New "Extremely Critical" IE Vulnerabilities
Posted by CmdrTaco on Tuesday July 13, @11:45AM

Microsoft Expects 1 Billion Windows Users by 2010
Posted by CmdrTaco on Tuesday July 13, @08:14AM

Is MS trying to be funny or something? Honestly, I really think you have to try to mess-up this badly this many times in such a short period of time... I can't believe a mainstream revolution leaving MS products isn't occuring...

When are the masses going to learn?

Sucks to be them

[blunte]

That's why IT management, starting from the top down, needs to plan better.

There is nothing revolutionary, even using ActiveX, that can be done in IE that cannot be done by other means with non-IE browsers.

The only significant benefit to doing IE-only development is the streamlined development tools.

This reminds me of a story I heard as a kid... The Three Little Pigs. Sure you can build a straw house quickly, but is it a long-term solution?

The real problem?

[bonaman_24]

The masses won't change becuase these articles are only read by us techies. Even when it is on CNN.com, it is buried in the technology section; where only techies go anyway. Put it on the front page headlines of CNN or USAToday already...

Re:Black Tuesday? wth?

[Nevo]

Imagine Microsoft releasing patches any day of the week/month, with no warning. Several times a month. Imagine yourself running around to each machine patching it, sitting down, and doing it all over again when a new patch comes out.

Now imagine Microsoft adopting a policy of releasing patches on a known day of the month. Imagine coming up with a corporate plan to handle those patches on a predetermined schedule.

You decide which is better.

Re:Mainstream Media

[electroniceric]

While the sitting on the hands question is a fair one, the proper answer is not a commercial - you'll never raise enough money to reach more than a thousand or tens of thousands of people - but media "scandal seeding".

1) Write one or more versions of a news story (many, many stories in the media are dropped in essentially as they were delivered to the media). Hopefully this includes a "human interest angle", like Grandma Sally being redirected goatse.cx or giving up her CC number to ch.ase.com. Use only a minimal of substantive or technical details to avoid people who don't want to think through them. Yes, this is doing reporters' work for them, but that's how you get stuff in circulation when you're outside the loop.

2) Call (email might work, but probably not as well) the editors of Style/Living/Consumer Affairs pages of newspapers and TV stations and pitch em the story. Again, this is reporter work, but it gets the story in the news.

3) Lather, rinse, repeat. Fan the flames by providing more juicy details with human interest angles - disgruntled MS employee, evidence that problem is far wider than acknowledge "they don't want to you to know this...", speculations about apocalyptic collapses of the economy. Involve porn to feed the public's prurient side. Modify the story a bit for consumption by other stations/papers/etc as it evolves.

This is how most political scandals evolve - someone plants the story and fans the flames for a week or two in the public gets tired of it. To do real damage, you sync the stories with lulls in other news and cycles of public mood.

runas is crap

[CaptPungent]

I hate runas, its nothing like su or sudo. Quick rant here, oracle installed with permissions so that only Admin could access the dir. I couldn't change it. Tried to do as I would in KDE and do:

runas /user:Administrator explorer.exe

to pop open an Admin explorer shell to change the permissions on the dir. Just doesn't work. Command ran and nothing happened. In KDE its just a simple

su root -c konqueror

or for me

sudo konqueror

or even ALT+F2, konqueror, "run as different user: root" and enter the password. Had to close everything I was working on (this is my work computer with ssh sessions, code files, and RDP sessions open), log out and log back in as Admin just to simply add my user to the list of allowed users. User-Friendly my ass

you need a history lesson

[dekeji]

To wit -- Here's a little history lesson on why you're wrong. And when Linux starts to get the number and volume of enterprise-level applications that Windows has, these types of history lessons will prove useful. But don't just take the easy way out and say "Yeah Windows sucks" and not try to learn about the mistakes that might just be made again without some perspective.

UNIX has had a clean and simple separation between administrator and user privileges since the 1970's, and Linux uses the same mechanisms. UNIX and Linux have faced the most formidable opponent trying to break down that barrier over decades: the college student, who can spend hours a day trying to break into university systems. And they did. And UNIX developers fixed the bugs and adapted the security models.

The people who need a history lesson are Microsoft developers. They just started hacking some time in the 1980's, giving a damn about security or any of the other hard stuff. That kind of ignorance got hardcoded into Windows APIs, libraries, documentation, coding styles, frameworks, and instructional materials. That's why most third party developers for Windows put files all over the place and don't pay any attention to security either.

It's not surprising Microsoft and Microsoft developers managed to grind out popular GUI apps quickly--they cut corners on all the hard stuff and didn't even know it. The UNIX nerds at the same time were saying "this isn't the right way of doing it": they were looking 10-20 years down the road with the experience they already had, but because they were thinking long-term, Microsoft beat them on time to market and price. That's why Windows, and not UNIX, rules the desktop today. But ignorance and backwards-compatibility issues are catching up with Microsoft, and it seems quite likely to me that their fall is going to be just as spectacular as their rise.