Slashdot Mirror

← Back to Stories (view on slashdot.org)

4 New "Extremely Critical" IE Vulnerabilities

Posted by CmdrTaco on from the are-you-ready-for-fun-and-excitement dept.

TopherTG writes "Buckle your seat belts folks. On what is looking to be the next Black Tuesday, with rumors of 9 new Windows security patches being released, Secunia is reporting on 4 new vulnerabilities in IE that allow for arbitrary code execution and placing content over other windows. Combined with the new Windows patches, it is likely more Download.Ject and Sasser like viruses will be emerging in the coming months."

18 of 1,081 comments (clear)

  1. Why don't... by Iphtashu+Fitz · · Score: 5, Insightful

    ... all the antivirus companies like Symantec, Sophos, etc. just start classifying IE as a virus. Get rid of IE and most of these viruses/worms will have nowhere to go.

  2. Obligatory FireFox Boosterism by diagnosis · · Score: 5, Insightful

    Obviously anyone who hasn't made all their Windows 'friends' switch to FireFox needs to do so now. Just point them to the download site and send them this article, which nicely explains the benefits of FireFox, and why you have nothing to lose by trying it:
    http://slate.msn.com/id/2103152

  3. Re:Solution: by headblur · · Score: 5, Insightful

    but if i disable active scripting, i won't be able to access the windows update site! what's a girl to do?? ;)

  4. Built one of these, have you? by Saeed+al-Sahaf · · Score: 5, Insightful
    This is a web browser. It's not the most complicated thing in the world.

    Built one of these, have you? Do tell, do tell.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  5. Will the masses heed the warnings? by chia_monkey · · Score: 5, Insightful

    We've been hearing about these vulnerabilities for a while. I for one have switched to using Firefox and Safari for my main browsers as soon as Safari was launched. I use IE only when I come across sites (why can't developers follow the standards that have been set by W3C?) that were coded specifically for IE and don't render properly in the other browsers. Many people in my circle, and in the Slashdot circle have been doing the same thing. But what about the masses? What about the average Joe, the average corporate user? I don't think these people understand the severity of the situation here or that they even care. Hence, we still have roughly 90% of the users out there just moving along with these secure-as-swiss-cheese browsers and not moving to more secure solutions. What major industry, company, government agency, etc has to go down in a giant ball of fire to get people to do something about this and not continue to use a sub-standard product?

    Just imagine if cars were sold with this many problems. Or home security systems...

    --

    "He uses statistics as a drunken man uses lampposts...for support rather than illumination." - Andrew Lang
  6. simple answer by MORTAR_COMBAT! · · Score: 5, Insightful

    because thousands of very large companies (you know, the ones which actually pay for symantec software?) standardised all of their internal applications on IE -- basically meaning they invested millions (billions?) of dollars writing internal web applications which work in IE but no other web browsers. a huge mistake, yes, but you're talking about re-write work on the order of a hundred or so million dollars.

    --
    MORTAR COMBAT!
  7. Re:Breaking News by JimDabell · · Score: 5, Insightful

    What's sad is that Internet Explorer 6 was released about two and a half years ago, has had no new features added, and they still haven't finished fixing it.

  8. Re:IE Developers by phoxix · · Score: 5, Insightful

    You know, for some reason, I feel bad for the IE Developers, who are probably a bunch of well meaning people that are hampered by upper-management decisions.

    No, they are idiots. Remember that simple BMP image buffer over-flow found when the leak of the Windows Source code ?

    That has nothing to do with upper-management decisions. More like Microsoft's human resources problem of hiring people from good colleges who lack real programming experience.

    Sunny Dubey

  9. IE is NOT a web browser by gunnk · · Score: 5, Insightful

    IE is the interface between the user and the Windows OS. It just happens to also act as a web browser. That's what they mean when they say it is integrated as part of Windows.

    Now, taking the software that is responsible for interfacing with the OS and making it your default tool for interacting with the outside world was just plain stupid -- a marketing/legal department move to skirt the ruling that they couldn't bundle IE with Windows. Once done, however, almost any problem with IE becomes a root exploit. Surfing with IE makes this problem go from some risk to extreme risk. The only way to avoid this kind of escalation is to separate web broswer from OS interface: something MS doesn't want to do since then they are back to the bundling problem.

    --
    Life is short: void the warranty.
    1. Re:IE is NOT a web browser by Anonymous Coward · · Score: 5, Insightful

      My guess is at least 90% of the home users DOES run through an account with admin rights.

    2. Re:IE is NOT a web browser by gnuman99 · · Score: 5, Insightful
      Exploit yes, root exploit, no, not unless the user is running as an Administrator.

      Good one. You can't even run some MS developer software without root (hmm, Administrator) privileges! (eg. eVC++ 4.0). And let's not even start about non-MS software (eg, games). Using a MS box without administrative priv. is like having a car with no engine - nothing works!

      Hell, when Administrative priv. are required, what does Windows software do? It pops up, "You have to be running as an Administrator to ...". It doesn't even ask you for Admin. password to complete its function. You just have to relogin. And thanks to the great "multi user capabilities", you have to log out of your current session first.

      Running the OS as a non-Admin is like trying to run with pains-ticks up your ass. And then running as an Admin seems not much better (see story)!!

      PS. I think MS's "Run As..." needs an extra 's'. At least 'su' works!!

  10. Re:Mainstream Media by NanoGator · · Score: 5, Insightful

    "How long is it going to be before some big mainstream press picks these recursive stories up and starts recommending people try another web browser?"

    How come you guys are just sitting on your hands hoping the media picks it up instead of pooling your money together and getting a commercial on TV?

    --
    "Derp de derp."
  11. Be Fair! by ackthpt · · Score: 5, Insightful
    At what point do we need to shift the focus here and start posting slashdot stories when they find some code in IE that actually works?

    IE works, it does some things well. Anyone who remembers many of my posts over the years knows I'm no fan of Microsoft, but their browser does work. Effectively it's not the browser that's broken, but their implementation and bundling. Where Mozilla or Opera are stand alone applications, IE has links directly into the OS which make the vulnerabilities. If Microsoft had simply played by the same rules everyone else had to, there would have been far fewer problems for them and far fewer embarassments for them.

    When competitors and gadflies all pissed and moaned about Microsoft playing unfairly with this bundling strategy, which most of their non-directly-Operating-System software is built following, it wasn't the DoJ or courts that should have been listening, but Microsoft themselves.

    Perhaps there should be a Darwin Awards for software, awarded to those companies which continually hoist themselves by their own petard.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Be Fair! by Entropius · · Score: 5, Insightful

      What, honestly, does it do right that other browsers consistently get wrong? This isn't a rhetorical question--I'm curious.

      The rendering engine is slow (compared to Opera, so I'm a bit spoiled), the user interface is missing things that competitors have had for a while (mouse gestures? popup blocking? selective image/cookie blocking? tabbed browsing?), and it's got the aforementioned security issues.

      IE stores each individual cookie and each individual cache object in its own file. I have seen computers (P2/350 on win98 with ~10K cache objects) get slowed to a crawl by this. Might be a good idea on reiserfs, but fat32 (and probably ntfs) choke and die on this.

      Sure, there are websites that only work in IE. That's partly because people design them to be bug-compatible with it, and partly because any website that doesn't work in IE won't get published.

    2. Re:Be Fair! by ackthpt · · Score: 5, Insightful
      But I maintain that is very old by this point, and is not wearing its age very well. Security problems such as these indicate to me that Microsoft should really just sit down with their code at some point soon and fix what's wrong. IE at the core does have the potential to be a good browser, in that I agree with you, but in its present state, I just think that it's nowhere even close to being good, let alone the best.

      As an old programmer, I recognize this as the great hazard of integrating applications into an operating system. Changes to the app require changes to the OS. Change the OS and you should test the app still works. It does get very long of tooth and requiring too much bubble gum and bailing wire to keep going as the becomes ever more fragile. This is why Microsoft, of all people, should have been wary of this practice.

      I've been one not to bypass APIs and try tweaking operating systems, file structures, etc. manually as there's always the possibility the feature may cease to work or produce unexpected and disasterous effects. When Microsoft changes the OS the API should still work and largely does for those apps built upon it. All this messing about with the OS, though, when there are dependencies upon dependecies directly connected to the OS is bound to falter.

      What Microsoft should do, but probably won't until it becomes excedingly painful (isn't it already? with the Dept of HL Sec. issuing an advisory against using it?) is start over and obey the developer rules they insist everyone else does, but they ignore.

      Slighly OT, but underscoring the point I think: Years ago I anticipated with baited breath the arrival of Ultima V for the Amiga. I had an A2000 all decked out with HD, memory, all the toys. Comes the software and I find it behaves really oddly with the keyboard. A few inquiries reveals Origin Systems outsourced the coding to some house in the UK who ignored the APIs and coded to access the keyboard directly. Unfortunately their development platform was the A500, which handled the keyboard differently, thus all other versions had great problems. If they hadn't tried to be so damn clever it would have been a big success as a product and everyone would have been happy. As it was people like me saw red and wanted blood. The platform and software may change, but people still respond the same to betrayal. In this case it's Microsoft who has betrayed the customerbase as well as themselves on a very poor path of development decision making, attempting to outdo their competition.

      --

      A feeling of having made the same mistake before: Deja Foobar
  12. It's hard to stop laughing ... by btsdev · · Score: 5, Insightful

    Microsoft Delays Windows XP Service Pack 2
    Posted by simoniker on Monday July 12, @05:02PM

    MSN, Word Vulnerable To Shell: URI Exploit
    Posted by timothy on Monday July 12, @07:42PM

    4 New "Extremely Critical" IE Vulnerabilities
    Posted by CmdrTaco on Tuesday July 13, @11:45AM

    Microsoft Expects 1 Billion Windows Users by 2010
    Posted by CmdrTaco on Tuesday July 13, @08:14AM

    Is MS trying to be funny or something? Honestly, I really think you have to try to mess-up this badly this many times in such a short period of time... I can't believe a mainstream revolution leaving MS products isn't occuring...

    When are the masses going to learn?

  13. The real problem? by bonaman_24 · · Score: 5, Insightful

    The masses won't change becuase these articles are only read by us techies. Even when it is on CNN.com, it is buried in the technology section; where only techies go anyway. Put it on the front page headlines of CNN or USAToday already...

  14. you need a history lesson by dekeji · · Score: 5, Insightful

    To wit -- Here's a little history lesson on why you're wrong. And when Linux starts to get the number and volume of enterprise-level applications that Windows has, these types of history lessons will prove useful. But don't just take the easy way out and say "Yeah Windows sucks" and not try to learn about the mistakes that might just be made again without some perspective.

    UNIX has had a clean and simple separation between administrator and user privileges since the 1970's, and Linux uses the same mechanisms. UNIX and Linux have faced the most formidable opponent trying to break down that barrier over decades: the college student, who can spend hours a day trying to break into university systems. And they did. And UNIX developers fixed the bugs and adapted the security models.

    The people who need a history lesson are Microsoft developers. They just started hacking some time in the 1980's, giving a damn about security or any of the other hard stuff. That kind of ignorance got hardcoded into Windows APIs, libraries, documentation, coding styles, frameworks, and instructional materials. That's why most third party developers for Windows put files all over the place and don't pay any attention to security either.

    It's not surprising Microsoft and Microsoft developers managed to grind out popular GUI apps quickly--they cut corners on all the hard stuff and didn't even know it. The UNIX nerds at the same time were saying "this isn't the right way of doing it": they were looking 10-20 years down the road with the experience they already had, but because they were thinking long-term, Microsoft beat them on time to market and price. That's why Windows, and not UNIX, rules the desktop today. But ignorance and backwards-compatibility issues are catching up with Microsoft, and it seems quite likely to me that their fall is going to be just as spectacular as their rise.