Unpatched IE Flaw Extremely Critical
Durinthal writes "The biggest blip on the security radar over the Thanksgiving holiday was the realization by the security community that an Internet Explorer problem first identified six months ago was a lot worse than it appeared, as what appeared to be only a DoS vulnerability also allows for execution of arbitrary code. The realization caused Secunia to issue a rare 'Extremely Critical' advisory."
It's so rare that most other things never see the light (or lack thereof) of this rating... I don't think Firefox ever got an Extremely Critical rating for any of its bugs :P
This makes Slashdot exactly on the day Firefox v1.5 is supposed to be released. Apparently, Mozilla want to create a huge marketing campaign, better and larger than the one for v1.0. This is a perfect time to capitalize on this horrible security hole to promote Firefox.
The SANS Internet Storm Center has a counter on their home page showing how many visitors to their site are vulnerable to this particular problem. At this time, looks like it is 43%! (and I assume that people checking the site are more security conscious than the average). Also see MSIE 0day exploit.
They just copied half the story from this site:
http://www.security.ithub.com
The Proof of Concept didn't load calc.exe for me. Instead, it crashed my IE windows on Windows XP SP1.
I run Ad Muncher, so that might have caught and foiled the malicious JavaScript.
o0t!
I suppose that's because a buffer overflow makes IE6 execute code directly. The scanner (in my case, VShield) noticed there's an exploit in the webpage, but there's nothing else it could do. It's like some security guards saying "hey, a thief opened this door!" and they close the door, but don't catch the thief.
Yes, this is a very dangerous problem.
Not to start a flamefest here, but why is it that most of the time any IE article is mentioned, the Firefox folks have to come out in force to claim it's some kind of conspiracy by Microsoft?
come on guys... could it possibly be that the "browser wars" are fought by the users far more than the developers?
The world according to SComps
When I loaded up IE to test it, AVG detects the virus in IE's temp files. Then IE hangs a while and then finally calc loads. But if you kill IE while you're waiting it doesn't get a chance to execute. Not a solution but at least it buys you some time to possibly stop it.
Either way MS needs to get off their ass and fix the problem. Oh and as if everyone didn't already know, you should be using anything but IE for web surfing.
If you wanna get rich, you know that payback is a bitch
"Currently, the only work-around is to temporarily discontinue the use of Microsoft Internet Explorer and use another browser, such as FireFox, (this can be downloaded for free at www.mozilla.com) until Microsoft can issue a patch."
Anyone else's bank send out a warning like this bluntly stating that if you use IE, there is nothing the bank can do to protect you?
The proof of concept crashes Firefox 1.0.7 (as reported in this thread by numerous others).
I'm not surprised that IE hasn't been patched, but as this vulnerability has been known for some time (this post is a dupe - not that there's anything wrong with that), why hasn't Firefox been patched yet?