Slashdot Mirror


Code Posted For New IE Exploit

PC World is reporting that two days ago hackers posted code for a new vulnerability in Internet Explorer that could allow drive-by takeover of a vulnerable PC. Security companies say that no exploits using the "daxctle" vulnerability have yet been found in the wild, but they are taking the new threat seriously. Symantec calls the bug "critical" and Secunia rates it highly critical, the most severe rating. The hackers who posted the sample code, xsec.org, refer to it as a "0day" exploit. The article quotes another security expert who calls this label "a stretch." Update: 09/17 18:00 GMT by C: Fixed link to XSec. Thanks for pointing that one out, folks.

6 of 123 comments

  1. Firefox 1.5.07? by jiushao · · Score: 1, Interesting

    Considering that Firefox is the more common browser on Slashdot, how about doing a story about Firefox 1.5.07 fixing four separate critical heap corruption exploits and an honest to god RSA signature spoofing exploit? These stories about IE exploits come off as pure Microsoft-hate masturbation.

    1. Re:Firefox 1.5.07? by makomk · · Score: 2, Interesting

      Considering that Firefox is the more common browser on Slashdot, how about doing a story about Firefox 1.5.07 fixing four separate critical heap corruption exploits and an honest to god RSA signature spoofing exploit?

      Key word: fixing. As far as I can tell, this security hole is currently unpatched.

  2. Does not affect IE7 by I'm+Don+Giovanni · · Score: 3, Interesting

    This does not affect IE7:
    http://blogs.msdn.com/ie/archive/2006/09/15/756736.aspx

    (Just for edification. ;-))

    --
    -- "I never gave these stories much credence." - HAL 9000
  3. Re:Moo by vhogemann · · Score: 2, Interesting

    A better alternative would be to not use IE at all.

    I know most users just don't care, or don't know better. But what about developers and companies? These should be treating IE like a plague, and using it only when there are no other suitable alternatives, in a sandboxed environment.

    I used to care about IE compatibility when I designed my pages... but not anymore. I realized that most businesses already expect some kind of requirements for the software you sell or build for them; mine is a modern browser, with decent CSS support. They even have choices: Firefox, Mozilla, Konqueror, Safari or Opera.

    ActiveX should be dead and buried by now. It's broken beyond any possible fix; Microsoft should be required to fix it, or remove it from Windows.

    --
    ---- You know how some doctors have the Messiah complex - they need to save the world? You've got the "Rubik's" complex
  4. The real difference between Firefox and MSIE by Myria · · Score: 4, Interesting

    If you look at Firefox security bugs and IE security bugs, you'll see that there are more Firefox bugs than MSIE bugs in the exploit lists. There is, however, a big difference.

    When Microsoft finds a security hole themselves, they don't tell anyone, and they don't release a patch. They fix it in the tree for the next release of the OS. The only time they release a patch is when someone else finds the bug. The reason they do this is because if they release a patch, people will "bindiff" it against the previous version and find what is changed so that they can make exploits to use against unpatched users. You can't realistically "bindiff" XP vs. Vista, so they can obscure their security updates inside Vista.

    Firefox instead will issue patches no matter who finds them. This is why Firefox appears to have more bugs - you always see them get fixed.

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  5. Plugin for IE by univgeek · · Score: 2, Interesting

    Or whatever they are called.

    Why do people use IE? Mostly because of Intranet sites which serve up IE-only content and work badly or not-at-all with other browsers. How 'bout an IE plugin which opens only Intranet/trusted sites in IE and opens all else in an external safe browser? Or is this unlikely to be useful?

    --
    All bow to his Noodliness!! His Noodle Appendage has touched me!