Zero-Day IE Exploit In the Wild
Eric Sites writes to tell us that a new zero-day IE exploit has been found in the wild. It looks to be a bug in VML in IE. The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."
There are so many of these Zero Day exploits popping up that I'm just not surprised (or that interested) anymore. One thing I can't get over is how this is still happening? The amount of stigma now attached to IE has really damaged the product. If they are wise (Personal Opinion) I would scrap the entire codebase of IE and start with an entirely new one for VISTA and change the name so the product gets a new start at life. I don't know, call it Vic the Vista internet client (or Voom sounds better). I switched to Firefox quite a while ago, before that, Mozilla, before that Opera and what the hey I even think I was using Netscape before IE and have never looked back. Sorry IE ;).
The Sunbelt blog notes, "This exploit can be mitigated by turning off Javascripting."
It can also be mitigated by using Firefox.
The theory of relativity doesn't work right in Arkansas.
Don't be silly. The problem is implementation, not the language itself. The language was designed to do things like open windows, add popups, and manipulate strings. The reason there are security holes is that it was implemented as a fully-privileged COM service, as was IE (via shdocvw). Basically the problem is that Javascript in IE can do anything that IE can do, and that IE can do just about anything, including installing software and monkeying around with files. It's possible to implement IE and Javascript in sandboxes just like you describe Java. That's why (for the most part) Firefox is ok. It's only when FFX uses some core Windows libraries (like WMF) that it gets into trouble. Now: it should be said that this isn't, strictly speaking, Microsoft's fault. They built a very open, flexible system, which was subsequently exploited by a lot of people who want to do you harm. Nevertheless, in the modern internet environment, they should really lock down what they're doing.
Because their vulnerable computer, once part of a botnet, can be used to help attack our computers.
Why should we get our friends to fix the brakes on their car? After all, it's their car, right?
Uh, no, what "kicked Netscape's ass" is that
In a word, what killed Netscape is that MSIE was, at the time, a much better browser than Navigator.
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler