Slashdot Mirror

← Back to Stories (view on slashdot.org)

Experts Say To Switch Browsers In Light of IE Vulnerability

Posted by timothy on from the here's-my-number-if-the-place-burns-down dept.

It appears that the exploit in IE briefly mentioned a few days ago is causing a serious reaction: SteveAU writes "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched. The flaw, which affects all versions of Microsoft Internet Explorer, is manifested via malware and has infected over 6,000 sites thus far. Microsoft states: 'The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.'" According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).

Update: 12/16 21:11 GMT by KD : Microsoft will issue an emergency critical update for IE tomorrow.

8 of 455 comments (clear)

  1. Wrong summary by OhHellWithIt · · Score: 5, Informative

    Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched.

    I don't see anywhere in TFA that Microsoft has advised people to use another browser. It's other experts. So this is a "dog bites man" story, not the other way around.

    Now, if you don't mind, I'll go back to my nap.

    --
    "Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
  2. No, Microsoft did NOT say to use another browser by Anonymous Coward · · Score: 5, Informative

    RTFA.

    Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."

    But Microsoft counselled against taking such action.

    "I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.

  3. Uhhh, no... by IceCreamGuy · · Score: 4, Informative
    FTS:

    Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched.

    FTA:

    But Microsoft counselled against taking such action.

    "I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.

    Not trying to downplay the clear reasoning behind switching browsers, but the summary is just blatantly incorrect in this case.

  4. Re:Those that haven't already changed... by Shikaku · · Score: 4, Informative

    http://www.frontmotion.com/Firefox/

    Like this?

  5. Re:Is any browser safe? by Anonymous Coward · · Score: 5, Informative

    Neither is Internet Explorer. There is nothing about IE that has anything to do with the kernel. You confusion lies in the fact that you confuse "operating system" specifically with "kernel" which is not completely correct. Absolutely no part or component of Internet Explorer resides in privileged memory.

    Internet Explorer, however, is a part of the operating system in that a number of the libraries used in Internet Explorer the browser are modular and can be used through other applications, both first party and third party. Various components of the Explorer shell, such as Active Desktop, are accomplished through hosting the HTML renderer of Internet Explorer. Many applications also rely on those libraries are a variety of functions from rendering HTML to performing simple FTP commands. They could use other means to accomplish the same tasks, but the Internet Explorer API makes it exceedingly easy.

    So, no component of Internet Explorer is hosted within the kernel at all. However, Internet Explorer is a part of the operating system in that it is a constituent component of the platform API expected to exist for applications. Removal of those components will break scores of applications.

    Note that this vulnerability also does not impact Internet Explorer 7.0 on Windows Vista running within Protected Mode. Yes, the vulnerability can still be exploited and the arbitrary code executed but that code will be contained within a fairly tight sandbox which lacks the privileges to write data to any location, including the user's own profile, even if the current user is running as Administrator. Google Chrome on Windows Vista is the only other browser to use this functionality. No browser can completely prevent buffer overruns in loaded native plug-ins, but browsers may mitigate the effects by sandboxing themselves. Other browsers should take note and follow suit.

  6. Re:Is any browser safe? by Z34107 · · Score: 4, Informative

    IE never was "welded to the kernel."

    IE exports a COM object, which lets developers add HTML rendering to an application with one line of code. So, that's one reason why they don't want you uninstalling it - HTML rendering is something a lot of Windows applications are expecting the OS to export.

    The closest it came to "welded to the kernel" was Active Desktop where the Windows shell used it to render a web page on your desktop. I think it was also used if you had an HTML background for folders, too. Not sure what happened to it in XP or Vista.

    About the only things that count as kernel-welded in Windows land are device drivers and services, of which IE is neither.

    --
    DATABASE WOW WOW
  7. Re:In other news ... by Pollardito · · Score: 5, Informative
    that's all news that is true, this article is not actually true:

    Said [Trend Micro's] Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."

    But Microsoft counselled against taking such action.

    "I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.

    He added: "We're trying to get this resolved as soon as possible.

    so it's not actually Microsoft that's suggesting that people switch browsers, Microsoft has only "urged people to be vigilant while it investigated and prepared an emergency patch to resolve it."

  8. Re:Those that haven't already changed... by lysergic.acid · · Score: 4, Informative

    sounds like a stereotypical trojan/adware/malware infection. at least all you're getting are pop-ups. the last one i had to deal with at work also used DNS-hijacking to redirect any webpage request to their spam (porn) site, preventing any web surfing. to make things worse, it wouldn't even allow the user to run certain programs, like notepad, Hijack This!, Internet Explorer (this malware targeted Firefox).

    a fresh install is probably the easiest/quickest way to fix it, but it's not the only solution. with a little sleuthing (Windows Task Manager & Hijack This!) you can usually identify the file & process name(s) of the malware. all the times i've had to deal with that sort of thing, i found the solution in forum discussions on tech support sites (found by googling the file/process name of the trojan). if you're lucky, someone will have made a cleaner program for that particular malware program.

    one of the more frequently encountered malware/adware programs is SmitFraud. that's one i've encountered several times. it cannot be removed by AV programs or spyware/malware removers (though it'll try to get you to purchase and install rogue AV/Anti-Spyware programs). if you do have SmitFraud, then your best shot is SmitFraudFix.