Slashdot Mirror
Experts Say To Switch Browsers In Light of IE Vulnerability
It appears that the exploit in IE briefly mentioned a few days ago is causing a serious reaction: SteveAU writes "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched. The flaw, which affects all versions of Microsoft Internet Explorer, is manifested via malware and has infected over 6,000 sites thus far. Microsoft states: 'The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.'" According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).
Update: 12/16 21:11 GMT by KD : Microsoft will issue an emergency critical update for IE tomorrow.
Update: 12/16 21:11 GMT by KD : Microsoft will issue an emergency critical update for IE tomorrow.
I don't see anywhere in TFA that Microsoft has advised people to use another browser. It's other experts. So this is a "dog bites man" story, not the other way around.
Now, if you don't mind, I'll go back to my nap.
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
RTFA.
Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."
But Microsoft counselled against taking such action.
"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.
Neither is Internet Explorer. There is nothing about IE that has anything to do with the kernel. You confusion lies in the fact that you confuse "operating system" specifically with "kernel" which is not completely correct. Absolutely no part or component of Internet Explorer resides in privileged memory.
Internet Explorer, however, is a part of the operating system in that a number of the libraries used in Internet Explorer the browser are modular and can be used through other applications, both first party and third party. Various components of the Explorer shell, such as Active Desktop, are accomplished through hosting the HTML renderer of Internet Explorer. Many applications also rely on those libraries are a variety of functions from rendering HTML to performing simple FTP commands. They could use other means to accomplish the same tasks, but the Internet Explorer API makes it exceedingly easy.
So, no component of Internet Explorer is hosted within the kernel at all. However, Internet Explorer is a part of the operating system in that it is a constituent component of the platform API expected to exist for applications. Removal of those components will break scores of applications.
Note that this vulnerability also does not impact Internet Explorer 7.0 on Windows Vista running within Protected Mode. Yes, the vulnerability can still be exploited and the arbitrary code executed but that code will be contained within a fairly tight sandbox which lacks the privileges to write data to any location, including the user's own profile, even if the current user is running as Administrator. Google Chrome on Windows Vista is the only other browser to use this functionality. No browser can completely prevent buffer overruns in loaded native plug-ins, but browsers may mitigate the effects by sandboxing themselves. Other browsers should take note and follow suit.
so it's not actually Microsoft that's suggesting that people switch browsers, Microsoft has only "urged people to be vigilant while it investigated and prepared an emergency patch to resolve it."