New Attack Fells Internet Explorer

alphadogg writes "Attack code has been identified that could be used to break into a PC running older versions of Microsoft's Internet Explorer browser. The code was posted Friday to the Bugtraq mailing list by an unidentified hacker. According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer."

Versions 6 & 7

[Travis+Mansbridge]

Specifically versions 6 & 7, says the article.

CSS Behvaiors?

[DontLickJesus]

If I'm interpreting this correctly, it would appear to be a buffer overflow attack against the "style" element. Seeing that IE6-7 are the only current browsers that handle CSS behaviors (basically javascript in CSS) I'm going to make an educated guess and say it stems from the validation (and execution of) Javascript in CSS.

A great reason to choose Firefox

[simsodep]

There is another story about JS loading with IE7 & IE8. According to 4 of my testers (and a test I did after using the same environment), it seems that we can't login to our site so dep using Internet Explorer 7 and 8, on Win XP (and maybe Vista, not tested). After validating the form, we are back to login page, without any error, but like we are unauthenticated. On the other hand, Firefox does its great job.

Re:Not aware of a patch?

[tepples]

VUPEN Security is not aware of any vendor-supplied patch.

I know most of us would like to pretend IE doesn't exist, but they haven't even heard of IE 8?

Microsoft doesn't make IE 8 for older versions of Windows such as Windows 2000. It'd be like saying Windows 7 is a "vendor-supplied patch" for Windows Vista.

Re:Virus warning

It should tell him that his scanner spots that malicious code, like most AVs: http://www.virustotal.com/analisis/74af02248eb35da5a0e615538f73ecd37e186aef5234da237908ba48290c2aa5-1258907794

Re:Oh good Lord *facepalm*

[Blakey+Rat]

The problem isn't anything Microsoft doing, it's users who don't upgrade their OS. Did you notice the part where this only affects IE6 and IE7? Upgrade to IE8, and, presto, you're immune!

Re:Is that supposed to be news??

The US Air Force only released IE7 to its non-classified desktops earlier this year. Widespread Vista deployment has been pushed from early 2008 to mid-2010 (and that's just the current "best-case" estimate, I expect more delays). IE is necessary for logging into many, many DoD websites using the Common Access Card.

Re:Is that supposed to be news??

[commodore64_love]

I said a *few* years..... as in more than one. Not 90.

Re:Is that supposed to be news??

[MillionthMonkey]

What frigen company has managed to hang on to totally shit piece of web software that depends on windows 6 or 7 to function?
Who ever they are, they have bigger IT problems than this exploit will ever generate.

A lot of people- you'd be surprised. Earlier this year I worked for a place where at least a third of their customers (from academic departments, mostly) were still using IE6 and various IE5 versions.

Re:Is that supposed to be news??

[RobertM1968]

old != unpatched.

For business users, their companies may still insist they use older browsers until they are able to migrate certain software to the new version.

Or upgrade hardware - we have a variety of customers who's machines are too old to run IE7 or IE8 efficiently, and who have no plans (or budget or whatever) to upgrade their hardware until it dies or is very near death.

Re:Oh good Lord *facepalm*

If you think there are 0% Linux and Mac botnets and malware in the wild, you are seriously uninformed.

http://theappleblog.com/2009/04/24/mac-botnet-how-to-ensure-you-are-not-part-of-the-problem/
http://blog.trendmicro.com/more-mac-malware-in-the-wild/
http://lwn.net/Articles/222153/ - Linux botnets
http://blogs.computerworld.com/14723/no_more_linux_security_bragging_botnet_discovery_worry

This is just a small sample. Let's all take security seriously, and leave religion to the gods. (and to head of the claim that it doesn't count if the user has to install something, like a pirated malware-infected Photoshop for OSX, that is the most common Win vector these days as well. Malware is the problem, not viruses.)

Re:Virus warning

[someone1234]

Yes, it detects the code on display, not an actual exploit.
It is crappy AV software.

Re:Is that supposed to be news??

[kbielefe]

Allow me to translate from trollspeak. "no way of doing that" means "no way of doing that, that I could find by clicking around for a minute on the GUI." In this case, I don't even think they did that, because there are options to change how often it prompts for updates, and for applying security updates automatically without prompting.

I really like Ubuntu's choice of default behavior here. Prompting the user to apply updates means no "I lost data because it upgraded while I was in the middle of working on it" kinds of complaints. My wife can wait to apply updates until after an important task she is working on. I can see what packages are being updated before applying them so I know where to be on the lookout for potential problems.

Maybe it makes me an elitist, but I also like that you have to know what you're doing in order to change that default behavior too much. Most of the complaints about foolproof features in software come from people who don't think they are the fools.